Difference between pages "Dd" and "Windows Shadow Volumes"

From ForensicsWiki

= Windows Shadow Volumes =
{{expand}}

==Volume Shadow Copy Service==
Windows has included the Volume Shadow Copy Service in its releases since Windows XP. The Shadow Copy Service periodically creates differential backups that serve as restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

In Windows 8 the shadow volumes seem to have been superseded by File History. For now it appears to use structures similar to those of its predecessors.

== Also see ==
* [[Windows]]
* [[Windows File History | File History]]
* How to: [[Mount shadow volumes on disk images]]

== External Links ==

=== How to analyze Shadow Volumes ===
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
* [http://windowsir.blogspot.ch/2011/01/more-vscs.html More VSCs], by [[Harlan Carvey]], January 2011
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
* [http://journeyintoir.blogspot.ch/2012/01/ripping-volume-shadow-copies.html Ripping Volume Shadow Copies – Introduction], by [[Corey Harrell]], January 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-method.html Ripping VSCs – Practitioner Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-examples.html Ripping VSCs – Practitioner Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-method.html Ripping VSCs – Developer Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-examples.html Ripping VSCs – Developer Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/examining-vscs-with-gui-tools.html Examining VSCs with GUI Tools], by [[Corey Harrell]], February 2012
* [http://dfstream.blogspot.ch/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html VSC Toolset: A GUI Tool for Shadow Copies], by [[Jason Hale]], March 2012
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”], by [[Jimmy Weg]], August 2012
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre "Examining shadow copies with Reconnoitre (and without vssadmin), it's as easy as 1, 2, 3"], by [[Paul Sanderson]], January 2013
* [http://computerforensicsblog.champlain.edu/2014/02/05/volume-shadow-copy-part-2/ Volume Shadow Copy Part 2], by Ryan Montelbano, Scott Barrett, Jacob Blend, February 5, 2014
* [http://computerforensicsblog.champlain.edu/2014/02/26/volume-shadow-copy-part-3/ Volume Shadow Copy Part 3], by Scott Barrett, February 26, 2014
* [http://computerforensicsblog.champlain.edu/2014/03/26/volume-shadow-copy-part-4/ Volume Shadow Copy Part 4], by Ryan Montelbano, March 26, 2014

=== Shadow Volumes in depth ===
* [http://www.qccis.com/docs/publications/WP-VSS.pdf Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7], by [[James Crabtree]] and [[Gary Evans]], 2010
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Volume%20Shadow%20Snapshot%20(VSS)%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
* [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Paper%20-%20Windowless%20Shadow%20Snapshots.pdf Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows] and [http://www.basistech.com/about-us/events/open-source-forensics-conference/ OSDFC 2012] [https://googledrive.com/host/0B3fBvzttpiiSZDZXRFVMdnZCeHc/Slides%20-%20Windowless%20Shadow%20Snapshots.pdf Slides], by [[Joachim Metz]], October 2012

=== Other ===
* [http://lanmaster53.com/talks/#hack3rcon2 Lurking in the Shadows – Hack3rcon II]
* [http://pauldotcom.com/2012/10/volume-shadow-copies---the-los.html Volume Shadow Copies - The Lost Post], [[Mark Baggett]], October 2012

== Tools ==
* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
* [[libvshadow]]
* [[ProDiscover]]
* [http://www.shadowexplorer.com/ ShadowExplorer]
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
* [[X-Ways AG|X-Ways Forensics]]
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Reconnoitre]

[[Category:Volume Systems]]

= Dd =
{{Infobox_Software |
  name = dd |
  maintainer = [[Paul Rubin]], [[David MacKenzie]], [[Stuart Kemp]] |
  os = {{Linux}}, {{Windows}}, {{Mac OS X}} |
  genre = {{Disk imaging}} |
  license = {{GPL}} |
  website = [ftp://ftp.gnu.org/gnu/coreutils/ ftp.gnu.org/gnu/coreutils/] |
}}

'''dd''', sometimes called '''GNU dd''', is the oldest [[Tools#Disk_Imaging_Tools|imaging tool]] still in use. Although it is functional and requires only minimal resources to run, it lacks some of the useful features found in more modern imagers, such as [[metadata]] gathering, error correction, piecewise hashing, and a user-friendly interface. dd is a command line program that uses several obscure command line arguments to control the imaging process. Because some of these flags are similar and, if confused, can destroy the source media the examiner is trying to duplicate, users should be careful when running this program. The program generates [[Raw image file|raw image files]], which can be read by many other programs.

dd is part of the [[GNU Coreutils]] package, which in turn has been ported to many [[Operating system|operating systems]].

There are a few forks of dd for forensic purposes, including [[dcfldd]], [[sdd]], [[dd_rescue]], [[ddrescue]], [[dccidd]], and a [[Windows|Microsoft Windows]] version that supports reading [[physical memory]].

== Example ==
Here are two common dd command lines:

'''UNIX/Linux'''
 dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync

'''Windows'''
 dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5

== Tips ==
With Linux, in addition to
 dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
you can wipe a drive with:
 dd if=/dev/zero of=/dev/hda bs=4K conv=noerror,sync

For imaging, a useful alternate invocation in Linux or UNIX is:

 dd if=/dev/hda bs=4K conv=sync,noerror | tee mybigfile.img | md5sum > mybigfile.md5

The above alternate imaging command uses dd to read the hard drive being imaged and outputs the data to tee. tee saves a copy of the data as your image file and also passes a copy of the data to md5sum. md5sum calculates the hash, which is saved in mybigfile.md5.

For all of the above:

; if : input file
; /dev/hda : the Linux name of a physical disk. Mac has its own names.
; /dev/zero : in Linux, this is an infinite source of nulls
; of : output file
; mybigfile.img : the name of the image file you are creating
; bs : [[blocksize]]
; 65536 : 64K (I normally use 4K in Linux. That is what the Linux kernel uses as a page size.)
; noerror : don't die if you have a read error from the source drive
; sync : if there is an error, null fill the rest of the block

In Linux, the blocksize value can have a multiplicative suffix:

 c  = 1
 w  = 2
 b  = 512
 kB = 1000,           K = 1024
 MB = 1000*1000,      M = 1024*1024
 GB = 1000*1000*1000, G = 1024*1024*1024

and so on for T, P, E, Z, Y.

Things to know:

Having a bigger blocksize is more efficient, but if you use a 1MB block as an example and have a read error in the first sector, then dd will null fill the entire MB. Thus you should use as small a blocksize as feasible.

But with Linux, if you go below a 4KB blocksize you can hit really bad performance issues. It can be as much as 10x slower to use the default 512 byte block than to use a 4KB block.

Without noerror and sync, you basically don't have a forensic image. For forensic images they are mandatory.

dd by itself does not hash; that is why the alternate command is provided.
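The following is an added example, not part of the wiki page: it runs the dd | tee | md5sum pipeline above against a constructed 10000-byte "drive" (the file name, temporary directory and function names are assumptions) and shows two things the prose only implies: the digest recorded by md5sum verifies the image file, and conv=sync pads the trailing short block with NULs, so the image is larger than the source and its hash does not match a hash of the raw source.

```shell
#!/bin/sh
# Added example (not from the wiki page): run the dd | tee | md5sum pipeline
# from the Tips section against a constructed "drive" and check what the
# recorded hash does and does not cover.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed source, 10000 bytes: deliberately not a multiple of the 4K block.
head -c 10000 /dev/urandom > "$WORK/source.bin"

# Image while hashing: tee writes the image file and forwards the same byte
# stream to md5sum, whose digest is recorded beside the image (bs=4096 is the
# page's 4K, spelled out for portability).
image_and_hash() {
    dd if="$WORK/source.bin" bs=4096 conv=sync,noerror 2>/dev/null \
        | tee "$WORK/image.img" | md5sum | cut -d' ' -f1 > "$WORK/image.md5"
}

md5_of() { md5sum < "$1" | cut -d' ' -f1; }

# The digest recorded during imaging must equal a fresh digest of the image
# file; this is the check to run before trusting the image.
stream_hash_matches_image() {
    [ "$(cat "$WORK/image.md5")" = "$(md5_of "$WORK/image.img")" ]
}

# conv=sync pads the final short read with NULs, so the image is rounded up to
# whole blocks: 10000 bytes in, 12288 bytes out.
image_size() { wc -c < "$WORK/image.img" | tr -d ' '; }

# Consequence: a hash of the padded image will not match a hash of the raw
# source, so verify the image against its recorded digest, not the source.
image_hash_matches_source() {
    [ "$(md5_of "$WORK/image.img")" = "$(md5_of "$WORK/source.bin")" ]
}

image_and_hash
echo "image: $(image_size) bytes, md5 $(cat "$WORK/image.md5")"
```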

== Cautions ==

=== Reversing args can cause evidence erasure ===
Use extreme care when typing the command line for this program. Reversing the <tt>if</tt> and <tt>of</tt> flags will cause the computer to erase your evidence!

=== Use extreme caution if reading from a tape drive ===
At least with Linux/UNIX, tape drives have functional differences from disks that make them more complex to "image". Specifically, they have EOF and EOT markings on the tape media that have no corresponding functionality on disks.

Most commercial backup software uses EOF separators to allow a single tape to hold multiple backup sessions:

 backup1 -- EOF -- backup2 -- EOF -- backup3 -- EOT

A simple <tt>dd if=/dev/st0 of=image.dd</tt> will only preserve the first backup session.

For testing, from Linux you can create a multi-session backup tape via:

 mt rewind -f /dev/st0
 tar -cf /dev/nst0 /home
 tar -cf /dev/nst0 /srv

The nst device driver considers the closing of /dev/nst0 to signal the end of a tape file, so it appends an EOF mark after each invocation of tar.

So the tape would have:

 home_tar_archive -- EOF -- srv_tar_archive -- EOF -- EOT

If you start reading from the start of the tape with either dd or tar, they will stop when the first EOF is hit and thus will only extract the home archive and miss the srv archive.
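One way to preserve every session rather than only the first, as an added example that is not from the wiki page: open the device once and let each dd run to the next filemark, so a zero-byte read ends one tape file and the next dd continues with the following one. The function name and output paths are assumptions; because no tape drive is attached here, the run below uses a constructed regular file, which has no filemarks and therefore yields exactly one tape file.

```shell
#!/bin/sh
# Added example (not from the wiki page): recover every tape file instead of
# stopping at the first EOF mark.
set -eu

# Read successive tape files from DEV into OUTDIR/file_<n>.dd until a read
# returns nothing (the second consecutive filemark, i.e. end of data) and
# print how many files were recovered.
read_tape_files() {
    dev=$1
    outdir=$2
    n=0
    mkdir -p "$outdir"
    # Open the device once and share the descriptor: on a tape, read() returns
    # 0 at a filemark and the next read() continues past it, so each dd below
    # ends at one EOF and the following dd picks up the next tape file.
    exec 3< "$dev"
    while :; do
        out="$outdir/file_$((n + 1)).dd"
        # No conv=sync here: on a variable-block tape each read returns one
        # record, and sync would pad every record, corrupting the archive.
        dd of="$out" bs=65536 <&3 2>/dev/null || true
        if [ ! -s "$out" ]; then
            rm -f "$out"   # empty read: nothing beyond the last filemark
            break
        fi
        n=$((n + 1))
    done
    exec 3<&-
    echo "$n"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Real use, after positioning the tape:  mt rewind -f /dev/st0
#   read_tape_files /dev/nst0 /cases/tape1
# Constructed stand-in for this run: an ordinary file has no filemarks, so the
# loop yields one "tape file" and then an empty read.
head -c 5000 /dev/urandom > "$WORK/fake_tape.bin"
COUNT=$(read_tape_files "$WORK/fake_tape.bin" "$WORK/out")
echo "recovered $COUNT tape file(s) into $WORK/out"
```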

== See also ==
* [[aimage]]
* [[Blackbag]]
* [[dc3dd]]
* [[dcfldd]]
* [[dd_rescue]]
* [[ddrescue]]
* [[sdd]]
* [[sg_dd]]
* [[mdd]]
* [[Raw Image Format]]

== External Links ==
* [http://www.linuxjournal.com/article/1320 LinuxJournal article about dd]
* [http://users.erols.com/gmgarner/forensics/ Windows Version of dd and other forensics tools]

Latest revision of the "Windows Shadow Volumes" page as of 11:36, 7 April 2014