OLE Compound File

From Forensics Wiki

The '''Object Linking and Embedding (OLE) Compound File (CF)''' is used by other file formats as their underlying container file.
It allows data to be stored in multiple streams.

The OLECF is also known as:
* Compound Binary File (current name used by [[Microsoft]])
* Compound Document File (name used by [[OpenOffice]])
* OLE2 file

== MIME types ==

Because the OLECF by itself is just a container, it does not have a MIME type of its own.
A MIME type assigned to an OLECF refers to its contents.

== File signature ==

The OLECF has the following file signature:
<pre>
d0 cf 11 e0 a1 b1 1a e1
</pre>

For the beta version the following signature was used:
<pre>
0e 11 fc 0d d0 cf 11 0e
</pre>

The OLECF has no distinct footer.

== Contents ==

The OLECF uses a FAT-like file system to define the blocks (sectors) assigned to each stream, using multiple allocation tables.
It uses a directory structure to define the names of the streams.
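As an added example (not code from the Forensics Wiki page or from libolecf), the following Python builds a minimal compound file in memory and then parses it the way this section describes: it checks for either signature, loads the FAT through the header's DIFAT array, walks the directory sectors and follows a stream's sector chain. It assumes the version 3 layout with 512-byte sectors and the field offsets given in MS-CFB, treats the directory name-length field as a byte count (the caveat noted under External Links), skips streams small enough to live in the mini stream, and caps chain walks so a corrupted FAT cannot loop the parser forever.

```python
import struct

MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # current OLECF signature (from the page)
MAGIC_BETA = bytes.fromhex("0e11fc0dd0cf110e")  # beta-era signature (from the page)
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM, SECTOR = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 512

def _dir_entry(name, otype, child, start, size):
    n = name.encode("utf-16-le") + b"\x00\x00"  # the name-length field counts BYTES incl. this terminator
    e = bytearray(128)
    e[:len(n)] = n
    struct.pack_into("<HBBIII", e, 0x40, len(n), otype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)

def build_sample(payload):
    """Constructed minimal v3 OLECF (512-byte sectors): 0 = FAT, 1 = directory, 2.. = stream 'Data'."""
    nsect = -(-len(payload) // SECTOR)
    hdr = bytearray(MAGIC.ljust(SECTOR, b"\x00"))                 # the header occupies one full sector
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # counts, pointers
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)    # DIFAT: the FAT lives in sector 0
    chain = [FATSECT, ENDOFCHAIN] + list(range(3, nsect + 2)) + [ENDOFCHAIN]
    fat = struct.pack("<128I", *chain, *[FREESECT] * (128 - len(chain)))
    root = _dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + _dir_entry("Data", 2, NOSTREAM, 2, len(payload))
    return bytes(hdr) + fat + root.ljust(SECTOR, b"\x00") + payload.ljust(nsect * SECTOR, b"\x00")

def read_streams(data):
    """Check the signature, load the FAT via the DIFAT, walk the directory, extract regular streams."""
    if data[:8] not in (MAGIC, MAGIC_BETA):
        raise ValueError("not an OLE compound file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir, _, cutoff = struct.unpack_from("<IIII", data, 0x2C)  # cutoff: mini-stream threshold
    sect = lambda i: data[(i + 1) * ssz:(i + 2) * ssz]           # sector i follows the header
    fat = [v for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]
           for v in struct.unpack_from(f"<{ssz // 4}I", sect(s))]
    def chain(start):  # ENDOFCHAIN/FREESECT are out of range and stop it; the length cap defeats cycles
        out = []
        while start < len(fat) and len(out) < len(fat):
            out.append(start)
            start = fat[start]
        return out
    streams, blob = {}, b"".join(sect(s) for s in chain(first_dir))
    for off in range(0, len(blob), 128):
        e = blob[off:off + 128]
        nlen, otype = struct.unpack_from("<HB", e, 0x40)
        start, size = struct.unpack_from("<IQ", e, 0x74)
        if otype == 2 and 2 <= nlen <= 64 and size >= cutoff:  # stream objects only; mini streams skipped
            name = e[:nlen - 2].decode("utf-16-le", "replace")
            streams[name] = b"".join(sect(s) for s in chain(start))[:size]
    return streams
```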

The OLECF is used to store:
* [[Microsoft Office]] 97-2003 documents:
** [[Word Document (DOC)]]
** [[Excel Spreadsheet (XLS)]]
** [[Powerpoint Presentation (PPT)]]
* MSN (Toolbar) (C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\MSNe\msninfo.dat)
* [[Jump Lists]]
* StickyNotes.snt
* [[Thumbs.db]]
* Windows Installer (.msi) and patch files (.msp)

== External Links ==

* [http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf Compound Binary File Specification], by [[Microsoft]]. Be warned that this document contains at least one error: the directory entry name length is a size in bytes, not in characters.
* [http://msdn.microsoft.com/en-us/library/dd942138.aspx MS-CFB: Compound File Binary File Format], by [[Microsoft]]
* [http://www.openoffice.org/sc/compdocfileformat.pdf Microsoft Compound Document File Format], by OpenOffice.org
* [https://googledrive.com/host/0B3fBvzttpiiSS0hEb0pjU2h6a2c/OLE%20Compound%20File%20format.pdf OLE Compound File format specification], by the [[libolecf|libolecf project]]

== Tools ==

* [[libolecf]]
* [http://www.mitec.cz/ssv.html MiTec Structured Storage Viewer]

[[Category:File Formats]]


Mount shadow volumes on disk images

From Forensics Wiki

Latest revision as of 11:31, 31 January 2014

Windows Shadow Volumes are automatically mounted at the file system root by Windows when they are created. Unfortunately this mount is invisible to the user and cannot be accessed directly. Mklink, a command line utility that ships with Windows, can create a symbolic link that provides access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat: the Shadow Volume is mounted at the local file system's root rather than at the drive image's file system root.

This example shows how to mount a virtual disk image in the VHD format using Windows 7's built-in tools, and then details the steps for mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other editions.


Mounting the Disk Image

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

  • To mount the VHD, bring up the Start menu in Windows.
  • Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management".
  • Now double click on "Storage" in the center pane.
  • Next double click "Manage Storage" in the center pane.
  • Now click the "More Actions" menu in the rightmost pane and select "Attach VHD".
  • Browse to the location of the drive image that you would like to mount and hit "OK".


Now that the image is mounted we can begin to examine the Shadow Volumes on it.

Command Prompt Method

These steps can also be accomplished using an administrator-enabled Command Prompt. To perform them from the command prompt, the diskpart command must be used.

  • To start, type "diskpart" at the command prompt.

C:\> diskpart

When diskpart starts the prompt will change to say DISKPART>.

  • Next, select the drive image by typing "select vdisk file=<path to image>", where <path to image> is the path to the VHD file.

DISKPART> select vdisk file=C:\myimage.vhd

  • Last, type "attach vdisk" or, if you'd like to mount it read-only, "attach vdisk readonly".

DISKPART> attach vdisk readonly

Mounting the Shadow Volume

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions.

  • Start by opening an administrator-enabled command shell. This can be done by right clicking the Command Prompt application under Start > Accessories > Command Prompt and selecting "Run As Administrator".
  • Once the command prompt is open, you can view the available Shadow Volumes by typing "vssadmin list shadows".

C:\> vssadmin list shadows

  • At this point you may see a long list of Shadow Volumes, created both by the machine the disk image is from and by the local machine. To list just the Shadow Volumes associated with the drive image, add the optional /FOR=<DriveLetter:\> switch, where DriveLetter is the drive letter the drive image is mounted on.

C:\> vssadmin list shadows /for=E:\

  • Now that we have a list of the Shadow Volumes, we can mount them using the mklink tool. To do this, on the command line type:

mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\

Where <some directory> is the path at which you'd like to mount the Shadow Volume, and the # in HarddiskVolumeShadowCopy# is the number of the Shadow Volume to mount. Please note that the trailing backslash is absolutely necessary. Without it you will receive a permissions error when trying to access the directory.

mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

  • If all was successful you should receive a message that looks like this:

symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

You can now browse the files contained in the Shadow Volume just like any other files in your file system!

Also See

  • Windows Shadow Volumes