
Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Fourth Edition

In this excerpt of Windows Forensic Analysis Toolkit, author Harlan Carvey discusses what Volume Shadow Copies are and how they affect forensic analysis in Windows 8.

The following is an excerpt from the book Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Fourth Edition, written by author Harlan Carvey and published by Syngress. This section from chapter three outlines what Volume Shadow Copies are and how the technology can be used to further an investigation.

What are "Volume Shadow Copies"?

VSCs are one of the new, ominous sounding aspects of the Windows operating systems (specifically, Windows XP, in a limited manner, and more so with Vista and Windows 7) that can significantly impact an analyst's examination. VSCs are significant and interesting as a source of artifacts, enough to require their own chapter.

With the release of Windows XP, Microsoft introduced the Volume Shadow Copy Service to provide functionality for backing up critical system files in order to assist with system recovery. With Windows XP, users and administrators saw this functionality as System Restore Points which were created automatically under various conditions (every 24 hours, when a driver was installed, etc.) and could also be created manually, as illustrated in Figure 3.1.

As illustrated in Figure 3.1, users can not only create Restore Points, but they can also restore the computer to an earlier time. This proved to be useful functionality, particularly when a user installed something (application, driver, etc.) that failed to work properly, or the system became infected with malware of some kind. Users could revert the core functionality of their systems to a previous state through the System Restore functionality. However, System Restore Points do not back up everything on a system; for example, user data files are not backed up (and are therefore not restored, either), and the data in the SAM hive of the Registry is not backed up, as you wouldn't want users to restore their system to a previous point in time and then be unable to log in because a previous password had been restored. So, while System Restore Points did prove useful when a user needed to recover their system to a previous state, they did little to back up user data or provide access to previous copies of other files. From a forensic analysis perspective, a great deal of historical data could be retrieved from System Restore Points, including backed up system files and Registry hives. Analysts still need to understand how backed up files can be "mapped" to their original file names, but the fact that the files are backed up at all is valuable in itself.

Figure 3.1: Windows XP System Restore Point functionality.

Tip: System Files in Restore Points

One benefit of system files being backed up to Windows XP System Restore Points is that when malware is installed as a device driver (an executable file with a ".sys" extension), it would be backed up to a Restore Point. If the installation process had included modifying the file time stamps so that the file appeared to have been created on the system during the original installation process, the true creation date could be verified via the master file table (MFT; see Chapter 4). Further, if there were six Restore Points, and the system file was not backed up in the older five Restore Points but was only available in the most recent one, this would also provide an indication that the observed creation date for the file was not correct.

With the release of Vista, the functionality provided by the Volume Shadow Copy Service to support services such as Windows Backup and System Restore was expanded. In particular, the amount and type of data captured by System Restore was expanded to include block-level, incremental "snapshots" of a system (only the modified information was recorded) at a given point in time. These "snapshots" -- known as VSCs -- appeared in a different manner to the user. VSCs operate at the block level within the file system, backing up and providing access to previous versions of system and user data files within a particular volume. As with System Restore Points, the actual backups are transparent to the user, but with VSCs, the user can restore previous versions of files through the Previous Versions shell extension, as illustrated in Figure 3.2 (from a Windows 7 system).

Figure 3.2: Windows 7

Okay, so what does this mean to the forensic analyst? From an analyst's perspective, there is a great deal of historical information within backed up files. Accessing these files can provide not just historical data (previous contents, etc.) but additional analysis can be conducted by comparing the available versions over time.

Registry keys

As you'd expect, there are several Registry keys that have a direct impact on the performance of the Volume Shadow Copy Service (VSS; the service which supports the various functions that lead to VSCs). As this is a Windows service, the primary key of interest is:

HKLM\System\CurrentControlSet\Services\VSS

However, it is important to understand that disabling the VSC Service may affect other applications aside from just disabling VSCs, such as Windows Backup. As such, care should be taken in disabling this service on production systems. Also, forensic analysts examining Vista and Windows 7 systems that do not appear to have any VSCs available should check this key to see if the service had been disabled prior to the system being acquired.

There's another key within the System hive that affects VSC behavior, and that is:

HKLM\System\CurrentControlSet\Control\BackupRestore

Beneath this key are three subkeys: FilesNotToBackup, FilesNotToSnapshot, and KeysNotToRestore. The names should be pretty self-explanatory, but just in case, the FilesNotToBackup key contains a list of files and directories that (according to Microsoft; additional information is available online at https://msdn.microsoft.com/en-us/library/bb891959(v=vs.85).aspx) backup applications should not back up and restore. On a default Windows 7 installation, this list includes temporary files (as in those in the %TEMP% directory), the pagefile, the hibernation file (if one exists), the Offline Files Cache, Internet Explorer index.dat files, as well as a number of log file directories. The FilesNotToSnapshot key contains a list of files that should be deleted from newly created shadow copies. Finally, the KeysNotToRestore key contains lists of subkeys and values that should not be restored. It should be noted that within this key, values that end in "\" indicate that subkeys and values for the listed key will not be restored, while values that end in "\*" indicate that existing subkeys and values for the listed key will not be restored from backup, but new values will be included from the backup.

Another Registry key to be very aware of is the following:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients

This key contains a value named "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}", and the data within that value will tell you which volumes are being monitored by the Volume Shadow Copy Service. The data for this value can contain multiple strings, each of which references a volume GUID and the drive letter for the volume, separated by a colon. This value will mirror what is listed in the Protection Settings section of the System Properties dialog, as illustrated in Figure 3.3.

Figure 3.3: System Properties dialog.

Tip: Finding VSCs

I've run into and used the SPP\Clients key quite a bit during examinations. One of the steps I take in order to orient myself to an image prior to an examination is to check (via FTK Imager or ProDiscover, usually) to see if there are any difference files available within the System Volume Information folder. In a number of cases, I've found none, and upon further examination, found that the VSS service was set to run automatically upon system boot. During examinations in which historical information would be very valuable, I will then verify the LastWrite time on the SPP\Clients key, and check the data of the "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}" value. Using this information, I can then state my findings based on those values in my report; many times, I find from the client that deleting or clearing the value is actually part of the standard system configuration for the enterprise.
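The three Registry checks described in this section (the VSS service start type, the BackupRestore exclusion lists, and the SPP\Clients value that the tip above walks through) gathered into one read-only PowerShell script. This is an added example, not code from the book; it assumes either a live system or System/Software hives loaded from an image with "reg load", in which case the HKLM:\ImgSys and HKLM:\ImgSoft names and the ControlSet001 path are placeholders you would adjust. The Start-value numbering is the standard Windows service convention.

```powershell
# Added example: summarize VSC-related Registry settings. Run as-is on a live
# system, or point the two roots at hives loaded from an image, e.g.
#   reg load HKLM\ImgSys  X:\Windows\System32\config\SYSTEM
#   reg load HKLM\ImgSoft X:\Windows\System32\config\SOFTWARE
# and pass -SystemRoot 'HKLM:\ImgSys\ControlSet001' -SoftwareRoot 'HKLM:\ImgSoft'
# (a loaded hive has no CurrentControlSet link; check Select\Current for the set).
param(
    [string]$SystemRoot   = 'HKLM:\SYSTEM\CurrentControlSet',
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE'
)

# Service "Start" values as stored under Services\<name>.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Volume Shadow Copy Service start type: a Disabled service explains an
#    image with no difference files in System Volume Information.
$vss = Get-ItemProperty -Path "$SystemRoot\Services\VSS" -ErrorAction SilentlyContinue
if ($vss) {
    "VSS service start type : $($startTypes[[int]$vss.Start]) ($($vss.Start))"
    if ([int]$vss.Start -eq 4) { "  -> VSS disabled; absence of VSCs is expected" }
} else {
    "VSS service key not found under $SystemRoot\Services"
}

# 2. Exclusion lists under Control\BackupRestore.
foreach ($sub in 'FilesNotToBackup', 'FilesNotToSnapshot', 'KeysNotToRestore') {
    $key = Get-Item -Path "$SystemRoot\Control\BackupRestore\$sub" -ErrorAction SilentlyContinue
    if ($key) {
        "$sub : $($key.ValueCount) entries"
        foreach ($name in $key.GetValueNames()) {
            # Multi-string data is joined so each entry prints on one line.
            "  $name = $($key.GetValue($name) -join ' | ')"
        }
    }
}

# 3. Volumes monitored by System Protection. The value data is a multi-string
#    whose entries are "<volume GUID path>:<drive letter>" (split on the first colon).
$clientsPath  = "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\SPP\Clients"
$clientsValue = '{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}'
$clients = Get-ItemProperty -Path $clientsPath -Name $clientsValue -ErrorAction SilentlyContinue
if ($clients -and $clients.$clientsValue) {
    "Monitored volumes (SPP\Clients):"
    foreach ($entry in @($clients.$clientsValue)) {
        $guid, $drive = $entry -split ':', 2
        "  $drive  ->  $guid"
    }
} else {
    "SPP\Clients value missing or empty: System Protection may have been cleared by policy"
}
```

The key's LastWrite time is not exposed by the Registry provider; record it with your forensic tool of choice when the value turns out to be empty.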

Live systems

Accessing VSCs on live Vista, Windows 2008, and Windows 7 systems is a relatively simple task, as Windows systems ship with the necessary native system tools to access VSCs. In order to see the available VSCs for the C:\ drive of the Vista or Windows 7 system that you're logged into, type the following command into a command prompt using elevated privileges (you may need to right-click the command prompt window and choose "Run as Administrator"):

C:\>vssadmin list shadows /for=c:

Example results of this command are illustrated in Figure 3.4.

Figure 3.4: Sample output of the vssadmin command.

As illustrated in Figure 3.3, the vssadmin command gathers considerable information about the VSCs available on the system.

Warning: WMI

The Windows Management Instrumentation (WMI) class Win32_ShadowCopy (documentation found online at https://msdn.microsoft.com/en-us/library/aa394428(v=VS.85).aspx) provides an interface for programmatically extracting much of the same information from Windows systems that the vssadmin command makes available. However, according to information available at the Microsoft web site (see the "Community Content" section of the previously linked page) at the time of this writing, this class is not supported on the 64-bit version of Windows 2008. Testing using a Perl script indicates that this is also true for Windows 7; the script didn't work at all on 64-bit Windows 7, but ran very well on the 32-bit edition. A sample of what is available via Perl (or other methods for accessing WMI classes) appears as follows:

Computer: WIN-882TM1JM2N2
DeviceObject: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
InstallDate: 20110421125931.789499-240
<snip>
VolumeName: \\?\Volume{d876c67b-1139-11df-8b47-806e6f6e6963}\

Figure 3.5: ShadowExplorer v0.8 interface.

Don't like the command line approach? Hey, that's okay -- it's not for everyone. Head on over to ShadowExplorer.com and get a copy of ShadowExplorer (at the time of this writing, version 0.8 is available). Download and run the setup file on your system in order to install ShadowExplorer on the system in question. The web site describes ShadowExplorer as being useful to all users, but especially so to users with Windows 7 Home Edition, who don't have access to VSCs by default. Once you install and launch ShadowExplorer, you will see the interface as illustrated in Figure 3.5.


As illustrated in Figure 3.5, you can use the drop-down selector beneath the menu bar to select the date of the VSC you would like to access; unfortunately, ShadowExplorer will only show you the VSCs available within the volume or drive (i.e., C:\, D:\) on which it is installed. Therefore, if your system has a D:\ drive, you'll need to rerun the installation program and install it on that drive, as well, in order to view the VSCs on that drive. Navigating through the tree view in the left-hand pane, locate the file for which you'd like to see a previous version, right-click the file and choose "Export" to copy that file to another location.

Going back to the command prompt, in order to access the VSCs on your live system and have access to the previous versions of files within those VSCs, you'll need to make a symbolic link to a VSC. To do that, go to the listing for a VSC, as illustrated in Figure 3.3, and select (you'll need to have Quick Edit mode enabled in your command prompt) the VSC identifier, which appears after "Shadow Copy Volume." Then go back to the prompt and type the following command:

C:\>mklink /d C:\vsc

Do not hit the Enter key at this point. Once you get that far with the command, right-click to paste the selected VSC identifier into the prompt and then add a trailing slash ("\"), so that the command looks like the following:

C:\>mklink /d C:\vsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\

Remember to add the trailing slash to the command -- this is very important! This is not something that is clearly documented at the Microsoft site, but it has been found to be the case by a number of forensic analysts, including Rob Lee, of SANS fame, and Jimmy Weg, a law enforcement officer from Montana. Now, go ahead and hit the Enter key, and you should see that the symbolic link was successfully created. You can now navigate to the C:\vsc directory, and browse and access the files via the command prompt or Windows Explorer. Once you're done doing whatever you're going to do with these files (review, copy, etc.), type the following command to remove the symbolic directory link:

C:\>rmdir C:\vsc

This series of commands is going to be very important throughout the rest of this chapter, so it's important that we understand some of the key points. First, use the vssadmin command to get the list of VSCs for a particular volume; note that when you run the command from the command prompt, you do not have to be in that volume. For example, if you want to list the VSCs for the D:\ volume, you can do so using the following command, run from the C:\ volume:

C:\>vssadmin list shadows /for=d:

Once you know which VSC you'd like to access, you can use the mklink command to create a symbolic link to that VSC. Remember, you must be sure that the VSC identifier (i.e., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\) ends with a trailing slash. Finally, once you've completed working in that VSC, you remove the symbolic link with the rmdir command.
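The vssadmin, mklink and rmdir sequence summarized above, wrapped into one PowerShell script as an added example (not code from the book). It assumes an elevated prompt on the live system, defaults of c: for the volume and C:\vsc for the link, and uses listing the Registry hives inside the snapshot as its sample activity; the parser keys off the "creation time:" and "Shadow Copy Volume:" lines of vssadmin's output.

```powershell
# Added example: list VSCs for a volume, link the chosen one with mklink (note the
# trailing backslash), do some read-only work inside it, then remove the link.
# Run from an elevated PowerShell prompt; mklink and rmdir are cmd.exe builtins,
# so they are invoked through "cmd /c" exactly as the text types them.
param(
    [string]$Volume   = 'c:',       # volume whose shadow copies to list
    [string]$LinkPath = 'C:\vsc',   # directory link to create
    [int]$Index       = 0           # which entry of the vssadmin listing to use
)

# Parse "vssadmin list shadows /for=<volume>" into objects holding the creation
# time and the device path that follows "Shadow Copy Volume:".
function Get-ShadowCopyList {
    param([string]$ForVolume)
    $lines = & vssadmin.exe list shadows "/for=$ForVolume" 2>&1
    $current = $null
    foreach ($line in $lines) {
        if ("$line" -match 'creation time:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Created = $matches[1].Trim(); Device = $null }
        }
        elseif ("$line" -match 'Shadow Copy Volume:\s*(\S+)' -and $current) {
            $current.Device = $matches[1]
            $current                      # emit one object per shadow copy
        }
    }
}

$shadows = @(Get-ShadowCopyList -ForVolume $Volume)
if ($shadows.Count -eq 0) { throw "vssadmin reported no shadow copies for $Volume" }
$shadows | Format-Table Created, Device -AutoSize | Out-String | Write-Host

$target = $shadows[$Index].Device
# The trailing backslash is what makes the link browsable (see the text above).
if (-not $target.EndsWith('\')) { $target += '\' }

if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; choose another link path" }
cmd /c mklink /d $LinkPath $target | Out-Null
if (-not (Test-Path -LiteralPath $LinkPath)) { throw "mklink failed for $target (elevated prompt?)" }

try {
    # Sample activity inside the snapshot: the Registry hives as they existed then.
    Get-ChildItem -LiteralPath "$LinkPath\Windows\System32\config" -ErrorAction Stop |
        Where-Object { 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY' -contains $_.Name } |
        Select-Object Name, Length, LastWriteTime
}
finally {
    # rmdir removes only the directory link, never the snapshot's contents.
    cmd /c rmdir $LinkPath | Out-Null
}
```

Copy anything you need out of the link before the finally block runs; as the warning later in this chapter notes, the snapshot itself can be aged out by the live system while you work.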

ProDiscover

A number of commercial forensic analysis applications provide access to VSCs within acquired images, and ProDiscover is just one of those applications. However, ProDiscover is also the only commercial forensic analysis application to which I have access. As such, I briefly mention its ability to access VSCs on live systems here. For those who want more detailed information on how to use ProDiscover for this purpose, Christopher Brown posted a five-page PDF format paper at the Technology Pathways, LLC, web site that describes how to use ProDiscover IR (the Incident Response Edition) to access and acquire VSCs on remote live systems. This can be very valuable to an investigator who needs to quickly access these resources in another location, or to do so surreptitiously. The paper can be found on the web at http://toorcon.techpathways.com/uploads/LiveVolumeShadowCopyWithProDiscoverIR.pdf.

F-Response

If you're a user of the fantastic F-Response tool from Matt Shannon, particularly the Enterprise Edition (EE), you'll be very happy to know that you can use this product to access VSCs on remote systems. This may be important for a variety of reasons; a user within your enterprise environment may have "lost" an important file that they were working on, you may need to access an employee's system surreptitiously, or you may need to quickly acquire data from a system located in another building in another area of the city. While I generally don't recommend acquiring full system images over the network, even over a VPN, you can use tools like F-Response EE, which provides read-only access to the remote system drive, in order to collect specific information and selected files from remote systems very quickly. This will allow you to perform a quick triage of systems, and potentially perform a good deal of data reduction and reduce the impact of your response activities on your organization by identifying the specific systems that need to be acquired.

That being said, perhaps the best way to discuss F-Response EE's ability to provide access to VSCs is through a demonstration. Before describing the setup I used and walking through this demonstration, I need to make it clear that I used F-Response EE because Matt was gracious enough to provide me with a copy to work with; this process that I'm going to walk through can be used with all versions of F-Response, including the Consultant and Field Kit editions.

Tip: F-Response VSC Demo Setup

For my demonstration, I don't have a full network to "play with," so I opted to use the tools that I do have available. I booted my 64-bit Windows 7 Professional analysis system, and then started up a 32-bit Windows 7 Ultimate virtual machine (VM) in VMPlayer. I had set the Network Adapter in the settings for the VM to "bridged," so that the VM appeared as a system on the network. For the demonstration, the IP address of the running VM was 192.168.1.8, and the IP address of the host was 192.168.1.5. On both systems, the Windows firewalls were disabled (just for the demonstration, I assure you!) in order to simulate a corporate environment. Also, it is important to note that Windows 7 ships with the iSCSI initiator already installed, so I didn't need to go out and install it separately.

Again, this demonstration makes use of F-Response EE (thanks to Matt Shannon for allowing me the honor to work with this wonderful tool!). Once I logged into my analysis system, I plugged in my F-Response EE dongle and launched the F-Response License Manager Monitor to install and start the License Manager service. I then launched the F-Response Enterprise Management Console (FEMC) and started by configuring the credentials that I would be using to access the remote system. I clicked File→Configure Credentials… from the menu bar, and entered the appropriate username/password information to access the remote system (if you're in an Active Directory domain, check the "Use Current User Credentials" option). Next, I clicked File→Configure Options… and configured my deployment options appropriately (for this demo, I didn't select the "Physical Memory" option in the Host Configuration section).

Figure 3.6: FEMC Direct Connect UI.

As I was going to connect to a specific system, I selected Scan→Direct Scan from the menu bar, and entered the IP address of the target system (i.e., 192.168.1.8), and clicked the Open button. Once the connection was made, F-Response was installed and started on the target system, as illustrated in Figure 3.6.

From there, I logged into the C:\ volume on the target host, and that host's C:\ drive appeared on my analysis system as the F:\ volume. I then ran the following command on my analysis system:

C:\>vssadmin list shadows /for=f:


In order to access the oldest VSC listed (HarddiskVolumeShadowCopy17, created on January 4, 2011), I entered the following command in a command prompt on my analysis system:

C:\>mklink /d d:\test \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy17\

This command created a symbolic link on my analysis system called "d:\test" that contained the contents of a VSC created on the target system on January 4, 2011, and allowed me to access all of the files within that directory, albeit via the read-only access provided by F-Response EE.

Warning: Accessing VSCs on Live Systems

It is very important to remember that when you're accessing VSCs on live systems, that system, whether accessed remotely or locally, is still subject to operating normally. What this means is that if you're accessing the oldest VSC that you found, the system itself is still going about its normal operations, and that VSC could be overwritten to make room for another VSC, as under normal conditions, the VSCs are subject to the "first-in-first-out" (FIFO) process. This actually happened to me while I was working on some of the demonstrations listed in this chapter. The remote live system continued to operate normally, and the VSC I was accessing was removed simply because I had taken too long to complete the testing (I was just browsing through some of the files). I had to back out of my demonstration and restart it. When I did, I found that the output of the vssadmin command was quite a bit different, particularly with respect to the dates on which the available shadow copies had been created.

Another very important aspect of accessing VSCs (and this applies to accessing VSCs within images, as well) is that you need to be very careful about the files you click or double-click on. Remember, if you double-click a file that is in a VSC on a remote system, your analysis system is going to apply its own rules to accessing and opening that file. This means that if you see a PDF file that you'd like to click on, you should be very sure that it wasn't what led to the remote system being infected in the first place. If it is a malicious PDF, and your system isn't protected (updated antivirus (AV) and PDF viewer, etc.), then your system may become infected, as well.

As I mentioned, there are a number of commercial forensic analysis applications and tools that provide analysts and responders with the ability to access VSCs on remote systems, and what we've discussed here are only a few of your (and my) available options. The application and methodology you choose to use depends largely on your needs, abilities, and preferences (and, of course, which tool or set of tools you can afford).

About the author:
Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

This was last published in December 2014
