Windows Shadow Volumes

From ForensicsWiki

{{expand}}

==Volume Shadow Copy Service==
Windows has included the Volume Shadow Copy Service (VSS) in its releases since Windows XP. The service periodically creates differential, block-level snapshots of a volume which, from Windows Vista onward, are what System Restore uses as restore points. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

In Windows 8 the Previous versions feature appears to have been superseded by File History. The on-disk shadow copy structures themselves look unchanged from earlier versions.

Windows Shadow Copy is a service that creates backup copies of disk volumes, either on demand or automatically. Automatic copies are created when Windows performs a scheduled backup or creates a system restore point, which happens before Windows Updates are installed and whenever Windows decides that a new restore point is due. That decision depends on both system idle time and the time elapsed since the previous restore point: one day on Windows Vista, seven days on Windows 7 and newer. Windows XP creates restore points every 24 hours regardless of system activity.

A shadow copy is not a full clone of the volume. When it is created, the provider records the state of the volume at that instant; from then on, whenever a block of the live volume (16 KB for Microsoft's software provider) is about to be overwritten, the original contents of that block are first copied into a "diff area" kept in the System Volume Information directory, normally on the same volume. Reading a shadow copy therefore means reading the live volume for blocks that have not changed since the snapshot and the diff area for blocks that have. Because each shadow copy reflects only the moment it was taken, the data relevant to a forensic investigation may be spread across several shadow copies, or be absent from all of them.
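
The PowerShell below is an added example, not code from the ForensicsWiki page or from Microsoft. It lists the shadow copies present on a live system, with the instant each was taken and the device path through which it can be read, together with the diff-area limits that decide when the oldest copies are discarded. It uses only Microsoft's Win32_ShadowCopy, Win32_ShadowStorage and Win32_Volume CIM classes and must be run from an elevated PowerShell 5.1 or later session; the function names are the example's own.

```powershell
# Added example (not from the ForensicsWiki page): inventory the shadow copies
# on a live system and the diff-area limits that decide when the oldest are
# discarded. Elevated PowerShell 5.1 or later. Function names are the example's
# own; Win32_ShadowCopy, Win32_ShadowStorage and Win32_Volume are Microsoft's.

# Win32_ShadowStorage.MaxSpace reports this value when no limit is configured.
$UNBOUNDED = [uint64]::MaxValue

function Get-VolumeLetterMap {
    # VSS classes name volumes by GUID path (\\?\Volume{...}\); map to letters.
    $map = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        $map[$v.DeviceID] = if ($v.DriveLetter) { $v.DriveLetter } else { $v.DeviceID }
    }
    return $map
}

function Resolve-VolumeName([hashtable]$Map, [string]$Name) {
    if ($Name -and $Map.ContainsKey($Name)) { $Map[$Name] } else { $Name }
}

function Get-ShadowCopyInventory {
    $letters = Get-VolumeLetterMap
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate |
        ForEach-Object {
            [pscustomobject]@{
                Created          = $_.InstallDate        # the one instant this copy can testify to
                Volume           = Resolve-VolumeName $letters $_.VolumeName
                Persistent       = $_.Persistent         # non-persistent copies vanish when the backup that requested them finishes
                ClientAccessible = $_.ClientAccessible   # true for System Restore / Previous versions snapshots
                DeviceObject     = $_.DeviceObject       # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, usable with mklink /d
                Id               = $_.ID
            }
        }
}

function Get-ShadowStorageLimits {
    $letters = Get-VolumeLetterMap
    foreach ($s in Get-CimInstance -ClassName Win32_ShadowStorage) {
        $max = [uint64]$s.MaxSpace
        [pscustomobject]@{
            # Volume and DiffVolume are references to Win32_Volume; Get-CimInstance
            # returns them as instances carrying the key property DeviceID.
            Volume      = Resolve-VolumeName $letters $s.Volume.DeviceID
            DiffVolume  = Resolve-VolumeName $letters $s.DiffVolume.DeviceID   # where the copy-on-write data lives
            UsedMB      = [math]::Round($s.UsedSpace / 1MB)
            AllocatedMB = [math]::Round($s.AllocatedSpace / 1MB)
            MaxMB       = if ($max -eq $UNBOUNDED) { 'UNBOUNDED' } else { [math]::Round($max / 1MB) }
            # Once UsedSpace reaches MaxSpace, VSS deletes the oldest shadow copies
            # of this volume: a small limit on a busy volume means a short history.
            NearLimit   = ($max -ne $UNBOUNDED) -and ([uint64]$s.UsedSpace -gt 0.9 * $max)
        }
    }
}

# vssadmin list shadows / vssadmin list shadowstorage read the same data and
# make a good cross-check when reporting the inventory.
Get-ShadowCopyInventory | Format-Table -AutoSize
Get-ShadowStorageLimits | Format-Table -AutoSize
```

Record the Created column of every copy before touching anything else on the system: the list is the only evidence of which points in time the volume can still be viewed at, and any write-heavy activity (including an examiner's own tooling) can push UsedSpace past MaxSpace and silently discard the oldest entries.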

==History==

Shadow copies were first available in Windows XP and Windows Server 2003, and have been present in every subsequent client and server release, up to and including Windows 10.

Although every current Windows and Windows Server release has shadow volume capability, the way each one creates and exposes shadow copies varies, as described below.
===Windows XP and Server 2003===

Windows XP introduced the Volume Snapshot Service, where it is used by NTBackup to take non-persistent snapshots for the duration of a backup. Windows Server 2003 added persistent snapshots, with up to 512 snapshots per volume, stored incrementally: only the blocks that change after a snapshot is taken consume space.

System Restore in Windows XP does not use these snapshots. It uses a simpler, file-based mechanism: the moment an application attempts to overwrite a monitored system file, Windows XP first copies that file to a separate restore-point folder. XP restore points therefore cover only files such as DLLs, executables and registry hives, along with a few other monitored types, and never a user's documents.
===Windows Vista, Windows 7, and Server 2008===

Many Windows components were updated to make use of shadow copies in these versions. The Backup and Restore utility uses shadow copies for both its file-based and its sector-by-sector (system image) backups. The System Protection components use VSS to create and maintain periodic copies of system and user data on the same local volume, which the System Restore utility and the Previous versions tab of a file's properties dialog can then access locally.
===Windows 8 and Server 2012===

These versions still support persistent shadow copies, but Windows 8 dropped the GUI needed to browse them conveniently: the Previous versions tab of the file properties dialog was removed for local volumes, so there is no built-in way to browse, search or recover older versions of files from local shadow copies. The snapshots themselves are still created and can still be enumerated with vssadmin and examined with the tools listed below.
===Windows 10===

Windows 10 brought the Previous versions tab back to the file properties dialog. The tab is now fed by the File History feature, and by the volume's shadow copies only where System Protection is enabled for that volume.
==Shadow Volume Copies in Digital Forensics==

===Why Shadow Copies are Important to Forensics===

Windows shadow volumes matter to digital forensics because they can provide data that is otherwise unavailable. From them an investigator can recover deleted files and earlier versions of files and system artifacts as they were before the investigation began, which makes them an excellent source for discovering data a user has since deleted or altered.
===Limitations of Shadow Copies in forensic investigations===

A shadow copy gives an investigator files as they existed at the instant the snapshot was taken, so it can yield files deleted between that instant and the start of the investigation. It holds exactly one version of each file per snapshot: changes made and undone between two snapshots, or before the oldest surviving snapshot, are not recorded anywhere. Because the copy-on-write mechanism works on blocks rather than files, a snapshot is not a list of file versions either; it is the whole volume as it was, reconstructed from the live blocks that have not changed plus the saved originals of those that have. A file is therefore only in a shadow copy if it existed at snapshot time, and a file created and deleted between two snapshots leaves no trace in either.

Additionally, depending on the system's settings, the service (System Protection) may be turned off, so that no shadow copies are stored at all. The diff-area size limit may also be too small to hold multiple shadow copies, or even one if the volume changes more than the limit allows. When the limit is reached, Windows deletes the oldest shadow copies to make room, so heavy disk activity after an event of interest can erase the very snapshots that would have revealed it. Shadow copies can also be removed deliberately, with vssadmin delete shadows or by shrinking their storage area, which is a step ransomware and other anti-forensic tooling commonly takes. For these reasons, shadow copies are an aid in a forensic investigation, not a guaranteed source of useful information.
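
As an added example, not code from the ForensicsWiki page or from any of the tools linked below, the PowerShell here does by hand what the "how to analyze" articles describe: it exposes one shadow copy through a directory symbolic link and walks a subtree to find files that were deleted or modified after the snapshot, the recovery scenario described above. It assumes an elevated PowerShell 5.1 or later session on the live system and uses Microsoft's Win32_ShadowCopy class and cmd.exe's mklink; the function names, the link path C:\vsc_latest and the user folder Users\alice\Documents are the example's own. Its output is bounded by the limitation just described: a file created and deleted between two snapshots appears in neither.

```powershell
# Added example: expose a shadow copy as a directory and diff it against the
# live volume. Elevated PowerShell 5.1+ on the live system. Names are this
# example's own; Win32_ShadowCopy and mklink are Microsoft's.

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # from Win32_ShadowCopy.DeviceObject
        [Parameter(Mandatory)][string]$LinkPath        # e.g. C:\vsc_latest (must not exist yet)
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # The trailing backslash on the device path is required; without it the
    # link is created but cannot be traversed.
    & cmd.exe /c mklink /d "$LinkPath" "$DeviceObject\" | Out-Null
    if (-not (Test-Path -LiteralPath $LinkPath)) { throw "mklink failed for $DeviceObject" }
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$LinkPath)
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    & cmd.exe /c rmdir "$LinkPath" | Out-Null
}

function Compare-ShadowToLive {
    param(
        [Parameter(Mandatory)][string]$ShadowRoot,   # the link created by Mount-ShadowCopy
        [Parameter(Mandatory)][string]$LiveRoot,     # root of the same volume, e.g. C:\
        [string]$SubPath = 'Users'                   # keep the walk small; whole-volume walks take hours
    )
    $shadowBase = (Join-Path $ShadowRoot $SubPath).TrimEnd('\')
    $liveBase   = (Join-Path $LiveRoot   $SubPath).TrimEnd('\')

    Get-ChildItem -LiteralPath $shadowBase -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $rel  = $_.FullName.Substring($shadowBase.Length + 1)
        $live = Join-Path $liveBase $rel
        if (-not (Test-Path -LiteralPath $live)) {
            # Present at snapshot time, gone now: recoverable by copying $_.FullName out.
            [pscustomobject]@{ Status = 'DeletedSinceSnapshot'; Path = $rel
                               SnapshotSize = $_.Length; SnapshotMTimeUtc = $_.LastWriteTimeUtc }
        }
        else {
            $cur = Get-Item -LiteralPath $live -Force
            # Cheap metadata check first; hash only when it says something changed,
            # so touched-but-identical files are not reported.
            if ($cur.Length -ne $_.Length -or $cur.LastWriteTimeUtc -ne $_.LastWriteTimeUtc) {
                $h0 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $h1 = (Get-FileHash -LiteralPath $live       -Algorithm SHA256).Hash
                if ($h0 -ne $h1) {
                    [pscustomobject]@{ Status = 'ModifiedSinceSnapshot'; Path = $rel
                                       SnapshotSize = $_.Length; SnapshotMTimeUtc = $_.LastWriteTimeUtc }
                }
            }
        }
      }
}

# Usage: take the most recent snapshot of C:, look at one user's documents, clean up.
$cVolume = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$vsc = Get-CimInstance -ClassName Win32_ShadowCopy |
       Where-Object { $_.VolumeName -eq $cVolume } |
       Sort-Object -Property InstallDate | Select-Object -Last 1
if (-not $vsc) { throw 'No shadow copies of C: exist (System Protection off, or already discarded).' }
Mount-ShadowCopy -DeviceObject $vsc.DeviceObject -LinkPath 'C:\vsc_latest'
try {
    "Snapshot taken $($vsc.InstallDate)"
    Compare-ShadowToLive -ShadowRoot 'C:\vsc_latest' -LiveRoot 'C:\' -SubPath 'Users\alice\Documents' |
        Format-Table -AutoSize
}
finally {
    Dismount-ShadowCopy -LinkPath 'C:\vsc_latest'
}
```

Run the comparison once per shadow copy, oldest first, when the question is when a file changed or disappeared: each copy narrows the window to the interval between its own creation time and the next one. Creating the link and hashing files writes nothing to the snapshotted volume other than the link itself, but on a live system it is still safer to image the volume first and run the same procedure against the image, as the [[Mount shadow volumes on disk images]] page describes.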
  
 
== Also see ==
* [[Windows]]
* [[Windows File History | File History]]
* How to: [[Mount shadow volumes on disk images]]
 
== External Links ==

=== How to analyze Shadow Volumes ===
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
* [http://windowsir.blogspot.ch/2011/01/more-vscs.html More VSCs], by [[Harlan Carvey]], January 2011
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
* [http://journeyintoir.blogspot.ch/2012/01/ripping-volume-shadow-copies.html Ripping Volume Shadow Copies – Introduction], by [[Corey Harrell]], January 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-method.html Ripping VSCs – Practitioner Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-examples.html Ripping VSCs – Practitioner Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-method.html Ripping VSCs – Developer Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-examples.html Ripping VSCs – Developer Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/examining-vscs-with-gui-tools.html Examining VSCs with GUI Tools], by [[Corey Harrell]], February 2012
* [http://dfstream.blogspot.ch/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html VSC Toolset: A GUI Tool for Shadow Copies], by [[Jason Hale]], March 2012
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examine Shadow Volumes?”], by [[Jimmy Weg]], August 2012
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre "Examining shadow copies with Reconnoitre (and without vssadmin), it's as easy as 1, 2, 3"], by [[Paul Sanderson]], January 2013
* [http://computerforensicsblog.champlain.edu/2014/02/05/volume-shadow-copy-part-2/ Volume Shadow Copy Part 2], by Ryan Montelbano, Scott Barrett, Jacob Blend, February 5, 2014
* [http://computerforensicsblog.champlain.edu/2014/02/26/volume-shadow-copy-part-3/ Volume Shadow Copy Part 3], by Scott Barrett, February 26, 2014
* [http://computerforensicsblog.champlain.edu/2014/03/26/volume-shadow-copy-part-4/ Volume Shadow Copy Part 4], by Ryan Montelbano, March 26, 2014

=== Shadow Volumes in depth ===
* [http://www.qccis.com/docs/publications/WP-VSS.pdf Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7], by [[James Crabtree]] and [[Gary Evans]], 2010
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Volume%20Shadow%20Snapshot%20(VSS)%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Paper%20-%20Windowless%20Shadow%20Snapshots.pdf Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows] and [http://www.basistech.com/about-us/events/open-source-forensics-conference/ OSDFC 2012] [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Slides%20-%20Windowless%20Shadow%20Snapshots.pdf Slides], by [[Joachim Metz]], October 2012

=== Other ===
* [http://lanmaster53.com/talks/#hack3rcon2 Lurking in the Shadows – Hack3rcon II]
* [http://pauldotcom.com/2012/10/volume-shadow-copies---the-los.html Volume Shadow Copies - The Lost Post], [[Mark Baggett]], October 2012
  
 
== Tools ==
* [http://www.shadowexplorer.com/ ShadowExplorer]
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
* [[X-Ways AG|X-Ways Forensics]]
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Reconnoitre]
* Vssadmin - command-line utility included in Windows XP and later. It lists shadow copies (vssadmin list shadows), their storage settings (vssadmin list shadowstorage) and the installed shadow copy writers and providers, and can delete shadow copies or resize their storage area; creating shadow copies with vssadmin create shadow is supported only on Windows Server editions.
* [[Forensic_Toolkit | Forensic Tool Kit]]

==Sources==
* [http://blog.szynalski.com/2009/11/volume-shadow-copy-system-restore/] (blog.szynalski.com, November 2009)
* [https://msdn.microsoft.com/en-us/library/windows/desktop/aa378910(v=vs.85).aspx] (MSDN, Volume Shadow Copy Service)

[[Category:Volume Systems]]

Latest revision as of 23:03, 26 October 2016
