Transcript of "Shadow forensics print"

1. SHADOW FORENSICS
Forensics on Windows Volume Shadow Copies
Yogesh Khatri
2. Volume Shadow Copy (VSC) in use
• VSC enables the ‘Previous Versions’ functionality in Windows 7
• Similar functionality called ‘File History’ is used in Windows 8
3. System Restore uses VSC
4. VSC
• Uses
  • Previous Versions / File History functionality
  • Creating System Restore Points
  • Backup API for taking ‘snapshots’ of files, folders or whole disks
  • Used by Windows Backup, Hyper-V, Virtual Server, Active Directory, SQL Server, Exchange Server and SharePoint
  • Used by backup software and AV for reading locked (in-use) files
• Implementation
  • Only for NTFS volumes
  • Provided by the Volume Shadow Copy Service (VSS)
  • Included since Windows Server 2003 (Windows XP has VSS too, but only non-persistent snapshots), through Windows 8
  • Not enabled by default on Windows Server 2008 or 2008 R2
5. Location of Backups/Restore Points
• Default
  • <Drive Letter>:\System Volume Information (the folder is ACL’d to SYSTEM, so on a live system you need an elevated or SYSTEM-level shell, or a forensic tool, to read it)
• Applications can use the API to write to any location
6. Volume Shadow Copy
• C:\System Volume Information
Figure: ‘C:\System Volume Information’ folder viewed in EnCase 6
7. Forensic Importance
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features
• Shadow copies provide a “snapshot” of a volume at a particular time
• Shadow copies can show how files have been altered/modified
• Shadow copies can retain data that has subsequently been deleted, wiped, or encrypted
8. However...
Volume shadow copies DO NOT contain a complete image of everything that was on the volume at the time the shadow copy was made!
Figure: Settings for VSC located in the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore (its FilesNotToSnapshot subkey lists the paths that are excluded from snapshots)
9. Basic Technical Details
• Volume shadow copies are block-level differential backups of a volume
  • NOT file-level backups
• Scheme
  • 16 KB blocks
  • Copy on write
  • Volume shadow copy files are “difference” files
Figure: driver stack (File, Volume, Disk); the shadow copy filter works at the volume level, below the file system
10. Copy-on-write illustration
Figure: raw disk blocks 0 to 6 (16 KB each) holding Info.txt (16 KB), Amit.pdf (36 KB) and Flier.PPT (10 KB)
Operations:
1. Edit & save Info.txt
2. Delete Amit.pdf
3. Edit & save Info.txt
Resulting VSC file has copies of only the modified blocks
11. Recreating the volume in time
• VSC by itself does not have all the data
  • Only modified blocks are saved
• Need the volume itself to recreate the complete disk
Figure: the volume as it is NOW (blocks 0 to 6), the VSC data (saved copies of the modified blocks), and the volume before all operations, obtained by overlaying the saved blocks on the current volume
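The copy-on-write scheme of slide 10 and the reconstruction step of slide 11, as an added example that is not part of the original slides: a small Python model of a block-level differential store. The 7-block volume, the file-to-block layout, the tag bytes and the assumption that block 6 holds file-system metadata are all constructed for illustration; this is not a parser for real VSS store files. It shows that a store holds only the blocks modified while it was the newest snapshot, that a second edit of the same block adds nothing, and that stepping back to an older snapshot means overlaying every store from the newest one back to the target on top of the live volume.

```python
# Added example (not from the original slides): block-level copy-on-write
# snapshot model. Block contents, file layout and "metadata lives in block 6"
# are constructed assumptions for illustration.
from dataclasses import dataclass, field

BLOCK_SIZE = 16 * 1024  # VSS copy-on-write granularity is 16 KB


@dataclass
class ShadowCopy:
    """Differential store for one snapshot: the pre-modification contents of
    every block overwritten after this snapshot and before the next one."""
    name: str
    saved_blocks: dict = field(default_factory=dict)  # block number -> old bytes


class Volume:
    def __init__(self, num_blocks: int):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(num_blocks)]
        self.shadows = []  # ShadowCopy objects, oldest first

    def snapshot(self, name: str) -> ShadowCopy:
        sc = ShadowCopy(name)
        self.shadows.append(sc)
        return sc

    def write_block(self, n: int, data: bytes) -> None:
        """Copy-on-write: the first time a block is overwritten since the newest
        snapshot, its old contents go into that snapshot's store. Later writes
        to the same block save nothing more."""
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole 16 KB blocks")
        if self.shadows:
            self.shadows[-1].saved_blocks.setdefault(n, self.blocks[n])
        self.blocks[n] = data

    def reconstruct(self, shadow_index: int) -> list:
        """Recreate the volume as it was when shadows[shadow_index] was taken:
        start from the live volume and overlay the stores from newest back to
        the target. Each store undoes the writes made while it was newest."""
        blocks = list(self.blocks)
        for sc in reversed(self.shadows[shadow_index:]):
            for n, old in sc.saved_blocks.items():
                blocks[n] = old
        return blocks


def fill(tag: bytes) -> bytes:
    """Constructed block content: a short tag padded to one full block."""
    return tag.ljust(BLOCK_SIZE, b"\0")


def demo() -> dict:
    """Replays the slide's three operations on a constructed 7-block volume."""
    vol = Volume(num_blocks=7)
    vol.blocks[0] = fill(b"INFO-v1")          # Info.txt, 16 KB -> 1 block
    for n in (1, 2, 3):
        vol.blocks[n] = fill(b"AMIT-PDF")     # Amit.pdf, 36 KB -> 3 blocks
    vol.blocks[4] = fill(b"FLIER")            # Flier.PPT, 10 KB -> 1 block
    vol.blocks[6] = fill(b"MFT-v1")           # assumed: file-system metadata
    original = list(vol.blocks)

    sc1 = vol.snapshot("shadow1")
    vol.write_block(0, fill(b"INFO-v2"))      # 1. edit & save Info.txt
    vol.write_block(6, fill(b"MFT-v2"))       # 2. delete Amit.pdf: only metadata
                                              #    changes, data blocks 1-3 untouched
    vol.write_block(0, fill(b"INFO-v3"))      # 3. edit & save Info.txt again:
                                              #    block 0 already saved, nothing new
    sc2 = vol.snapshot("shadow2")
    vol.write_block(1, fill(b"NEWFILE"))      # later: a new file reuses freed block 1

    return {
        "store1_blocks": sorted(sc1.saved_blocks),   # [0, 6]: modified blocks only
        "store2_blocks": sorted(sc2.saved_blocks),   # [1]
        "store1_is_complete_image": len(sc1.saved_blocks) == len(vol.blocks),
        "at_shadow1_equals_original": vol.reconstruct(0) == original,
        "deleted_pdf_visible_at_shadow2": vol.reconstruct(1)[1][:8] == b"AMIT-PDF",
        "live_block1": vol.blocks[1][:7],            # b"NEWFILE"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run makes concrete. Deleting a file writes only metadata, so the shadow copy itself holds nothing of Amit.pdf; the data still comes from the live volume until something overwrites those blocks, at which point the old contents are copied into whichever store is newest (block 1 above). And a store without the live volume is useless: store1 holds 2 of 7 blocks, which is the point of slide 11.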
12. VSC File Format
File                                              Description
{3808876b-c176-4e48-b7ae-04046e6cc752}            Catalog only
{GUID}{3808876b-c176-4e48-b7ae-04046e6cc752}      Catalog and data

Layout of a store file:
HEADER       Contains the VSS identifier and the catalog offset
CATALOG      Contains the shadow copy GUIDs, creation times, providers, host machine info, store offsets, etc.
DATA STORES  Contain the details of each shadow copy: volume bitmaps and the associated data
13. Browsing local shadow copies
14. Listing local Shadow copies
• Use the ‘vssadmin’ tool (from an elevated command prompt)
15. List files in shadow copy
• Commands:
  vssadmin list shadows
  set shadow=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyxx
  for /R %shadow% %i in (*) do echo %i
  Or
  for /R %shadow% %i in (*) do echo %i>>"C:\shadow.txt"
• ‘xx’ is the shadow copy number shown in the ‘Shadow Copy Volume’ line of the vssadmin output; inside a .bat file write %%i instead of %i
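The listing procedure of slides 14 and 15, as an added example that is not part of the original slides: a Python parser for the text that `vssadmin list shadows` prints, which turns each shadow copy into a record (set ID, shadow ID, creation time, original volume, shadow copy volume, originating machine, provider, attributes), derives the copy number from the GLOBALROOT path and emits the cmd commands for each copy. The sample output is constructed to match vssadmin's layout; the GUIDs, host name and timestamps are made up. The timestamp parser assumes the US-locale format vssadmin prints on an English system (M/D/YYYY h:mm:ss AM/PM) and keeps the raw string when that does not match.

```python
# Added example (not from the original slides): parse `vssadmin list shadows`
# output and build the per-copy listing commands. Sample output is constructed.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {7b3a2c1e-0d3f-4f3a-9b1a-1d2e3f4a5b6c}
   Contained 1 shadow copies at creation time: 1/15/2013 10:32:11 AM
      Shadow Copy ID: {c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f}
         Original Volume: (C:)\\?\Volume{5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WIN7-PC
         Service Machine: WIN7-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0f1e2d3c-4b5a-4697-8877-665544332211}
   Contained 1 shadow copies at creation time: 2/3/2013 9:05:47 PM
      Shadow Copy ID: {aa11bb22-cc33-4d44-9e55-ff6677889900}
         Original Volume: (C:)\\?\Volume{5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WIN7-PC
         Service Machine: WIN7-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass
class ShadowCopyRecord:
    set_id: str
    shadow_id: str
    created_raw: str               # vssadmin's own text, kept for the report
    created: Optional[datetime]    # None when the locale format is not US
    original_volume: str = ""
    shadow_volume: str = ""        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    originating_machine: str = ""
    provider: str = ""
    attributes: List[str] = field(default_factory=list)

    @property
    def index(self) -> Optional[int]:
        m = re.search(r"HarddiskVolumeShadowCopy(\d+)$", self.shadow_volume)
        return int(m.group(1)) if m else None


FIELD_MAP = {"Original Volume": "original_volume", "Shadow Copy Volume": "shadow_volume",
             "Originating Machine": "originating_machine", "Provider": "provider"}


def parse_time(text: str) -> Optional[datetime]:
    """Assumes the US-locale layout of an English Windows; other locales -> None."""
    try:
        return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")
    except (ValueError, TypeError):
        return None


def parse_vssadmin(text: str) -> List[ShadowCopyRecord]:
    records, cur = [], None
    set_id = created = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            set_id, cur = line.split(":", 1)[1].strip(), None
        elif line.startswith("Contained ") and "creation time:" in line:
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):   # one record per shadow copy
            cur = ShadowCopyRecord(set_id, line.split(":", 1)[1].strip(),
                                   created, parse_time(created))
            records.append(cur)
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key == "Attributes":
                cur.attributes = [a.strip() for a in value.split(",")]
            elif key in FIELD_MAP:
                setattr(cur, FIELD_MAP[key], value.strip().strip("'"))
    return records


def cmd_commands(rec: ShadowCopyRecord, mount_root: str = r"C:\shadow") -> List[str]:
    """cmd one-liners for one copy: a directory link (the trailing backslash on the
    target is required, without it the link does not resolve) and the file listing."""
    link = f"{mount_root}{rec.index}"
    return [f"mklink /d {link} {rec.shadow_volume}\\",
            f'for /R {link} %i in (*) do echo %i>>"{link}.txt"']


if __name__ == "__main__":
    for rec in parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT):
        print(rec.index, rec.created or rec.created_raw, rec.originating_machine)
        for cmd in cmd_commands(rec):
            print("   ", cmd)
```

On the live system, feed it the real text with `subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout` from an elevated prompt; the creation times and the originating machine are worth recording before anything is mounted, because they are the timeline anchors for every file found inside the copy.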
16. Investigate Shadow Copies from another disk
• Commercial software
  • Use EnCase Physical Disk Emulator and the manual approach using the command line / PowerShell
  • X-Ways Forensics (XWF)
  • Shadow Scanner from EKL
  • Reconnoitre from Sanderson Forensics
  • ProDiscover
17. Investigate Shadow Copies from another disk
• FREEWARE approach 1
  • Use FTK Imager to mount your evidence disk as a physical device (choose the read-only block device mount so the VM cannot modify or purge the shadow copies)
  • Add the mounted disk as a new hard disk to an existing Windows 7 virtual machine (VM) in VMware Player (or VirtualBox)
  • Boot the VM; vssadmin should now be able to see the snapshots
  • Use the manual approach to list / parse / copy out
• FREEWARE approach 2
  • Use Joachim Metz’s libvshadow project (https://code.google.com/p/libvshadow/)
  • Mounts your shadow copies in a Linux environment
18. FTK Imager + VMware
Figure: FTK Imager mount settings and VM settings (added new hard disk)
19. Questions
Thanks for listening!
More forensic articles, tips and scripts on my blog: www.swiftforensics.com
Yogesh Khatri, Director, Training & Services, W.H.S.
yogesh.khatri@whitehats.in
yogesh@swiftforensics.com
20. References
• libvshadow (https://code.google.com/p/libvshadow/)
• Volume Shadow Copy Service on MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/bb968832(v=vs.85).aspx)
• Harlan Carvey’s blog (http://windowsir.blogspot.com)