Since becoming available in Windows Vista, volume shadow copies have been a valuable resource for forensic investigators when examining a Windows PC. Volume shadow copy runs as a service (volume shadow service) that creates and maintains multiple historical snapshots of the volumes on a disk. Previously on Windows XP, System Restore provided a backup of the system files on a disk prior to a major update or installation but never backed up any user created files. Conversely, volume shadow copies allow the backup of all files on the volume, including user files. This provides a wealth of historical information on files and data that might have previously been deleted or lost.The challenge for investigators has always been how to handle volume shadow copies since the backed up files aren’t true snapshots that could be exported and viewed with traditional forensic tools such as EnCase or FTK. While a user can specify it to omit certain files or folders, the volume shadow service doesn’t care about the file system since it functions at the block level. The volume shadow service maintains a record of every block that is changed and only backs up a block if it is about to be modified which allows it to store so much data in such a small amount of space (15% Windows Vista, 5% Windows 7 by default). The difficulty is that the volume shadow service has always been required to restore or examine any volume shadow copy that was stored on the volume. This required investigators to mount the volume in their desired forensic tool and then use the volume shadow service (vss admin) to manage the needed backup (Guidance and Harlan Carvey both have excellent write-ups detailing the manual process). These added steps are often time consuming for an investigator when they could potentially be handling multiple historical shadow copies, each one requiring separate mounting and analysis.
Internet Evidence Finder (IEF) has previously been able to scan shadow copies when they were stored within an image or live system, however there was no easy way to mount and analyze each of the individual files stored within. The subsequent search was similar to searching unallocated space and sometimes provided only partial results.
New with version 6.3, IEF can now natively parse volume shadow copies without needing to mount the evidence as a live system. The investigator can now choose to examine either a live system or image file and IEF will automatically scan for any shadow copies available. The investigator can then decide if they want to search one or multiple copies at a time. This allows the examiner to analyze each historical file that was modified for that specific shadow copy.
An excellent use scenario would be if an investigator conducted a search of an image and found data of a potential evidentiary value in a volume shadow copy but might want to dig deeper into the original source or see if there is any additional data to be found. The IEF Report Viewer will provide the investigator with details around which shadow copy and specific file the data fragment came from. The investigator could then conduct a second search on just the one or more volume shadow copies that contain the modified files. This would provide the investigator with not only a more complete set of data but also potential historical information as well.
Often, shadow copies will have a historical version of the registry hives, databases such as SQLite, and several other artifacts that don’t traditionally store a lot of historical data but do have a wealth of information of evidentiary value. A good example of this would be the potential to find additional chat records that have been deleted and overwritten or only temporarily stored in memory but might be still available in the shadow copy from two weeks previous.
Volume shadow copies have always been a valuable resource for investigators, albeit a resource the required some cumbersome and time consuming techniques to analyze. With IEF version 6.3, Magnet Forensics has tried to make it easier to analyze these artifacts from within an image or a live system saving the investigator valuable time.
Watch this video, where we demonstrate what this means to your investigations and how to maximize the artifacts found in the images you’ve already acquired.
As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.
Jamie McQuaid
Forensics Consultant, Magnet Forensics
