Monday 17 August 2009

Vista Volume Shadow Copy issues

Volume shadow copies in Vista are often the elephant sat in the corner in many cases. We know they exist and we know they can contain lots of data, but we often choose to ignore them.
A recent case required some keyword searches and an examination of picture files. At the completion of the keyword search most of the hits were within files with names similar to
{bab9c293-d150-12dc-a44f-021d253da909}{3708876a-d176-4f38-b7bb-05036c6bb821}
The view pane within Encase 6.14 displayed the contents in a nice light blue colour which I now know is a new feature in 6.14 to indicate the contents of uninitialised files. The files were all located within the System Volume Information folder on the root of the volume and are the Vista Volume Shadow Copies. By default 15% of the capacity of the volume is allocated by Vista to store these copies. The C4P graphics extractor enscript also carved most of the notable pictures out of the shadow copies.
At this stage I have known examiners report their findings alluding to the fact that the notable artefacts are within the file {bab9c293-d150-12dc-a44f-021d253da909}{3708876a-d176-4f38-b7bb-05036c6bb821}. In most cases I think you need to drill down further. In order to do this I mounted my Vista image with Encase PDE and used Liveview 0.7b to create a working VM using VMWare Workstation 6. Having logged into my suspect's account I ran a command prompt as administrator and entered the command
vssadmin list shadows /for=c:\

This provided a nice list of available shadow copies. Having selected one I entered the command (updated 13th Jan 2010)

mklink /d c:\shadow_copy7 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\
This created a symbolic link in the root of C which in Windows Explorer at any rate appears exactly like a shortcut to a folder. Clicking on it produced the error message shown below

I believed this error was probably generated by a permissions issue (SEE UPDATE BELOW), however I was not able to overcome it and Rob Lee over at Sans Computer Forensics suggests this methodology does not work. I think Jimmy Weg however has had some success with a program written by Dan Mares - VSS.exe. I therefore turned to ShadowExplorer version 0.4.382.0. This program allows the user to view the contents of Volume Shadow Copies that exist on any volumes within the installed system. The contents are displayed in an Explorer-like view allowing the user to export any file or folder to an export directory. I exported the User profile I was interested in to an export directory. Unfortunately it seems that only the Last Written date is preserved in this process and all other time stamps are stripped. I then tried to copy this export directory out of the VM to my workstation and encountered errors (probably due to files within the profile with illegal Windows file names). To overcome this I zipped up the export directory and copied the zip out of the VM. Once unpacked I then added the exported folders into Encase as single files and created logical evidence files from them.
Having done this I was able to resolve most of my keyword search hits and pictures to actual files as opposed to being simply within a volume shadow copy.

UPDATE 13th January 2010
The issue I had with the mklink command was due to a missing \ but not the trailing slash referred to in some comments below. The correct command is

mklink /d c:\shadow_copy7 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\
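The procedure above (list the shadow copies, then link each one with a trailing backslash and export a profile) as an added PowerShell example; this is not code from the post. It assumes an elevated prompt inside the booted VM, a profile folder named Users\suspect and an export drive E:, all of which are placeholders, and it uses robocopy so that the exported files keep every NTFS timestamp rather than only the Last Written date.

```powershell
param(
    [string]$DriveLetter = 'C:',
    [string]$ProfilePath = 'Users\suspect',   # assumed profile folder name
    [string]$ExportRoot  = 'E:\export'        # assumed export location
)

# Map the drive letter to its \\?\Volume{GUID}\ name so only its shadow copies are picked.
# On Vista-era PowerShell 2.0 replace Get-CimInstance with Get-WmiObject.
$volume  = Get-CimInstance Win32_Volume -Filter "DriveLetter='$DriveLetter'"
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

foreach ($s in $shadows) {
    # DeviceObject is the same path vssadmin prints:
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN (without a trailing backslash).
    if ($s.DeviceObject -notmatch 'HarddiskVolumeShadowCopy(\d+)$') { continue }
    $n      = $Matches[1]
    $link   = "$DriveLetter\shadow_copy$n"
    $target = $s.DeviceObject + '\'   # the trailing backslash is what makes the link usable

    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d "$link" "$target" | Out-Null
    }
    Write-Host ("Shadow copy {0,-3} created {1:u} -> {2}" -f $n, $s.InstallDate, $link)

    # Copy the profile out with data, attributes and all timestamps (/COPY:DAT) and
    # directory timestamps (/DCOPY:T); /XJ avoids looping through junction points.
    $src = Join-Path $link $ProfilePath
    if (Test-Path -LiteralPath $src) {
        $dst = Join-Path $ExportRoot ("shadow_copy$n\" + $ProfilePath)
        robocopy $src $dst /E /XJ /COPY:DAT /DCOPY:T /R:1 /W:1 /NP `
            /LOG+:"$ExportRoot\robocopy.log" | Out-Null
    }
}
```

The links are created in the root of the volume just as the post's manual mklink command does, so they can also be browsed in Explorer afterwards.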

9 comments:

johnmccash said...

Another excellent reference for this can be found at https://blogs.sans.org/computer-forensics/2008/10/10/shadow-forensics/

Jimmy_Weg said...

Yes, I was able to use Danny Mares' VSS, after I encountered the same issue with permissions. I did everything in a VM built from a dd image. I ran FTK Imager from a thumb and imaged the mounted shadow volume to a boxed USB drive. It went rather slowly, so it would be quite a project to create several images from one system. That's why I also used Shadow Explorer.

DC1743 said...

JohnMcCash,

I did link to the blog you reference in the post anyway I have now added the link as a reference - thanks.

Jimmy,

Apologies for the misspelling of your name. Is VSS.exe a paid-for program? I couldn't seem to establish this on Dan Mares' web site.

Regards

Troy said...

Contact me at my work address and I will send you my VSS imaging material. Imaging shadow copies is really the best way to go with VSS examination.

Troy

Rob Lee said...

I think you meant to say is that I say that it DOES work vs. does not. What I found is KEY to getting the mklink command to actually work is the TRAILING slash at the end of the line. Without it you will produce an error like the above. With it you will be successful in accessing the Shadow Snapshot in question.

troy said...

Rob,

You are quite correct. In my presentations I highlight the commands that need the trailing slash and those that do not. However, it is not necessary to create a symbolic link. You can mount the shadow copy as a share, which eliminates some of the difficulties that Explorer or NTFS might cause by mounting via a link.

DC1743 said...

Hi Troy and Rob,

Thanks for commenting. I am pleased I have some celebrity readers!

With regards to the trailing slash I did include this in the command but still got the error shown in the post. I revisited this today and tried the mklink command with the trailing slash, forward slash and without. All resulted in the same error (or didn't work at all).

Rob, I understood from your blog posting that you couldn't get this to work in a VM?

Troy, I found a presentation of yours at

http://www.slideshare.net/ctin/ctin-windows-fe-1256290

I have tried the dosdev.exe method you describe but the volume I created showed up as a disconnected network drive and I was unable to access it. The net share method appeared to work but I was unable to get my XP64 workstation to see the share in the vista VM.

Regards

Jimmy_Weg said...

VSS is free and available at http://www.dmares.com/index.htm.

Nathalie said...

You might want to try a program I wrote to easily access shadow copies on a system without having to fight with the system. It is TimeTraveler. It adds a timeline to Windows Explorer populated with time tics each representing a shadow copy. You move a time cursor to a tic and then it shows you the files from the selected time. It does this by mounting the corresponding volume shadow copy under a hidden folder on the system drive and by changing the Explorer address bar to point to the mounted folder. You can then use all the Explorer tools on the shadow copies. You might find it useful for searches on prior points-in-time. You will not have permission problems and the timestamps are always correct.

It is free for trial for 10 days.