Difference between pages "Mount shadow volumes on disk images" and "Chrome Disk Cache Format"

From ForensicsWiki
= Mount shadow volumes on disk images =

Windows Shadow Volumes are automatically mounted at the file system root by Windows when they are created. Unfortunately this mount point is invisible to the user and cannot be accessed directly. Mklink, a command line utility that ships with Windows, is able to create a symbolic link that gives access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat here though: the Shadow Volume is mounted at the local file system's root rather than the drive image's file system root.

This example shows how to mount a virtual disk image in the VHD format using Windows 7's built-in tools. It then details the steps for mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

To mount the VHD bring up the Start menu in Windows.

Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management". [[File:manage.png|thumb|Open the Computer Management window.]]

Now double click on "Storage" in the center pane. [[File:storage.png|thumb|Click "Storage" in the center pane.]]

Next double click "Manage Storage" in the center pane. [[File:disk_management.png|thumb|Double click "Manage Storage" in the center pane.]]

Now click the "More Actions" menu in the rightmost pane and select "Attach VHD". [[File:attach_vhd.png|thumb]]

Browse to the location of the drive image that you would like to mount and hit "OK".

Now that the image is mounted we can begin to examine the Shadow Volumes on it.
 
These steps can also be accomplished using an administrator enabled Command Prompt. To perform these steps from the command prompt the diskpart command must be used.

To start, type "diskpart" at the command prompt.

When diskpart starts the prompt will change to DISKPART>. Next select the drive image by typing "select vdisk file=<path to image>" where <path to image> is the path to the vhd file.

Last, type "attach vdisk" or, if you'd like to mount it read only, "attach vdisk readonly".

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions. Start by opening an Administrator enabled command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator".

Once the command prompt is open you can view the available Shadow Volumes by typing: vssadmin list shadows.

At this point you may see a long list of Shadow Volumes that were created both by the machine the disk image is from and locally. To list just the Shadow Volumes associated with the drive image you can add an optional /FOR=<DriveLetter:\> where DriveLetter is the drive letter that the drive image is mounted on.

Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path that you'd like to mount the Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing slash is absolutely necessary. Without the slash you will receive a permissions error when trying to access the directory.

If all was successful you should receive a message that looks like this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system!

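The listing-and-linking steps above can be scripted. The following Python is an added example and not part of the ForensicsWiki article: it parses text in the shape of <code>vssadmin list shadows</code> output, keeps only the shadow copies whose Original Volume is the drive letter the image was attached as (the same filtering the <code>/FOR=</code> switch does), and emits one <code>mklink /D</code> command per copy, always with the trailing backslash the article says is mandatory. The sample output is constructed for this example, and the "Label: value" layout it relies on is assumed from vssadmin's usual output rather than taken from the article.

```python
"""Generate the mklink commands for the shadow copies of an attached image.

Added example, not part of the ForensicsWiki article. The sample below is
constructed in the shape of "vssadmin list shadows" output (the label/value
layout is assumed, not taken from the article).
"""
import re
from typing import Dict, List

# Constructed sample: two shadow copies of the attached image (E:) and one
# local shadow copy of C:, which the drive-letter filter must drop.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 1/15/2014 9:02:11 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (E:)\\?\Volume{eeeeeeee-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
         Originating Machine: IMAGED-PC

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 2/03/2014 6:40:57 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (E:)\\?\Volume{eeeeeeee-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9
         Originating Machine: IMAGED-PC

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 6/20/2014 8:15:30 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000003}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: ANALYST-WS
"""

# "Label: value" lines; labels containing digits (the "Contained 1 ..." line) do not match.
KEY_VALUE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
DRIVE_LETTER = re.compile(r"^\(([A-Za-z]):\)")
SHADOW_NUMBER = re.compile(r"HarddiskVolumeShadowCopy(\d+)$")


def parse_vssadmin_list_shadows(text: str) -> List[Dict[str, str]]:
    """Return one dict per shadow copy, keyed by the labels vssadmin prints."""
    copies: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # banner, blank lines, lines without a plain label
        key, value = m.groups()
        if key.startswith("Contents of shadow copy set ID"):
            current = {}  # new set: stop appending to the previous copy
        elif key == "Shadow Copy ID":
            current = {key: value}
            copies.append(current)
        elif current:
            current[key] = value
    return copies


def shadow_copies_for_drive(copies: List[Dict[str, str]], drive_letter: str) -> List[Dict[str, str]]:
    """Keep the copies whose Original Volume is drive_letter, as /FOR=<DriveLetter:\\> does."""
    wanted = drive_letter.strip("\\:").upper()
    selected = []
    for copy in copies:
        m = DRIVE_LETTER.match(copy.get("Original Volume", ""))
        if m and m.group(1).upper() == wanted:
            selected.append(copy)
    return selected


def mklink_command(copy: Dict[str, str], mount_dir: str) -> str:
    """mklink /D line for one copy. The device path must end in a backslash;
    without it the link is created but accessing it gives a permissions error."""
    device = copy["Shadow Copy Volume"]
    if not device.endswith("\\"):
        device += "\\"
    return "mklink /D %s %s" % (mount_dir, device)


def mount_plan(text: str, drive_letter: str, base_dir: str) -> List[str]:
    """All mklink commands for the copies of drive_letter, one directory per copy."""
    letter = drive_letter.strip("\\:").upper()
    commands = []
    for copy in shadow_copies_for_drive(parse_vssadmin_list_shadows(text), letter):
        number = SHADOW_NUMBER.search(copy["Shadow Copy Volume"]).group(1)
        mount_dir = "%s\\%s_ShadowCopy%s" % (base_dir.rstrip("\\"), letter, number)
        commands.append(mklink_command(copy, mount_dir))
    return commands


if __name__ == "__main__":
    for cmd in mount_plan(SAMPLE_VSSADMIN_OUTPUT, "E:\\", "C:\\mounts"):
        print(cmd)
```

The generated lines are meant to be reviewed and pasted into the administrator command prompt from the article; the mount directories themselves (here <code>C:\mounts\E_ShadowCopy7</code> and so on) must exist before mklink is run.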
= Chrome Disk Cache Format =

Revision as of 14:29, 21 June 2014

Please help to improve this article by expanding it. Further information might be found on the discussion page.

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of:

{| class="wikitable"
|-
! offset (byte.bit)
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X: 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, 1 block of size 256 bytes (file type 2)
|}
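The following Python decodes a cache address according to the field layout in the table above and reproduces the three rows of the Examples table. It is an added worked example, not code from the ForensicsWiki page or from Chromium. The byte order of the on-disk form (little-endian) is an assumption, since the page only gives the size of the field; the block sizes used to compute the addressed payload come from the File types table.

```python
"""Decode a Chromium disk-cache address into its fields.

Added example, not part of the ForensicsWiki page. Bit offsets follow the
table's byte.bit notation: 3.4 is byte 3, bit 4, i.e. bit 28 of the value.
"""
from dataclasses import dataclass
from typing import Optional

# Block size in bytes per file type, from the "File types" table.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass(frozen=True)
class CacheAddress:
    raw: int
    initialized: bool
    file_type: int
    # Set for file type 0 (separate file) only.
    stream_file_number: Optional[int] = None
    # Set for block data files (file type != 0) only.
    block_number: Optional[int] = None
    block_file_number: Optional[int] = None
    contiguous_blocks: Optional[int] = None
    reserved: Optional[int] = None

    def filename(self) -> Optional[str]:
        """Name of the cache file the address points into, or None if unset."""
        if not self.initialized:
            return None
        if self.file_type == 0:
            return "f_%06x" % self.stream_file_number  # the # in f_######
        return "data_%d" % self.block_file_number  # the # in data_#

    def describe(self) -> str:
        """One-line description in the style of the page's Examples table."""
        if not self.initialized:
            return "Not initialized"
        if self.file_type == 0:
            return "Data stream file: %s" % self.filename()
        n = self.contiguous_blocks
        return "Block data file: %s, block number %d, %d block%s" % (
            self.filename(), self.block_number, n, "" if n == 1 else "s")


def parse_cache_address(value: int) -> CacheAddress:
    """Split a 32-bit cache address into the fields of the Cache address table."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must be an unsigned 32-bit value")
    # Common part: 3.4 (3 bits) file type, 3.7 (1 bit) initialized flag.
    file_type = (value >> 28) & 0x7
    initialized = bool(value >> 31)
    if file_type == 0:
        # Separate file: 0.0 (28 bits) file number.
        return CacheAddress(raw=value, initialized=initialized, file_type=0,
                            stream_file_number=value & 0x0FFFFFFF)
    # Block data file: 0.0 (16 bits) block number, 2.0 (8 bits) file selector,
    # 3.0 (2 bits) block size where 0 means 1 block and 3 means 4 blocks,
    # 3.2 (2 bits) reserved.
    return CacheAddress(
        raw=value,
        initialized=initialized,
        file_type=file_type,
        block_number=value & 0xFFFF,
        block_file_number=(value >> 16) & 0xFF,
        contiguous_blocks=((value >> 24) & 0x3) + 1,
        reserved=(value >> 26) & 0x3,
    )


def parse_cache_address_bytes(data: bytes) -> CacheAddress:
    """Same, from the 4 on-disk bytes. Little-endian order is assumed here;
    the page states only the field's size."""
    if len(data) != 4:
        raise ValueError("cache address is exactly 4 bytes")
    return parse_cache_address(int.from_bytes(data, "little"))


def payload_size(addr: CacheAddress) -> Optional[int]:
    """Bytes covered by a block-file address (block size times contiguous blocks).
    None for separate files, uninitialized addresses and unknown file types."""
    if not addr.initialized or addr.file_type not in BLOCK_SIZES:
        return None
    return BLOCK_SIZES[addr.file_type] * addr.contiguous_blocks


if __name__ == "__main__":
    # The three rows of the page's Examples table.
    for raw in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x  %s" % (raw, parse_cache_address(raw).describe()))
```

The Examples row 0xa0010003 decodes to file type 2, so the block it addresses is 256 bytes long; the decoder also handles the 4-block case (block size field 3) that the table describes but the Examples do not show.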

== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

''TODO''

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

''TODO''

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==