*Most OS and apps have some sort of time machine, backups if you will. *
Windows
π \System Volume Information\
πΊ Volume Shadow Copy
π Tools
https://coptr.digipres.org/index.php/Forensic_Acquisition_Utilities
π οΈ KAPE (removes duplicates) and π οΈ Velociraptor (scalable) can capture the VSC on a live system. π οΈ Arsenal Image Mounter, π οΈ F-Response and π οΈ vshadowmount can be used for a full-volume analysis.
dd.exe for Windows. There used to be some FAU (Forensic Acquisition Utilities) package containing dd, but I could not find it, so I downloaded dd.exe separately.
To get the list of shadow copies from a PC, run the following built-in utility:
vssadmin list shadows /for=<path_to_drive> # /for=c: for a logial drive
Now, to collect the image with a dd:
dd.exe if=\\.\HardDiskVolumeShadowCopy1 of=g:\shadow.img # for Windows, using the above mentioned version of dd, we type `if` and `of` instead of `-if` and `-of`.
# what's --localwrt
Better go and have a cup of coffee βοΈ since it takes a decent amount of time π°, tick-tock!
π οΈ libvshadow is a library that can be used to process VSC, its components π οΈ vshadowinfo and π οΈ vshadowmount to help.
π vshadowinfo [-o NTFS_volume_offset] image_or_volume # -o is optional, and only use when analysing a phisical drive, not a logical volume.
# If you have a E01 instead of a raw image file, use ewfmount utility first
π ewfmount image.E01 /mnt/mountname # make the system see E01 as a raw disk
π vshadowmount /mnt/mountname/submountname1 /mnt/vss # mount all VSC at /mnt/vss
π cd /mnt/vss && ls # list all available VSC
π mount -o ro, loop, show_sys_files,streams_interface=windows vss2 /mnt/shadow_m/vss2 # mount specific VSC. SIFT workstations now have an alias for this command: mountwin. ro - read-only. loop - This option is used when you're mounting a file that contains a file system, rather than a physical device. For example, this option is commonly used when mounting an ISO file. show_sys_files enables display of system files, which are normally hidden. The last option changes how NTFS Alternate Data Streams (ADS) are accessed, making it more like how they are accessed on a Windows system.
# you can automatically mount all the VSC availble with a loop
for i in vss*; do mountwin $i /mnt/shadow_m/$i; done
# run a timeline tool agains a VSC retrieved
π log2timeline.py plaso.dump imagefile
π psort plaso.dump # remove duplicates
π fls -r -m C: \\.\HarddiskVolumeShadowCopy12 >> bodyfile # can be used to analyse VSC, it's faster since it processes metadata only.
π log2timeline.pl -f mactime -w timeline.csv -Z UTC bodyfile # convert