While conducting forensic examinations I have come across several instances where records of past activity on the system proved helpful. Volume Shadow Copy forensics is one such source.
What is the Volume Shadow Copy Service (VSS)? Also known as the Volume Snapshot Service, the feature was introduced with Windows XP. The idea was to preserve a backup of an earlier state of a volume. Did you ever wonder how System Restore brings a system back to an earlier date, and how that backup is kept and used? On Windows Vista and later, System Restore points are themselves volume shadow copies.
A volume shadow copy works as a snapshot of the entire volume as it existed at a particular date and time. To provide this snapshot Windows does not keep a complete copy of the volume as it existed at that time. Instead it monitors changes to the volume at the block level: the volume is divided into blocks of 16 KB, and whenever a block is about to be modified Windows first copies the original block to a storage area (the "diff area", kept by default in System Volume Information on the same volume) and only then applies the change. This copy-on-write scheme means a snapshot stores only the blocks that changed after it was taken; blocks that never changed are read from the live volume. Snapshots are created on the schedule set by the system, when a restore point is created manually, and when a new package is installed on the system.
From a forensics perspective this information is extremely valuable for the following reasons.
1) It lets the investigator understand the state of the system on a particular date.
2) Whatever was deleted from the system, even with a wipe utility, may still be present in a VSC (Volume Shadow Copy): the wipe overwrites the live blocks, but the original contents of every block changed after the snapshot were copied to the diff area before the overwrite. (Blocks untouched since the snapshot are not stored separately; the snapshot simply reads them from the live volume.)
3) Not being part of the normal file-system view (they are exposed only through features such as the "Previous Versions" tab) and being read-only in nature preserves the evidence to a great extent. The copies are not indestructible, though: VSS discards the oldest copies when the storage limit (see "vssadmin list shadowstorage") is reached, and "vssadmin delete shadows" removes them outright, so a subject with administrative rights can destroy them.
4) A series of VSCs gives a sequential picture of the routine and activities performed by the accused.
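The copy-on-write behaviour described above, and why a wiped file can survive in a shadow copy (point 2), can be seen in a small model. This is an added example, not code from the article or from Windows; it is a deliberate simplification (real VSS chains the diff areas of successive snapshots and stores them in System Volume Information, while here each snapshot keeps its own dictionary of original block contents), and the "confidential ledger" content is constructed.

```python
# Toy model of VSS copy-on-write at 16 KB block granularity (added example,
# simplified: each snapshot holds its own map of block index -> original bytes).
BLOCK = 16 * 1024  # bytes per block, the VSS copy-on-write granularity


class ShadowCopy:
    """One snapshot: only the pre-change contents of blocks modified after it."""

    def __init__(self):
        self.diff_area = {}  # block index -> original 16 KB of that block


class Volume:
    def __init__(self, size_blocks):
        self.blocks = [bytes(BLOCK) for _ in range(size_blocks)]  # live data
        self.snapshots = []

    def create_shadow_copy(self):
        snap = ShadowCopy()
        self.snapshots.append(snap)
        return snap

    def write_block(self, index, data):
        """Copy-on-write: save the old block into every snapshot that has not
        yet captured it, then apply the change to the live volume."""
        if len(data) != BLOCK:
            raise ValueError("writes are whole 16 KB blocks in this model")
        for snap in self.snapshots:
            snap.diff_area.setdefault(index, self.blocks[index])
        self.blocks[index] = data

    def read_block(self, index, snap=None):
        """Read the live block, or the block as it looked when `snap` was taken:
        the diff area if the block changed since, otherwise the live block."""
        if snap is None:
            return self.blocks[index]
        return snap.diff_area.get(index, self.blocks[index])


def wipe_demo():
    """Write a file into block 1, take a snapshot, then 'wipe' the file by
    overwriting its block the way a secure-delete tool does. The snapshot
    still yields the original bytes, and only the wiped block used diff space."""
    vol = Volume(size_blocks=4)
    secret = b"confidential ledger".ljust(BLOCK, b"\0")  # constructed content
    vol.write_block(1, secret)
    snap = vol.create_shadow_copy()
    vol.write_block(1, b"\xff" * BLOCK)  # the wipe pass
    return {
        "live": vol.read_block(1)[:19],
        "snapshot": vol.read_block(1, snap)[:19],
        "blocks_in_diff_area": sorted(snap.diff_area),
        "diff_area_bytes": len(snap.diff_area) * BLOCK,
    }


if __name__ == "__main__":
    print(wipe_demo())
```

The model also shows the limit of point 2: a file that was written, deleted and wiped entirely after the last snapshot was taken is never copied anywhere, because no snapshot existed to protect its blocks.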
Examining the Volume shadow Copy:
The VSC data is stored in the protected folder "C:\System Volume Information" (Windows 7). The default ACL on this folder grants access only to the SYSTEM account; ordinary users and even administrators are denied. There are ways around this, especially when the drive is connected to another system for investigation or the drive image is mounted virtually.
The tool "vssadmin" comes in handy to explore them. It ships with Windows 7 by default. The command "vssadmin list shadows" lists all the shadow copies along with the details needed to mount them. (Fig 1)
As can be seen in the image, it shows the date and time to which each copy pertains, the original volume with its path, the device path of the shadow copy volume, and the machine on which the copy was created. In the above image one can easily see that the system was joined to the domain "synergy.local" on 8/17/2012 and later to "server.local" on 8/20/2012.
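Reading the "vssadmin list shadows" output by hand is fine for a handful of copies; for a timeline it helps to parse it. The following is an added example (not the author's code): it parses the output into records, orders them by creation time, reports every change of the originating machine name (the kind of domain change noted above), and prints the mklink command for each copy. The sample output is constructed for the example; its GUIDs, volume GUID, timestamps and host names are made up, with the host names echoing the two domains named in the article.

```python
import re
from datetime import datetime

# Constructed sample of "vssadmin list shadows" output (all identifiers invented).
# Copies are deliberately listed out of order to show the sorting step.
SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {0c9d7e5a-2e25-4a3f-9c4b-6c1d3f6a1b01}
   Contained 1 shadow copies at creation time: 8/20/2012 11:05:09 PM
      Shadow Copy ID: {5d6e2a11-7b4f-4f0e-a4e9-2f9f0d3a5c02}
         Original Volume: (C:)\\?\Volume{1a2b3c4d-0000-0000-0000-100000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: ws01.server.local
         Service Machine: ws01.server.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {7f1e0b22-1c3d-4e5f-8a9b-0c1d2e3f4a03}
   Contained 1 shadow copies at creation time: 8/17/2012 9:12:41 AM
      Shadow Copy ID: {9b8a7c66-5d4e-4f3a-b2c1-d0e9f8a7b604}
         Original Volume: (C:)\\?\Volume{1a2b3c4d-0000-0000-0000-100000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: ws01.synergy.local
         Service Machine: ws01.synergy.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

SET_RE = re.compile(r"creation time: (.+)$")
FIELD_RE = re.compile(
    r"^\s+(Shadow Copy ID|Original Volume|Shadow Copy Volume|Originating Machine"
    r"|Service Machine|Provider|Type|Attributes): (.*)$"
)


def parse_vssadmin(text):
    """Return one dict per shadow copy, oldest first. The creation time is
    printed once per shadow copy set and applies to every copy in the set."""
    copies, created = [], None
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower().replace(" ", "_"), m.group(2).strip()
        if key == "shadow_copy_id":
            copies.append({"created": created, "shadow_copy_id": value})
        else:
            copies[-1][key] = value
    return sorted(copies, key=lambda c: c["created"])


def machine_changes(copies):
    """(when, old name, new name) for each change of the originating machine
    between consecutive copies, e.g. a domain join or rename."""
    changes = []
    for prev, cur in zip(copies, copies[1:]):
        if prev["originating_machine"] != cur["originating_machine"]:
            changes.append((cur["created"], prev["originating_machine"], cur["originating_machine"]))
    return changes


def mount_commands(copies, mount_root=r"C:\vsc"):
    """One mklink command per copy. The device path must end with a backslash,
    otherwise mklink links to the device object rather than its root directory.
    mklink needs an elevated prompt. The mount root is an assumed location."""
    cmds = []
    for c in copies:
        name = c["shadow_copy_volume"].rsplit("\\", 1)[-1]  # HarddiskVolumeShadowCopyN
        cmds.append(f"mklink /d {mount_root}\\{name} {c['shadow_copy_volume']}\\")
    return cmds


if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE)
    for c in copies:
        print(c["created"], c["shadow_copy_volume"], c["originating_machine"])
    for when, old, new in machine_changes(copies):
        print(f"{when}: originating machine changed {old} -> {new}")
    print("\n".join(mount_commands(copies)))
```

On a live system, feed it the real output with something like `parse_vssadmin(subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout)` from an elevated prompt; the date format in the output follows the system locale, so the strptime pattern may need adjusting.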
Mounting the VSC as a Network Share: For further analysis, the entire volume as it existed on a particular date can be exposed as a network share with the command "net share <ShareName>=<Path>". In our case Copy 4 is shared with "net share copy4=\\.\HarddiskVolumeShadowCopy4". Once shared, the whole drive can be browsed like any shared drive on the network. The same copy can also be exposed as a local folder with a directory symbolic link, "mklink /d C:\vsc4 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\"; the trailing backslash is required, and both commands need an elevated (administrator) prompt.
Once the copy is mounted, an investigator can copy out files that existed when the shadow copy was created but were later deleted or even wiped. The registry hives inside the copy (SAM, SYSTEM, SOFTWARE and the users' NTUSER.DAT) show the users and activity that existed at that point in time. As most systems hold four, five or more copies, one obtains a sequential record of how the drive changed over time.
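With a copy mounted, the practical step is to find what the copy has that the live volume no longer has, and to extract it with hashes for the case notes. The following is an added example, not the author's code: given the root of a mounted shadow copy (the share or mklink folder above) and the root of the live volume, it lists files removed or modified since the snapshot and copies the removed ones out. The demo builds two small constructed directory trees in a temporary folder in place of a real mount, so it runs anywhere; the file names and contents are invented.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map each file's path relative to `root` (POSIX style) to its full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(snapshot_root, live_root):
    """Files present in the shadow copy but gone from the live volume
    (deleted or wiped after the snapshot), and files whose contents changed."""
    snap, live = index_tree(snapshot_root), index_tree(live_root)
    removed = sorted(set(snap) - set(live))
    modified = sorted(r for r in set(snap) & set(live)
                      if sha256_file(snap[r]) != sha256_file(live[r]))
    return removed, modified


def recover(snapshot_root, relpaths, out_dir):
    """Copy the listed files out of the shadow copy (timestamps preserved)
    and hash each exported copy for the evidence log."""
    hashes = {}
    for rel in relpaths:
        dst = Path(out_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(snapshot_root) / rel, dst)
        hashes[rel] = sha256_file(dst)
    return hashes


def demo():
    """Constructed stand-ins for the mounted Copy 4 and the live volume."""
    base = Path(tempfile.mkdtemp(prefix="vsc_demo_"))
    snap, live, export = base / "copy4", base / "live", base / "export"
    for root in (snap, live):
        (root / "Users/alice/Documents").mkdir(parents=True)
    (snap / "Users/alice/Documents/ledger.xlsx").write_bytes(b"original ledger")  # wiped later
    (snap / "Users/alice/Documents/notes.txt").write_bytes(b"draft v1")
    (live / "Users/alice/Documents/notes.txt").write_bytes(b"draft v2")          # edited since
    (live / "Users/alice/Documents/new.docx").write_bytes(b"created after")      # not in copy
    removed, modified = compare_trees(snap, live)
    return {
        "snapshot_root": str(snap),
        "removed": removed,
        "modified": modified,
        "hashes": recover(snap, removed, export),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against several mounted copies in turn (oldest against next, and so on) to get the sequential record of changes the paragraph describes; for the live side, point it at a read-only mounted image rather than the booted system, since hashing every file on a running volume changes access times and other artefacts.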
Of course there are other tools, such as DOSDEV.exe, that mount a volume shadow copy as a local drive letter, and there are a number of other analyses that can be performed on shadow copies; I have not included any of them in this article. The idea was only to make readers aware of the value of VSS and of ways to deal with it. Normal forensic procedure, such as imaging and preserving the images, is likewise not covered here.
Boonlia Prince Komal