Difference between pages "Mount shadow volumes on disk images" and "Chrome Disk Cache Format"

From ForensicsWiki
Windows Shadow Volumes, when created, are automatically mounted at the
file system root by Windows.  Unfortunately this is invisible to the
user and cannot be directly accessed.  Mklink, a command line utility
that ships with Windows, is able to create a symbolic link that allows
access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different.  They too
can be accessed by creating a symbolic link to the location of the
volume.  There is a caveat here though: the Shadow Volume is mounted
at the local file system's root rather than the drive image's file
system root.

This example shows how to mount a virtual disk image in the VHD format
using Windows 7's built-in tools. It then details the steps of mounting
a Shadow Volume that exists on the disk image. Note: Windows 7
Professional or Ultimate edition is required, as the necessary tools
are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD.  If you have a RAW image or
another similar format, it can be converted to VHD using a tool such
as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd
utility (http://vmtoolkit.com/).

* To mount the VHD bring up the Start menu in Windows.
* Right click on "Computer" and click "Manage".  This will bring up a window titled "Computer Management". [[File:manage.png|thumb|Open the Computer Management window.]]
* Now double click on "Storage" in the center pane. [[File:storage.png|thumb|Click "storage" in the center pane.]]
* Next double click "Manage Storage" in the center pane. [[File:disk_management.png|thumb|Double click "manage storage" in the center pane.]]
* Now click the "More Actions" menu in the right most pane and select "Attach VHD". [[File:attach_vhd.png|thumb|Select Attach VHD in the right pane.]]
* Browse to the location of the drive image that you would like to mount and hit "OK".

Now that the image is mounted we can begin to examine the Shadow Volumes on it.

===Command Prompt Method===

These steps can also be accomplished using an administrator enabled Command Prompt.
To perform these steps using the command prompt the diskpart command must be used.

* To start, type "diskpart" at the command prompt.

<code>C:\> diskpart</code>

When diskpart starts the prompt will change to say DISKPART>.

* Next select the drive image by typing "select vdisk file=<path to image>", where <path to image> is the path to the VHD file.

<code>DISKPART> select vdisk file=C:\myimage.vhd</code>

* Last, type "attach vdisk" or, if you'd like to mount it read only, "attach vdisk readonly".

<code>DISKPART> attach vdisk readonly</code>

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled
with Windows 7 Ultimate and Professional editions. Start by opening an
Administrator enabled command shell.  This can be done by right
clicking on the Command Prompt application in Start > Accessories >
Command Prompt and selecting "Run As Administrator".

Once the command prompt is open you can view the available Shadow
Volumes by typing: vssadmin list shadows.

At this point you may see a long list of Shadow Volumes that were
created both by the machine the disk image is from as well as local
shadow volumes.  To list just the Shadow Volumes associated with the
drive image you can add an optional /FOR=<DriveLetter:\>, where
DriveLetter is the drive letter that the drive image is mounted on.

Now that we have a list of the Shadow Volumes we can mount them using
the mklink tool. To do this, on the command line type:

<code>mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path that you'd like to mount the
Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number
of the Shadow Volume to mount.  Please note that the trailing slash is
absolutely necessary. Without the slash you will receive a permissions
error when trying to access the directory.

If all was successful you should receive a message that looks like
this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

You can now browse the files contained in the Shadow Volume just like
any other files in your file system!
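The diskpart / vssadmin / mklink procedure above, scripted in Python as an added example that is not part of the original article: it builds the diskpart script that attaches the VHD read-only, issues `vssadmin list shadows /for=<DriveLetter:\>`, pulls the HarddiskVolumeShadowCopy numbers out of the listing, and builds each mklink invocation with the trailing backslash the article warns about. The function names are my own, the sample vssadmin listing is constructed to resemble the real tool's layout (IDs are placeholders), and the part that actually runs the tools needs Windows and an elevated prompt, so it only runs under `__main__`.

```python
import re
import subprocess
import sys
from typing import List

# Device path that vssadmin prints and that mklink needs; only the number varies.
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)")

# Constructed sample of 'vssadmin list shadows /for=E:\' output (layout only
# approximates the real tool; the GUIDs and dates are placeholders).
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 6/21/2014 10:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000aa}
         Original Volume: (E:)\\?\Volume{00000000-0000-0000-0000-0000000000ee}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
         Attributes: Persistent, Client-accessible, No auto release

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 6/22/2014 10:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000bb}
         Original Volume: (E:)\\?\Volume{00000000-0000-0000-0000-0000000000ee}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15
         Attributes: Persistent, Client-accessible, No auto release
"""


def diskpart_script(vhd_path: str, readonly: bool = True) -> str:
    """The two diskpart commands from the Command Prompt Method, for 'diskpart /s <file>'.
    Read-only is the default so the evidence image is not modified by the attach."""
    attach = "attach vdisk readonly" if readonly else "attach vdisk"
    return "select vdisk file=%s\n%s\n" % (vhd_path, attach)


def vssadmin_command(drive_letter: str) -> List[str]:
    """'vssadmin list shadows /for=X:\\' restricted to the drive the image is mounted on."""
    letter = drive_letter.rstrip(":\\")
    return ["vssadmin", "list", "shadows", "/for=%s:\\" % letter]


def shadow_copy_numbers(vssadmin_output: str) -> List[int]:
    """The # of every HarddiskVolumeShadowCopy# device listed in the vssadmin output."""
    return sorted({int(n) for n in SHADOW_RE.findall(vssadmin_output)})


def shadow_copy_target(number: int) -> str:
    """mklink target for shadow copy <number>; the trailing backslash is mandatory."""
    return "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%d\\" % number


def mklink_command(mount_dir: str, number: int) -> List[str]:
    """'mklink /D <dir> <target>' run through cmd.exe, since mklink is a cmd builtin."""
    return ["cmd", "/c", "mklink", "/D", mount_dir, shadow_copy_target(number)]


def mount_all_shadow_copies(vhd_path: str, drive_letter: str, mount_root: str) -> List[str]:
    """Attach the VHD, list its shadow copies and link each one under mount_root.
    Requires Windows and an elevated prompt; returns the link directories created."""
    import os
    import tempfile
    script = os.path.join(tempfile.gettempdir(), "attach_vhd.txt")
    with open(script, "w") as f:
        f.write(diskpart_script(vhd_path))
    subprocess.run(["diskpart", "/s", script], check=True)
    listing = subprocess.run(vssadmin_command(drive_letter), capture_output=True,
                             text=True, check=True).stdout
    links = []
    for n in shadow_copy_numbers(listing):
        link = os.path.join(mount_root, "ShadowCopy%d" % n)
        subprocess.run(mklink_command(link, n), check=True)
        links.append(link)
    return links


if __name__ == "__main__" and sys.platform == "win32" and len(sys.argv) == 4:
    # usage: python mount_shadows.py C:\myimage.vhd E C:\mounts
    for link in mount_all_shadow_copies(sys.argv[1], sys.argv[2], sys.argv[3]):
        print("linked", link)
```

Running the parser over the constructed listing yields the numbers 12 and 15, and `mklink_command(r"C:\mounts\ShadowCopy12", 12)` reproduces the article's mklink line with `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\` as the target, backslash included.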
Chrome Disk Cache Format

Revision as of 18:29, 21 June 2014
{{expand}}

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of (offsets are given as byte.bit):

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size 0 (1 block)
|}
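A decoder for the cache address, as an added example in Python that is not code from the Chrome project or from the original article: it applies the bit layout of the Cache address table and the block sizes of the File types table, and reproduces the three values in the Examples table. The dataclass and function names are my own. Two assumptions are made that the tables do not state outright: the address is read as a little-endian 32-bit integer (consistent with the byte.bit offsets), and the file number of a separate stream file is written in hex (0x2a becomes f_00002a, as in the example) while the data_# selector is written in decimal.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Block size per file type, from the File types table. Type 0 is a separate
# f_###### stream file with no fixed block size; 5 is absent and 6 is unknown.
FILE_TYPE_BLOCK_SIZE = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass
class CacheAddress:
    raw: int
    file_type: int
    file_number: int              # the # in f_###### or data_#
    block_number: Optional[int]   # None for a separate stream file
    block_count: Optional[int]    # 1..4 contiguous blocks; None for a stream file
    reserved: int = 0

    @property
    def filename(self) -> str:
        # Assumed: hex for f_ files (0x2a -> f_00002a, as in the Examples table),
        # decimal for data_ files.
        if self.file_type == 0:
            return "f_%06x" % self.file_number
        return "data_%d" % self.file_number

    @property
    def byte_length(self) -> Optional[int]:
        """Bytes the entry occupies inside its data_# file, when the block size is known."""
        size = FILE_TYPE_BLOCK_SIZE.get(self.file_type)
        if size is None or self.block_count is None:
            return None
        return self.block_count * size


def parse_cache_address(value: int) -> Optional[CacheAddress]:
    """Decode one 4-byte cache address; None when the initialized flag (bit 31) is clear."""
    value &= 0xFFFFFFFF
    if not (value >> 31) & 1:                # offset 3.7: initialized flag
        return None
    file_type = (value >> 28) & 0x7          # offset 3.4: 3 bits
    if file_type == 0:                       # separate file: 28-bit file number
        return CacheAddress(value, 0, value & 0x0FFFFFFF, None, None)
    block_number = value & 0xFFFF            # offset 0.0: 16 bits
    file_number = (value >> 16) & 0xFF       # offset 2.0: 8 bits
    block_count = ((value >> 24) & 0x3) + 1  # offset 3.0: 2 bits, 0 means 1 block
    reserved = (value >> 26) & 0x3           # offset 3.2: 2 bits
    return CacheAddress(value, file_type, file_number, block_number, block_count, reserved)


def parse_cache_address_at(buf: bytes, offset: int = 0) -> Optional[CacheAddress]:
    """Read the address as a little-endian uint32 out of a file buffer (assumed byte order)."""
    (value,) = struct.unpack_from("<I", buf, offset)
    return parse_cache_address(value)


def describe(value: int) -> str:
    """One-line description in the style of the Examples table."""
    addr = parse_cache_address(value)
    if addr is None:
        return "Not initialized"
    if addr.file_type == 0:
        return "Data stream file: %s" % addr.filename
    size = FILE_TYPE_BLOCK_SIZE.get(addr.file_type)
    size_text = "%d byte blocks" % size if size else "unknown file type %d" % addr.file_type
    return "Block data file: %s, block number %d, %d block(s), %s" % (
        addr.filename, addr.block_number, addr.block_count, size_text)


if __name__ == "__main__":
    for v in (0x00000000, 0x8000002a, 0xa0010003):
        print("0x%08x  %s" % (v, describe(v)))
```

For 0xa0010003 the decoder also recovers what the Examples table leaves implicit: the file type field is 2, so data_1 is a 256 byte block file and the entry spans one 256 byte block. An address whose file type is 6 decodes structurally but gets no byte length, since the page records that type as unknown.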

== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

''TODO''

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

''TODO''

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==

[[Category:File Formats]]