Volume Shadow Copy as an aid to forensic investigations

While conducting forensic examinations I have come across several instances where the record of past activity kept by the system proved helpful. Volume Shadow Copy forensics is one of them.

What is the Volume Shadow Copy Service (VSS)? Also known as the Volume Snapshot Service, the feature was introduced with Windows XP. The idea was to keep a backup of an earlier state of the system. Did you ever wonder how System Restore returns the system to an earlier date, and how that backup is kept and used?

A volume shadow copy works as a snapshot of the entire system as it existed on a particular date. To obtain this snapshot Windows does not have to keep a complete copy of the system as it exists at that time. Instead it monitors changes to the hard drive at the block level. The entire drive is divided into blocks of 16 KB, and all the blocks are continuously monitored. Whenever a change is made to a block, Windows first copies the old contents of the block to a storage location and only then applies the change; this way a backup of that block is created. The backup is appended to the file storing the snapshot for that date. Snapshot files are created on the schedule set by the system, when a restore point is created manually, or when a new package is installed on the system.
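The copy-on-write behaviour described above is what makes wiped data recoverable from a shadow copy. The following is an added example, not code from the original article: a toy model of a volume made of 16 KB blocks, where every write after a snapshot first saves the old block into that snapshot's storage area. The class and function names are my own, and the "file" contents are constructed for the demonstration.

```python
"""Toy model of VSS copy-on-write snapshots at 16 KB block granularity.

Added example (not from the article): it shows why a file that is deleted
or overwritten AFTER a snapshot was taken can still be read back from the
snapshot, while the live volume only holds the wiped contents.
"""

BLOCK_SIZE = 16 * 1024  # the article states VSS tracks the drive in 16 KB blocks


class Volume:
    def __init__(self, block_count):
        # Live contents of the volume, one bytes object per block.
        self.blocks = [bytes(BLOCK_SIZE)] * block_count
        # One "diff area" per snapshot: block index -> contents the block had
        # when it was first overwritten after that snapshot was created.
        self.snapshots = []

    def create_snapshot(self):
        """Create a snapshot; returns its index (0 = oldest)."""
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write_block(self, index, data):
        """Copy-on-write: preserve the old block for the newest snapshot, then write."""
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole 16 KB blocks in this model")
        if self.snapshots:
            newest = self.snapshots[-1]
            # Only the FIRST write after the snapshot saves a pre-image; a second
            # "wipe pass" over the same block changes nothing in the diff area.
            newest.setdefault(index, self.blocks[index])
        self.blocks[index] = data

    def read_block(self, index, snapshot=None):
        """Read a block from the live volume, or as it was at snapshot time.

        Scanning the diff areas from the requested snapshot forward to the
        newest returns the oldest preserved pre-image, which is the content the
        block had when that snapshot was taken; if no snapshot saved it, the
        block never changed and the live contents apply.
        """
        if snapshot is None:
            return self.blocks[index]
        for diff in self.snapshots[snapshot:]:
            if index in diff:
                return diff[index]
        return self.blocks[index]


def wipe_after_snapshot_demo():
    """Write a 'confidential' block, snapshot, then wipe it twice.

    Returns (live contents, contents seen through the snapshot, number of
    blocks stored in that snapshot's diff area).
    """
    vol = Volume(8)
    secret = b"confidential memo (constructed sample)".ljust(BLOCK_SIZE, b"\0")
    vol.write_block(3, secret)              # no snapshot exists yet: nothing preserved
    snap = vol.create_snapshot()
    vol.write_block(3, bytes(BLOCK_SIZE))   # first wipe pass: zeros
    vol.write_block(3, b"\xff" * BLOCK_SIZE)  # second wipe pass: 0xFF
    return vol.read_block(3), vol.read_block(3, snap), len(vol.snapshots[snap])


if __name__ == "__main__":
    live, old, saved = wipe_after_snapshot_demo()
    print("live block starts with:", live[:8])
    print("snapshot block starts with:", old[:24])
    print("blocks held in diff area:", saved)
```

The model deliberately stores only one pre-image per block per snapshot: a multi-pass wipe tool overwrites the live block repeatedly, but the snapshot keeps the contents from before the first pass, which is exactly the situation reason 2 below describes.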

From a forensics perspective this information is extremely valuable for the following reasons.

1) It lets the investigator understand the state of the system on a particular date.

2) Whatever has been deleted from the system, even with a wipe utility, may still be present in a VSC (Volume Shadow Copy).

3) Being inaccessible to the user in the normal environment and "read only" in nature, the copies preserve the evidence to a great extent.

4) A series of VSCs gives an idea of the routine and the activities performed by the accused, in sequence.

Examining the Volume shadow Copy:

The VSC files are stored in the protected folder "C:\System Volume Information" (Windows 7). Access to this folder is restricted for ordinary users as well as administrators. There are ways to get around this, especially when the drive is connected to another system for investigation or a drive image is mounted virtually.

The tool "vssadmin" comes in handy to explore them. It is provided by default on Microsoft Windows 7. The command "vssadmin list shadows" lists all the shadow copies along with the details required to mount them virtually (Fig 1).

[Fig 1: Volume Shadow Copy listing produced by "vssadmin list shadows"]

As can be seen in the image, the listing gives the date and time to which each copy pertains, the volume with its path, and the machine to which it belongs. In the above image one can easily see that the system was joined to the domain "synergy.local" (on 8/17/2012) and later to "server.local" (on 8/20/2012).

Mounting the VSC as a Network Share: For further analysis, the entire volume as it existed on a particular date can be mounted as a network share with the command "net share <ShareName>=<Path>". In our case copy 4 can be mounted with "net share copy4=\\.\HarddiskVolumeShadowCopy4". Once it is mounted, the entire drive can be browsed as a shared drive on the network.

Once the drive is mounted this way, an investigator can copy the files that existed at the time the shadow copy was created but were later deleted or even wiped. An investigator can also look into the registry hives to find out the activities and the user accounts that existed at that point in time. As most systems contain 4 or 5 or even more copies, one can build a sequential record of the changes that happened on the drive over time.
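Investigators usually want the listing from "vssadmin list shadows" as a timeline rather than as raw text. Below is an added example, not code from the original article: it parses the listing into records, sorts them by creation time so the domain change described above stands out, and builds the "net share" command for any copy in the form the article uses. The sample output is constructed for the example (GUIDs are placeholders, the host names reuse the article's two domains), and the function names are my own.

```python
"""Parse "vssadmin list shadows" output into a snapshot timeline (added example).

Not code from the article. The SAMPLE text below is constructed: GUIDs are
placeholders and the hosts reuse the two domains mentioned in the article.
"""
import re
from datetime import datetime

# Constructed sample of what "vssadmin list shadows" prints (newest set first).
SAMPLE = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 8/20/2012 9:02:11 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: ws01.server.local
         Service Machine: ws01.server.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 8/17/2012 4:30:45 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: ws01.synergy.local
         Service Machine: ws01.synergy.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

CREATION_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")


def parse_vssadmin(text):
    """Return one dict per shadow copy, oldest first.

    Keys are the listing's labels lower-cased with underscores
    (e.g. 'shadow_copy_volume', 'originating_machine') plus 'created'
    as a datetime and 'id' for the Shadow Copy ID.
    """
    copies = []
    created = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            current = None            # a new set starts; stop filling the previous copy
            continue
        m = CREATION_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        if line.startswith("Shadow Copy ID:"):
            current = {"created": created, "id": line.split(":", 1)[1].strip()}
            copies.append(current)
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only: paths contain ':'
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return sorted(copies, key=lambda c: c["created"])


def device_name(copy):
    """Extract 'HarddiskVolumeShadowCopyN' from the GLOBALROOT device path."""
    return re.search(r"HarddiskVolumeShadowCopy\d+", copy["shadow_copy_volume"]).group(0)


def share_command(copy, share_name):
    """Build the 'net share <name>=\\\\.\\HarddiskVolumeShadowCopyN' command the article uses."""
    return "net share %s=\\\\.\\%s" % (share_name, device_name(copy))


def machine_timeline(copies):
    """(date, originating machine) pairs: a quick view of where the box was joined over time."""
    return [(c["created"].date().isoformat(), c["originating_machine"]) for c in copies]


if __name__ == "__main__":
    shadows = parse_vssadmin(SAMPLE)
    for day, host in machine_timeline(shadows):
        print(day, host)
    print(share_command(shadows[0], "copy4"))
```

In practice you would feed the function the saved output of the command run on the examination machine (or on the system with the evidence image mounted); the sorted timeline is what you compare hive-by-hive or file-by-file across copies.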

Of course there are other tools, such as DOSDEV.exe, that allow a volume shadow copy to be mounted as a local drive, and there are a number of other analyses that can be performed on VSS data; I have not included any of them in this article. The idea was simply to raise awareness of the value of VSS and the ways to deal with it. I have also not covered the normal forensic procedures of imaging and preserving the images.


Boonlia Prince Komal


3 Comments

  1. Adams says:

    It's good, but write in depth. Want to learn more about VSC and its forensics.
    Thanks

  2. I do consider all of the ideas you have introduced to your post. They’re very convincing and will definitely work. Nonetheless, the posts are very short for novices. Could you please lengthen them a little from subsequent time? Thank you for the post.

  3. boonlia Adams says:

    Hi
    This is just a small bit that I had written for a magazine. There is a lot that can be shared. Will take it up in detail and write on the same.
    In my experience one can find more data with VSC that has been deleted intentionally than any other way, for the simple reason that people don't even realize that something of this sort might be present.
    Digital Forensics is definitely evolving like anything.
    Thanks for the comments :)
