Difference between pages "Mount shadow volumes on disk images" and "Windows Shadow Volumes"

From ForensicsWiki
= Windows Shadow Volumes =

{{expand}}

==Volume Shadow Copy Service==

Windows has included the Volume Shadow Copy Service in its releases since Windows XP. The Shadow Copy Service periodically creates differential backups that serve as restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

In Windows 8 the shadow volumes seem to have been superseded by File History. For now it looks like it uses similar structures as its predecessors.

== Also see ==
* [[Windows]]
* [[Windows File History | File History]]
* How to: [[Mount shadow volumes on disk images]]

== External Links ==

=== How to analyze Shadow Volumes ===
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
* [http://windowsir.blogspot.ch/2011/01/more-vscs.html More VSCs], by [[Harlan Carvey]], January 2011
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
* [http://journeyintoir.blogspot.ch/2012/01/ripping-volume-shadow-copies.html Ripping Volume Shadow Copies – Introduction], by [[Corey Harrell]], January 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-method.html Ripping VSCs – Practitioner Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-examples.html Ripping VSCs – Practitioner Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-method.html Ripping VSCs – Developer Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-examples.html Ripping VSCs – Developer Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/examining-vscs-with-gui-tools.html Examining VSCs with GUI Tools], by [[Corey Harrell]], February 2012
* [http://dfstream.blogspot.ch/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html VSC Toolset: A GUI Tool for Shadow Copies], by [[Jason Hale]], March 2012
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”], by [[Jimmy Weg]], August 2012
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre "Examining shadow copies with Reconnoitre (and without vssadmin), it's as easy as 1, 2, 3"], by [[Paul Sanderson]], January 2013

=== Shadow Volumes in depth ===
* [http://www.qccis.com/docs/publications/WP-VSS.pdf Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7], by [[James Crabtree]] and [[Gary Evans]], 2010
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Volume%20Shadow%20Snapshot%20(VSS)%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Paper%20-%20Windowless%20Shadow%20Snapshots.pdf Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows] and [http://www.basistech.com/about-us/events/open-source-forensics-conference/ OSDFC 2012] [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Slides%20-%20Windowless%20Shadow%20Snapshots.pdf Slides], by [[Joachim Metz]], October 2012

=== Other ===
* [http://lanmaster53.com/talks/#hack3rcon2 Lurking in the Shadows – Hack3rcon II]
* [http://pauldotcom.com/2012/10/volume-shadow-copies---the-los.html Volume Shadow Copies - The Lost Post], [[Mark Baggett]], October 2012

== Tools ==
* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
* [[libvshadow]]
* [[ProDiscover]]
* [http://www.shadowexplorer.com/ ShadowExplorer]
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
* [[X-Ways AG|X-Ways Forensics]]
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Reconnoitre]

[[Category:Volume Systems]]

= Mount shadow volumes on disk images =

Windows Shadow Volumes, when created, are automatically mounted at the file system root by Windows. Unfortunately this mount is invisible to the user and cannot be accessed directly. Mklink, a command line utility that ships with Windows, is able to create a symbolic link that allows access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat here though -- the Shadow Volume is mounted at the local file system's root rather than the drive image's file system root.

This example shows how to mount a virtual disk image in the VHD format using Windows 7's built-in tools. It then details the steps for mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

* To mount the VHD, bring up the Start menu in Windows.

* Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management". [[File:manage.png|thumb|Open the Computer Management window.]]

* Now double click on "Storage" in the center pane. [[File:storage.png|thumb|Click "storage" in the center pane.]]

* Next double click "Manage Storage" in the center pane. [[File:disk_management.png|thumb|Double click "manage storage" in the center pane.]]

* Now click the "More Actions" menu in the rightmost pane and select "Attach VHD". [[File:attach_vhd.png|thumb|Select Attach VHD in the right pane.]]

* Browse to the location of the drive image that you would like to mount and hit "OK".

Now that the image is mounted we can begin to examine the Shadow Volumes on it.

===Command Prompt Method===

These steps can also be accomplished from an administrator-enabled Command Prompt, using the diskpart command.

* To start, type "diskpart" at the command prompt.

<code>C:\> diskpart </code>

When diskpart starts the prompt will change to DISKPART>.

* Next select the drive image by typing "select vdisk file=<path to image>", where <path to image> is the path to the vhd file.

<code>DISKPART> select vdisk file=C:\myimage.vhd</code>

* Last, type "attach vdisk", or "attach vdisk readonly" if you'd like to mount it read-only.

<code>DISKPART> attach vdisk readonly </code>

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions.

* Start by opening an Administrator-enabled command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator".

* Once the command prompt is open you can view the available Shadow Volumes by typing "vssadmin list shadows".

<code>C:\> vssadmin list shadows </code>

* At this point you may see a long list of Shadow Volumes, created both by the machine the disk image is from and by the local machine. To list just the Shadow Volumes associated with the drive image you can add an optional /FOR=<DriveLetter:\>, where DriveLetter is the drive letter that the drive image is mounted on.

<code>C:\> vssadmin list shadows /for=E:\ </code> [[File:vssadmin_list.png|thumb|vssadmin list]]

* Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\</code><some directory><code> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path that you'd like to mount the Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing backslash is absolutely necessary. Without it you will receive a permissions error when trying to access the directory.

<code>mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

* If all was successful you should receive a message that looks like this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system! [[File:success.png|thumb|Success!]]

== Also See ==
* [[Windows Shadow Volumes]]

[[Category:Howtos]]
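The whole procedure above (attach the VHD read-only, list only the image's shadow copies, create one directory symlink per copy with the trailing backslash, and check each link is browsable) can be driven from a single elevated PowerShell prompt on Windows 7. The script below is an added example, not code from the ForensicsWiki page; the image path and the mount directory are assumed placeholders, and the volume matching uses the WMI classes Win32_Volume and Win32_ShadowCopy in place of reading the vssadmin output by eye.

```powershell
# Added example (not from the ForensicsWiki page): the attach -> list -> mklink
# procedure run from an elevated PowerShell prompt on Windows 7, so that the
# session is repeatable and logged. $ImagePath and $MountRoot are assumed values.
param(
    [string]$ImagePath = 'C:\images\evidence.vhd',  # assumed location of the VHD
    [string]$MountRoot = 'C:\shadow_mounts'         # assumed directory for the links
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Record the volumes present before the attach, so the image's volumes can be
# recognised afterwards instead of guessing a drive letter.
$before = @(Get-WmiObject Win32_Volume | ForEach-Object { $_.DeviceID })

# 1. Attach the VHD read-only: the page's two diskpart commands, fed through /s.
$dpScript = Join-Path $env:TEMP 'attach_vhd.txt'
@("select vdisk file=`"$ImagePath`"", 'attach vdisk readonly') |
    Set-Content -Path $dpScript -Encoding ASCII
$dpOut = & diskpart.exe /s $dpScript
if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($dpOut -join "`n")" }
Start-Sleep -Seconds 3   # give the mount manager time to assign drive letters

# 2. Volumes that appeared belong to the image. Win32_Volume.DeviceID and
#    Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form, so the two
#    classes can be joined on it; this replaces the manual "/for=E:\" filter.
$imageVolumes = @(Get-WmiObject Win32_Volume |
    Where-Object { ($before -notcontains $_.DeviceID) -and $_.DriveLetter })
if ($imageVolumes.Count -eq 0) { throw 'No new volume with a drive letter appeared.' }
$imageVolumeIds = @($imageVolumes | ForEach-Object { $_.DeviceID })

# Keep the page's vssadmin listing for the case notes as well.
foreach ($v in $imageVolumes) {
    & vssadmin.exe list shadows /for="$($v.DriveLetter)\" |
        Out-File -FilePath (Join-Path $MountRoot 'vssadmin_list.txt') -Append
}

# 3. Shadow copies of the image's volumes only (the examiner's own are skipped).
$shadows = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $imageVolumeIds -contains $_.VolumeName })

# 4. One directory symlink per shadow copy. The trailing backslash on the target
#    is required; without it access to the link fails with a permissions error.
$mounted = foreach ($s in $shadows) {
    $n      = ($s.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link   = Join-Path $MountRoot "shadow_volume_$n"
    $target = $s.DeviceObject + '\'
    $null   = & cmd.exe /c mklink /D "$link" "$target"
    if ($LASTEXITCODE -ne 0) { Write-Warning "mklink failed for $target"; continue }
    try   { $null = Get-ChildItem -LiteralPath $link -Force }   # link must be browsable
    catch { Write-Warning "link $link is not browsable: $_"; continue }
    $vol = @($imageVolumes | Where-Object { $_.DeviceID -eq $s.VolumeName })[0]
    New-Object PSObject -Property @{
        Link        = $link
        Volume      = $vol.DriveLetter
        Created     = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
        Originating = $s.OriginatingMachine
        ShadowId    = $s.ID
    }
}
$mounted | Format-Table Link, Volume, Created, Originating, ShadowId -AutoSize
```

The final table (link path, source drive letter, creation time, originating machine and shadow copy ID) is what belongs in the examination notes, since the shadow copy numbers in HarddiskVolumeShadowCopy# are assigned by the examiner's machine and change between sessions. When finished, remove each link with <code>rmdir</code> from a command prompt (without /S, so only the link is deleted and not the snapshot's contents) and detach the image in diskpart with <code>select vdisk file=...</code> followed by <code>detach vdisk</code>.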

Revision as of 08:47, 2 February 2014
