Backups

Created: 12.07.2023

*Most OSes and apps have some sort of time machine, backups if you will.*

Windows

📂 \System Volume Information\

🏺 Volume Shadow Copy

🛠 Tools

https://coptr.digipres.org/index.php/Forensic_Acquisition_Utilities

πŸ› οΈ KAPE (removes duplicates) and πŸ› οΈ Velociraptor (scalable) can capture the VSC on a live system. πŸ› οΈ Arsenal Image Mounter, πŸ› οΈ F-Response and πŸ› οΈ vshadowmount can be used for a full-volume analysis.

dd.exe for Windows. There used to be some FAU (Forensic Acquisition Utilities) package containing dd, but I could not find it, so I downloaded dd.exe separately.

To get the list of shadow copies from a PC, run the following built-in utility:

vssadmin list shadows /for=<path_to_drive> # e.g. /for=c: for a logical drive

Now, to collect the image with a dd:

dd.exe if=\\.\HarddiskVolumeShadowCopy1 of=g:\shadow.img # for Windows, using the above-mentioned version of dd, we type `if` and `of` instead of `-if` and `-of`.
# what's --localwrt

Better go and have a cup of coffee ☕️ since it takes a decent amount of time 🕰, tick-tock!

πŸ› οΈ libvshadow is a library that can be used to process VSC, its components πŸ› οΈ vshadowinfo and πŸ› οΈ vshadowmount to help.

📘 vshadowinfo [-o NTFS_volume_offset] image_or_volume # -o is optional and only used when analysing a physical drive, not a logical volume.

# If you have an E01 instead of a raw image file, use the ewfmount utility first
📘 ewfmount image.E01 /mnt/mountname # make the system see the E01 as a raw disk

📘 vshadowmount /mnt/mountname/submountname1 /mnt/vss # mount all VSCs at /mnt/vss

📘 cd /mnt/vss && ls # list all available VSCs

📘 mount -o ro,loop,show_sys_files,streams_interface=windows vss2 /mnt/shadow_m/vss2 # mount a specific VSC (no spaces after the commas in -o). SIFT workstations now have an alias for this command: mountwin.

ro mounts read-only. loop is used when mounting a file that contains a file system rather than a physical device (commonly used when mounting an ISO file). show_sys_files enables display of the NTFS system files, which are normally hidden. streams_interface=windows changes how NTFS Alternate Data Streams (ADS) are accessed, making it closer to how they are accessed on a Windows system.

# you can automatically mount all the VSCs available with a loop
for i in vss*; do mountwin $i /mnt/shadow_m/$i; done

# run a timeline tool against a retrieved VSC
📘 log2timeline.py plaso.dump imagefile
📘 psort.py plaso.dump # remove duplicates

📘 fls -r -m C: \\.\HarddiskVolumeShadowCopy12 >> bodyfile # can be used to analyse a VSC; it's faster since it processes metadata only.
📘 log2timeline.pl -f mactime -w timeline.csv -Z UTC bodyfile # convert the bodyfile into a CSV timeline
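As an added example (not from these notes or from any of the tools above), a small Python helper that parses `vssadmin list shadows` output, maps each Shadow Copy Volume name to the `\\.\HarddiskVolumeShadowCopyN` device that dd.exe and fls take above, and emits one dd.exe and one fls command per VSC in creation order. The sample output, GUIDs and output drive are constructed, and the exact vssadmin wording is assumed from its English output.

```python
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (not from a real host); GUIDs are placeholders.
SAMPLE = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
Contents of shadow copy set ID: {1c2d3e4f-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 7/1/2023 9:05:10 AM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {1c2d3e4f-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 7/12/2023 10:15:02 AM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
"""

def parse_vssadmin(text):
    """Return one dict per shadow copy: id, creation time string, original volume, device name."""
    copies, created = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Contained ") and "creation time:" in line:
            created = line.split("creation time:", 1)[1].strip()  # applies to the whole set
        elif line.startswith("Shadow Copy ID:") and created:
            copies.append({"id": line.split(":", 1)[1].strip(), "created": created})
        elif line.startswith("Original Volume:") and copies:
            copies[-1]["original"] = line.split(":", 1)[1].strip()
        elif line.startswith("Shadow Copy Volume:") and copies:
            copies[-1]["device"] = line.split(":", 1)[1].strip()
    return copies

def win32_device(shadow_volume):
    r"""Map \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN to the \\.\ form dd.exe and fls take."""
    prefix = r"\\?\GLOBALROOT\Device" + "\\"
    if not shadow_volume.startswith(prefix):
        raise ValueError("not a shadow copy device name: " + shadow_volume)
    return r"\\." + "\\" + shadow_volume[len(prefix):]

def acquisition_commands(text, out_drive="g:"):
    """One dd.exe and one fls line per VSC, oldest first (output drive is a constructed default)."""
    when = lambda c: datetime.strptime(c["created"], "%m/%d/%Y %I:%M:%S %p")  # US-English vssadmin timestamp
    cmds = []
    for c in sorted(parse_vssadmin(text), key=when):
        dev = win32_device(c["device"])
        n = dev.rsplit("ShadowCopy", 1)[1]  # keep the VSC number in the output file names
        cmds.append(f"dd.exe if={dev} of={out_drive}\\shadow{n}.img")
        cmds.append(f"fls -r -m C: {dev} >> {out_drive}\\bodyfile_vss{n}")
    return cmds
```

Sorting by creation time relies on the English date format; on a differently localised host adjust the strptime pattern before trusting the order.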

References

http://journeyintoir.blogspot.com/2012/03/volume-shadow-copy-timeline.html