Shadow copies are the data Windows saves to disk when System Protection (the "System Restore" option) is enabled on a volume: block-level snapshots from which the system, or individual files, can be rolled back to an earlier state. That is handy for a home user when something weird starts happening on the PC, but not only for them. Some bad guys try to cover their tracks, and an older state of the files they changed or deleted can sometimes be pulled back out of a shadow copy.
Volume Shadow Copy is the back-end technology for features such as System Restore, which reverts system files and settings to a previous state, and Previous Versions, which recovers older versions of individual files. The VSS service watches writes to the volume and, before a block is overwritten, copies the old contents away (copy-on-write). These saved blocks are 16 KB chunks kept in \System Volume Information\ at the root of the volume. That folder holds a catalog file that tracks every shadow copy of the volume together with its ID and creation timestamp, and, for each active shadow copy, a store file holding the backed-up 16 KB chunks.
Windows 8 introduced a new feature, ScopeSnapshots. It is enabled by default on client editions and limits a snapshot to system files, so far less data is backed up and the artefact becomes much less useful as a data-recovery mechanism. It is off on server editions. To get full-volume snapshots on a client, open HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore, create a DWORD value named ScopeSnapshots and set it to 0.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot lists the files that are excluded from a snapshot. hiberfil.sys and pagefile.sys are not in that list, but they are usually left out when the snapshot is made anyway.
This option is turned on by default! However, in the case of my Windows 10 VM on Parallels (Windows Insider program for ARM) this option was disabled, resulting in the following line:
No items found that satisfy the query.
For my Dell notebook running Windows 10, build 18362 (value from registry: SOFTWARE\Microsoft\Windows NT\CurrentVersion, value CurrentBuild), I had to create the restore point myself as well, since I didn't find where I could make it happen regularly. After the above steps were followed, PowerShell was relaunched, and I could finally see valid output with vssadmin list shadows /for=c:.
The space reserved for shadow copies by default is 3-5% of the volume on Windows 7 and 15% on Vista. On Windows 10 you set the size yourself when turning the feature on.
To turn on: Control Panel -> All Control Panel Items -> Recovery, or type Recovery in the Start menu search box.
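The checks and changes described above (ScopeSnapshots, the exclusion list, reserved space, turning protection on and creating a snapshot), gathered into one script. This is an added example and not code from the original notes. It assumes an elevated Windows PowerShell 5.1 prompt on a client edition and that C: is the volume of interest (change $drive otherwise). SystemRestorePointCreationFrequency is the documented throttle that stops Checkpoint-Computer creating more than one restore point per day on Windows 8+; the snapshot itself is created through Win32_ShadowCopy.Create, which is immediate and not throttled.

```powershell
# Added example (not part of the original notes): inspect and adjust the settings that decide
# how useful shadow copies will be as a forensic artefact on a Windows client.
# Run from an elevated Windows PowerShell 5.1 prompt. $drive is an assumption.
$drive = 'C:\'
$vol   = $drive.TrimEnd('\')          # vssadmin wants C:, not C:\
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

# 1. ScopeSnapshots: missing or 1 = snapshots cover system files only (Win8+ client default);
#    0 = full-volume snapshots. Create or overwrite the DWORD if it is not already 0.
$scope = (Get-ItemProperty -Path $srKey -Name ScopeSnapshots -ErrorAction SilentlyContinue).ScopeSnapshots
if ($null -eq $scope) { Write-Host 'ScopeSnapshots not set: snapshots are scoped to system files' }
else                  { Write-Host "ScopeSnapshots = $scope" }
if ($scope -ne 0) {
    New-ItemProperty -Path $srKey -Name ScopeSnapshots -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'ScopeSnapshots set to 0 (full-volume snapshots from now on)'
}

# 2. Restore points made with Checkpoint-Computer are limited to one per 24 h on Win8+;
#    this value is the minimum interval in minutes, 0 removes the limit.
New-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Files excluded from every snapshot (REG_MULTI_SZ values; pagefile.sys/hiberfil.sys are not listed)
$exclKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot'
Write-Host "`nFilesNotToSnapshot:"
(Get-Item -Path $exclKey).GetValueNames() | ForEach-Object {
    '{0,-24} {1}' -f $_, ((Get-ItemPropertyValue -Path $exclKey -Name $_) -join '; ')
}

# 4. Turn protection on for the volume, show the store currently reserved for it,
#    then raise the maximum to 10 % of the volume so copies survive longer before rollover.
Enable-ComputerRestore -Drive $drive
vssadmin list shadowstorage /for=$vol
vssadmin resize shadowstorage /for=$vol /on=$vol /maxsize=10%

# 5. Create a snapshot right now and list everything that exists afterwards.
$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = $drive; Context = 'ClientAccessible' }
if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with return code $($r.ReturnValue)" }
Write-Host "Created shadow copy $($r.ShadowID)"

# Same information as `vssadmin list shadows`, but already parsed into objects.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object ID, InstallDate, VolumeName, DeviceObject |
    Format-Table -AutoSize
```

Enable-ComputerRestore and Checkpoint-Computer exist only in Windows PowerShell (not PowerShell 7) and only on client editions; the registry and CIM parts work everywhere. Re-run `vssadmin list shadows /for=c:` afterwards: if it still prints "No items found that satisfy the query", protection is not actually enabled for that volume.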
Restore points are created on a schedule (daily or weekly, depending on the version), when new hardware or software is installed, and on demand. Because the reserved space is limited, old copies are rolled over first in, first out: sometimes they survive for years, sometimes they are gone within days. Some OS versions keep earlier restore points but give no access to them; once the disk is read by an OS that can access them, you can browse them.
From a forensic point of view, these copies let you look at the OS as it was at earlier points in time, recover files that have since been deleted or overwritten (and at least the remnant metadata of files that can no longer be recovered in full), and compare user activity across those points. The shadow copy store files are system files that ordinary wiping software does not touch, so a wiped file often survives inside a copy. The caveat is the reverse of the same fact: an intruder who deletes the shadow copies themselves takes all of this with them, so check whether any copies exist before relying on the artefact.
More tools: https://coptr.digipres.org/index.php/Forensic_Acquisition_Utilities
Tools
KAPE (deduplicates files that are identical across copies) and Velociraptor (scales to many hosts) can collect files from VSCs on a live system. Arsenal Image Mounter, F-Response and vshadowmount expose whole shadow copies as volumes for full-volume analysis.
dd.exe for Windows. There used to be an FAU (Forensic Acquisition Utilities) package containing dd, but I could not find it, so I downloaded dd.exe separately.
To list the shadow copies on a PC, run the following built-in utility:
vssadmin list shadows /for=<path_to_drive>   # e.g. /for=c: for a logical drive; each entry shows the copy's ID, creation time and device name (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN)
Now collect the image with dd, using the N from that device name:
dd.exe if=\\.\HarddiskVolumeShadowCopy1 of=g:\shadow.img   # for Windows, with the above-mentioned version of dd, the operands are `if=` and `of=` rather than `-if` and `-of`
# what's --localwrt
Better go and have a cup of coffee since it takes a decent amount of time, tick-tock!
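Imaging every shadow copy in one pass, as an added example that is not from the original notes. It assumes the chrysocome dd.exe is in the current directory (hence the `if=`/`of=` syntax used above), that G:\vsc is an external drive with room for one full-volume image per copy, and that the bs=1M block-size spelling is accepted by that dd build. Win32_ShadowCopy is queried instead of parsing vssadmin output. Copies are processed oldest first, because the rollover may delete the oldest one while you work, and each image is hashed so the copy can be verified later. The mklink at the end is the usual trick to browse a copy as a folder when a full image is not needed.

```powershell
# Added example (not part of the original notes): image every shadow copy on the live system
# with dd.exe and hash each image. Assumptions: dd.exe is in the current directory, G:\vsc is a
# destination with enough free space, and bs=1M is understood by this dd build.
$dd   = '.\dd.exe'
$dest = 'G:\vsc'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Same list as `vssadmin list shadows`, already parsed; oldest first so the rollover cannot
# remove a copy from under us before we reach it.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $copies) {
    Write-Warning 'No shadow copies present (vssadmin would print: No items found that satisfy the query.)'
    return
}

foreach ($c in $copies) {
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; dd wants \\.\HarddiskVolumeShadowCopyN
    $n   = [int]($c.DeviceObject -replace '.*HarddiskVolumeShadowCopy', '')
    $dev = "\\.\HarddiskVolumeShadowCopy$n"
    $ts  = $c.InstallDate.ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $img = Join-Path $dest "vsc$n`_$ts.img"

    Write-Host ('{0}Z  {1}  {2}  ->  {3}' -f $ts, $c.ID, $c.VolumeName, $img)

    # This dd takes if=/of= without a leading dash.
    & $dd "if=$dev" "of=$img" bs=1M
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dd exited with code $LASTEXITCODE for $dev, skipping hash"
        continue
    }

    # Record the hash beside the image so the acquisition can be verified later.
    $h = Get-FileHash -Algorithm SHA256 -Path $img
    "$($h.Hash)  $(Split-Path -Path $img -Leaf)" | Set-Content -Path "$img.sha256"

    # Optional: expose the same copy as a folder for file-level triage.
    # The trailing backslash after the device name is required.
    $link = Join-Path $dest "mount$n"
    if (-not (Test-Path -Path $link)) {
        cmd /c mklink /d "$link" "$($c.DeviceObject)\" | Out-Null
    }
}
```

Each image is the size of the whole volume, not of the changed blocks, so three copies of a 500 GB volume need 1.5 TB at the destination; the folder link created by mklink needs no space at all and is the better first step when you only want to pull specific files.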
libvshadow is a library for processing VSCs; its tools vshadowinfo and vshadowmount do the work.
vshadowinfo [-o NTFS_volume_offset] image_or_volume   # -o is only needed for a full-disk (physical) image: give the byte offset of the NTFS partition; leave it out for a logical volume
# If you have an E01 instead of a raw image file, expose it as a raw image with ewfmount first
ewfmount image.E01 /mnt/ewf                 # the raw image appears as /mnt/ewf/ewf1
vshadowmount /mnt/ewf/ewf1 /mnt/vss          # expose every VSC as /mnt/vss/vss1, /mnt/vss/vss2, ... (use the same -o offset as above for a full-disk image)
cd /mnt/vss && ls                            # list all available VSC
mkdir -p /mnt/shadow_m/vss2
mount -o ro,loop,show_sys_files,streams_interface=windows vss2 /mnt/shadow_m/vss2   # mount a specific VSC; the -o list must not contain spaces. SIFT workstations now have an alias for this command: mountwin. ro: read-only. loop: mount a file that contains a file system rather than a block device (the same option used for an ISO file). show_sys_files: show the NTFS metadata files ($MFT, $LogFile, ...), which are normally hidden. streams_interface=windows: expose NTFS Alternate Data Streams as file:stream, the way Windows does.
# mount all the VSC available with a loop
for i in vss*; do mkdir -p /mnt/shadow_m/$i && mountwin $i /mnt/shadow_m/$i; done
# run a timeline tool against a mounted VSC
log2timeline.py plaso.dump /mnt/shadow_m/vss2
psort.py -w timeline.csv plaso.dump          # sort the events and drop duplicates
# fls from The Sleuth Kit is faster since it processes file-system metadata only; on Windows it can read a live VSC directly, and appending several VSCs to one bodyfile gives one combined timeline
fls -r -m C: \\.\HarddiskVolumeShadowCopy12 >> bodyfile
log2timeline.pl -f mactime -w timeline.csv -Z UTC bodyfile   # convert the bodyfile (legacy Perl log2timeline)