Difference between pages "Mount shadow volumes on disk images" and "User:Dykstra"

From Forensics Wiki
When Windows creates a Volume Shadow Copy it does not give it a drive letter or a mount point; the shadow copy exists only as a device object (\Device\HarddiskVolumeShadowCopyN). It is therefore invisible in Explorer and cannot be opened by path directly. Mklink, a command line utility that ships with Windows, can create a directory symbolic link that points at that device and makes the shadow copy browsable like any other directory.
 
Shadow Volumes that exist on a drive image are no different. Once the image is attached, they too can be accessed by creating a symbolic link to the shadow copy device. There is a caveat here though: the shadow copies on the attached image appear in the examining machine's own device namespace, numbered alongside the host's local shadow copies, rather than under the drive image's file system root. The number to link to must therefore be taken from vssadmin on the examining machine, never assumed from the original system.
 
 
This example shows how to mount a virtual disk image in the VHD format using Windows 7's built in tools, then details the steps for mounting a Shadow Volume that exists on the disk image. Note: the steps were written against Windows 7 Professional and Ultimate editions; the tools used (Disk Management's Attach VHD, diskpart, vssadmin and mklink) are also present in later versions of Windows.
 
 
 
==Mounting the Disk Image== 
 
 
The first step is to mount the VHD. If you have a RAW image or another similar format it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).
 
 
To mount the VHD bring up the Start menu in Windows.

Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management".

Now double click on "Storage" in the center pane, then double click "Disk Management".

Click the "More Actions" menu in the right most (Actions) pane and select "Attach VHD".

Browse to the location of the drive image that you would like to mount. When the image is evidence, tick the "Read-only" checkbox in the dialog so that nothing is written to it, then hit "OK".

Now that the image is attached (it receives a drive letter like any other disk) we can begin to examine the Shadow Volumes on it.
 
 
 
These steps can also be accomplished from an elevated (Run as administrator) Command Prompt using the diskpart command.

To start, type "diskpart" at the command prompt. When diskpart starts the prompt will change to DISKPART>. Next select the drive image by typing "select vdisk file=<path to image>", where <path to image> is the path to the vhd file.

Last, type "attach vdisk", or "attach vdisk readonly" to mount it read only, which is what you want whenever the image is evidence.
 
 
==Mounting the Shadow Volume==
 
 
To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows. Start by opening an elevated command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator". Both vssadmin and mklink /D fail from a non-elevated prompt.
 
 
Once the command prompt is open you can view the available Shadow Volumes by typing: vssadmin list shadows.

At this point you may see a long list of Shadow Volumes, both those created by the machine the disk image is from and local shadow volumes. To list just the Shadow Volumes associated with the drive image, add the optional /for=<DriveLetter:> switch, for example vssadmin list shadows /for=E: where E: is the drive letter the drive image is mounted on. Each entry's "Shadow Copy Volume:" line gives the device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#) needed in the next step, and its "Originating Machine:" line confirms which system the copy came from.
 
 
Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path at which you'd like to mount the Shadow Volume (it must not already exist; mklink creates it), and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing backslash is absolutely necessary. Without the backslash you will receive a permissions error (access denied) when trying to access the directory.
 
 
If all was successful you should receive a message that looks like this:

<code>symbolic link created for C:\<some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system. When finished, remove the link with rmdir, which deletes only the link and leaves the shadow copy untouched, and detach the image in diskpart with "detach vdisk".
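The whole procedure above, scripted, as an added example that is not part of the original wiki page: it attaches the VHD read-only with a diskpart script, uses vssadmin list shadows /for= to list only the shadow copies that belong to the image's volume, and creates one mklink /D link per shadow copy with the required trailing backslash. It must be run from an elevated Windows PowerShell prompt (Get-WmiObject is used so that it also works on Windows 7's PowerShell 2.0). The image path and mount directory are assumptions for illustration.

```powershell
# Added example, not part of the original Forensics Wiki page.
# Attach a VHD read-only, enumerate its shadow copies, link each one.
# Run from an elevated PowerShell prompt. Both paths are assumptions.
#
# If the evidence is a raw image, convert it first (qemu-img calls the VHD format "vpc"):
#   qemu-img convert -O vpc case42.dd case42.vhd

$ImagePath = 'D:\evidence\case42.vhd'   # assumed location of the VHD
$MountRoot = 'C:\mnt\case42'            # assumed directory that will hold the links

# --- 1. Attach the image read-only (same commands as the interactive diskpart steps) ---
# Read-only is not optional for evidence: a read/write attach lets Windows write to the image.
$before = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }

$script = Join-Path $env:TEMP 'attach-vdisk.txt'
$commands = @"
select vdisk file="$ImagePath"
attach vdisk readonly
"@
$commands | Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null
Remove-Item $script
Start-Sleep -Seconds 3   # give the mount manager a moment to assign drive letters

# --- 2. Work out which drive letter(s) the image received ---
$after     = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
$newDrives = $after | Where-Object { $before -notcontains $_ }
if (-not $newDrives) { throw "No new volume appeared after attaching $ImagePath" }

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

foreach ($drive in $newDrives) {
    # --- 3. List only the shadow copies of this volume (/for=), not the host's own ---
    $listing = vssadmin list shadows /for=$drive
    $devices = $listing |
        Select-String -Pattern 'Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }

    if (-not $devices) { Write-Output "$drive has no shadow copies"; continue }

    # --- 4. Link each shadow copy. The number belongs to the host's numbering and can
    #        change between sessions, so it is always taken from the vssadmin output. ---
    foreach ($dev in $devices) {
        $num  = $dev -replace '.*HarddiskVolumeShadowCopy', ''
        $link = Join-Path $MountRoot ($drive.TrimEnd(':') + '_vss' + $num)
        # Trailing backslash on the target is required; without it access is denied.
        cmd /c mklink /D "$link" "$dev\" | Out-Null
        Write-Output "$link -> $dev\"
    }
}

# Cleanup when done (removes the links only; the shadow copies are untouched):
#   Get-ChildItem $MountRoot | ForEach-Object { cmd /c rmdir "$($_.FullName)" }
#   then in diskpart: select vdisk file="D:\evidence\case42.vhd"  and  detach vdisk
```

The before/after comparison of Win32_LogicalDisk is how the script learns which drive letter the image received, so it assumes the image's volumes are the only ones that appear during the attach. Because the /for= switch is applied per drive letter, the host's own shadow copies are never linked, and because each device number is read back from vssadmin at link time, the links stay correct even when the host has created or deleted shadow copies of its own since the last session.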
 

Latest revision as of 11:24, 11 September 2010