IEF v6.3 now supports native shadow copy mounting and analysis

Since becoming available in Windows Vista, volume shadow copies have been a valuable resource for forensic investigators when examining a Windows PC. Volume shadow copy runs as a service (the Volume Shadow Copy Service) that creates and maintains multiple historical snapshots of the volumes on a disk. Previously, on Windows XP, System Restore provided a backup of the system files on a disk prior to a major update or installation, but it never backed up any user-created files. Conversely, volume shadow copies allow the backup of all files on the volume, including user files. This provides a wealth of historical information on files and data that might previously have been deleted or lost.

The challenge for investigators has always been how to handle volume shadow copies, since the backed-up files aren't true snapshots that could be exported and viewed with traditional forensic tools such as EnCase or FTK. While a user can specify that certain files or folders be omitted, the volume shadow service doesn't care about the file system, since it functions at the block level. The volume shadow service maintains a record of every block that is changed and only backs up a block if it is about to be modified, which is what allows it to store so much data in such a small amount of space (15% on Windows Vista, 5% on Windows 7 by default). The difficulty is that the volume shadow service has always been required to restore or examine any volume shadow copy stored on the volume. This required investigators to mount the volume in their desired forensic tool and then use the volume shadow service (vssadmin) to manage the needed backup (Guidance and Harlan Carvey both have excellent write-ups detailing the manual process). These added steps are often time-consuming for an investigator, who could potentially be handling multiple historical shadow copies, each one requiring separate mounting and analysis.

Internet Evidence Finder (IEF) has previously been able to scan shadow copies when they were stored within an image or on a live system; however, there was no easy way to mount and analyze each of the individual files stored within them. The resulting search was similar to searching unallocated space and sometimes provided only partial results.

[image]

New with version 6.3, IEF can now natively parse volume shadow copies without needing to mount the evidence as a live system. The investigator can now choose to examine either a live system or image file and IEF will automatically scan for any shadow copies available. The investigator can then decide if they want to search one or multiple copies at a time. This allows the examiner to analyze each historical file that was modified for that specific shadow copy.

[image]

An excellent use scenario would be an investigator who conducts a search of an image, finds data of potential evidentiary value in a volume shadow copy, and wants to dig deeper into the original source or see whether there is any additional data to be found. The IEF Report Viewer will provide the investigator with details of which shadow copy and which specific file the data fragment came from. The investigator could then conduct a second search on only the volume shadow copy (or copies) that contain the modified files. This would provide the investigator with not only a more complete set of data but also potential historical information as well.


Often, shadow copies will hold a historical version of the registry hives, databases such as SQLite, and several other artifacts that don't traditionally store a lot of historical data but do have a wealth of information of evidentiary value. A good example of this would be the potential to find additional chat records that have been deleted and overwritten, or that were only temporarily stored in memory, but might still be available in the shadow copy from two weeks earlier.
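The two points above, that the shadow copy service saves only blocks that are about to be overwritten and that this is enough to recover an earlier version of a chat log or registry hive, can be seen in a small copy-on-write model. The block below is an added illustration written for this page; it is not IEF, Magnet Forensics or Microsoft code, and the block size, block layout, file names and contents are all constructed sample data. Each snapshot owns a "diff area" that receives the previous content of a block the first time that block is overwritten after the snapshot was taken; reading a historical block walks the diff areas forward from the requested snapshot and falls back to the live volume when no later snapshot saved it.

```python
"""Copy-on-write snapshot model in the spirit of Volume Shadow Copy (VSS).

Added illustration, not code from IEF or Windows. A volume is a list of
fixed-size blocks. Taking a snapshot costs nothing up front; the first time a
block is overwritten after a snapshot, its previous content is saved into the
newest snapshot's diff area. Reading block i "as of snapshot k" returns the
first saved copy found in diff areas k, k+1, ... and otherwise the live block.
"""
from typing import Dict, List, Optional

BLOCK_SIZE = 8  # constructed: tiny blocks so the example stays readable


class CowVolume:
    def __init__(self, nblocks: int) -> None:
        self.live: List[bytes] = [b"\x00" * BLOCK_SIZE for _ in range(nblocks)]
        # diff_areas[k] maps block index -> content the block had when snapshot k
        # was taken; entries are created lazily, on first overwrite after k.
        self.diff_areas: List[Dict[int, bytes]] = []

    def create_snapshot(self) -> int:
        self.diff_areas.append({})
        return len(self.diff_areas) - 1

    def write_block(self, idx: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("block must be exactly BLOCK_SIZE bytes")
        if self.diff_areas:
            newest = self.diff_areas[-1]
            if idx not in newest:          # copy-on-write: keep the old content once
                newest[idx] = self.live[idx]
        self.live[idx] = data

    def read_block(self, idx: int, snapshot: Optional[int] = None) -> bytes:
        if snapshot is None:
            return self.live[idx]
        for diff in self.diff_areas[snapshot:]:
            if idx in diff:                # no write to idx happened between
                return diff[idx]           # `snapshot` and this diff area
        return self.live[idx]              # block never changed since `snapshot`

    def diff_area_bytes(self) -> int:
        return sum(len(d) * BLOCK_SIZE for d in self.diff_areas)


def write_file(vol: CowVolume, blocks: List[int], data: bytes) -> None:
    """Write `data` over the given blocks, touching only blocks whose content changes."""
    padded = data.ljust(len(blocks) * BLOCK_SIZE, b"\x00")
    for n, idx in enumerate(blocks):
        chunk = padded[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        if vol.read_block(idx) != chunk:
            vol.write_block(idx, chunk)


def read_file(vol: CowVolume, blocks: List[int], snapshot: Optional[int] = None) -> bytes:
    return b"".join(vol.read_block(i, snapshot) for i in blocks).rstrip(b"\x00")


def demo() -> dict:
    """Constructed timeline: chat log and registry value evolve across two snapshots."""
    vol = CowVolume(nblocks=64)
    chat = [10, 11, 12, 13]   # constructed block allocation for a chat log
    hive = [20, 21]           # constructed block allocation for a registry hive
    write_file(vol, chat, b"alice: hi\nbob: hey")
    write_file(vol, hive, b"Run=old.exe")
    snap0 = vol.create_snapshot()
    write_file(vol, chat, b"alice: hi\nbob: hey\nbob: bye")   # only blocks 12-13 change
    snap1 = vol.create_snapshot()
    write_file(vol, hive, b"Run=new.exe")                      # only block 20 changes
    write_file(vol, chat[:2], b"todo: lunch")   # chat log "deleted": blocks 10-11 reused
    return {
        "chat_snap0": read_file(vol, chat, snap0),   # b"alice: hi\nbob: hey"
        "chat_snap1": read_file(vol, chat, snap1),   # b"alice: hi\nbob: hey\nbob: bye"
        "notes_live": read_file(vol, chat[:2]),      # b"todo: lunch"
        "hive_snap0": read_file(vol, hive, snap0),   # b"Run=old.exe"
        "hive_live": read_file(vol, hive),           # b"Run=new.exe"
        "diff_bytes": vol.diff_area_bytes(),         # 40 of 512 volume bytes
        "volume_bytes": 64 * BLOCK_SIZE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>12}: {value!r}")
```

The diff areas end up holding five blocks out of sixty-four, which is the reason a snapshot can sit in a few percent of the volume, and the overwritten chat log is recovered intact from snapshot 0 even though its blocks now belong to another file. Real VSS works on much larger blocks and keeps its diff areas under the volume's System Volume Information folder, which is why a raw image must be parsed with VSS-aware tooling rather than simply carved.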

[image]

Volume shadow copies have always been a valuable resource for investigators, albeit a resource that required some cumbersome and time-consuming techniques to analyze. With IEF version 6.3, Magnet Forensics has tried to make it easier to analyze these artifacts from within an image or a live system, saving the investigator valuable time.

Watch this video, where we demonstrate what this means to your investigations and how to maximize the artifacts found in the images you’ve already acquired.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics
