IEF v6.3 now supports native shadow copy mounting and analysis

Since becoming available in Windows Vista, volume shadow copies have been a valuable resource for forensic investigators when examining a Windows PC. Volume shadow copy runs as a service (volume shadow service) that creates and maintains multiple historical snapshots of the volumes on a disk. Previously on Windows XP, System Restore provided a backup of the system files on a disk prior to a major update or installation but never backed up any user created files. Conversely, volume shadow copies allow the backup of all files on the volume, including user files. This provides a wealth of historical information on files and data that might have previously been deleted or lost.The challenge for investigators has always been how to handle volume shadow copies since the backed up files aren’t true snapshots that could be exported and viewed with traditional forensic tools such as EnCase or FTK. While a user can specify it to omit certain files or folders, the volume shadow service doesn’t care about the file system since it functions at the block level. The volume shadow service maintains a record of every block that is changed and only backs up a block if it is about to be modified which allows it to store so much data in such a small amount of space (15% Windows Vista, 5% Windows 7 by default). The difficulty is that the volume shadow service has always been required to restore or examine any volume shadow copy that was stored on the volume. This required investigators to mount the volume in their desired forensic tool and then use the volume shadow service (vss admin) to manage the needed backup (Guidance and Harlan Carvey both have excellent write-ups detailing the manual process). These added steps are often time consuming for an investigator when they could potentially be handling multiple historical shadow copies, each one requiring separate mounting and analysis.

Internet Evidence Finder (IEF) has previously been able to scan shadow copies when they were stored within an image or live system, however there was no easy way to mount and analyze each of the individual files stored within. The subsequent search was similar to searching unallocated space and sometimes provided only partial results.

[image]

New with version 6.3, IEF can now natively parse volume shadow copies without needing to mount the evidence as a live system. The investigator can now choose to examine either a live system or image file and IEF will automatically scan for any shadow copies available. The investigator can then decide if they want to search one or multiple copies at a time. This allows the examiner to analyze each historical file that was modified for that specific shadow copy.

[image]

An excellent use scenario would be if an investigator conducted a search of an image and found data of a potential evidentiary value in a volume shadow copy but might want to dig deeper into the original source or see if there is any additional data to be found. The IEF Report Viewer will provide the investigator with details around which shadow copy and specific file the data fragment came from. The investigator could then conduct a second search on just the one or more volume shadow copies that contain the modified files. This would provide the investigator with not only a more complete set of data but also potential historical information as well.

Often, shadow copies will have a historical version of the registry hives, databases such as SQLite, and several other artifacts that don’t traditionally store a lot of historical data but do have a wealth of information of evidentiary value. A good example of this would be the potential to find additional chat records that have been deleted and overwritten or only temporarily stored in memory but might be still available in the shadow copy from two weeks previous.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

[image]

Volume shadow copies have always been a valuable resource for investigators, albeit a resource the required some cumbersome and time consuming techniques to analyze. With IEF version 6.3, Magnet Forensics has tried to make it easier to analyze these artifacts from within an image or a live system saving the investigator valuable time.

Watch this video, where we demonstrate what this means to your investigations and how to maximize the artifacts found in the images you’ve already acquired.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 11:44 am

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 11:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...