Difference between pages "Mount shadow volumes on disk images" and "Windows 8"

From Forensics Wiki

The two pages compared in this view are reproduced below in full, the Windows 8 page first and the shadow volume how-to second.

Windows 8

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

== New Features ==

The following new features were introduced in Windows 8:

* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]

== File System ==

The file system used by Windows 8 is primarily [[NTFS]].

The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows Server 2012.

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

== [[Prefetch]] ==

The prefetch hash function is similar to [[Windows 2008]].

The [[Windows Prefetch File Format]] was changed on Windows 8.1 to version 26. (This may also apply to Windows 8, but that has not been confirmed.)

== Registry ==

The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.

== Application Experience and Compatibility ==

On Windows 8 Amcache.hve replaces RecentFileCache.bcf and uses the [[Windows NT Registry File (REGF)]] format. A common location for Amcache.hve is:

<pre>
C:\Windows\AppCompat\Programs\Amcache.hve
</pre>

== See Also ==

* [[Windows]]
* [[Windows Vista]]
* [[Windows 7]]

== External Links ==

* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html Windows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
* [http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html Amcache.hve in Windows 8 - Goldmine for malware hunters], by Yogesh Khatri, December 4, 2013
* [http://www.swiftforensics.com/2013/12/amcachehve-part-2.html Amcache.hve - Part 2], by Yogesh Khatri, December 16, 2013

[[Category:Operating systems]]

Mount shadow volumes on disk images

Windows Shadow Volumes, when created, are automatically mounted at the file system root by Windows. Unfortunately this mount is invisible to the user and cannot be accessed directly. Mklink, a command line utility that ships with Windows, is able to create a symbolic link that allows access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat here though: the Shadow Volume is mounted at the local file system's root rather than the drive image's file system root.

This example shows how to mount a virtual disk image in the VHD format using Windows 7's built in tools. It then details the steps for mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

To mount the VHD bring up the Start menu in Windows.

Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management".

Now double click on "Storage" in the center pane.

Next double click "Manage Storage" in the center pane.

Now click the "More Actions" menu in the right most pane and select "Attach VHD".

Browse to the location of the drive image that you would like to mount and hit "OK". The "Attach VHD" dialog also has a "Read-only" checkbox; tick it if the image must not be modified while it is attached.

Now that the image is mounted we can begin to examine the Shadow Volumes on it.

These steps can also be accomplished using an administrator enabled Command Prompt. To perform these steps from the command prompt the diskpart command must be used.

To start, type "diskpart" at the command prompt.

When diskpart starts the prompt will change to say DISKPART>. Next select the drive image by typing "select vdisk file=<path to image>", where <path to image> is the path to the vhd file.

Last, type "attach vdisk", or, if you'd like to mount it read only, "attach vdisk readonly".

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions. Start by opening an Administrator enabled command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator".

Once the command prompt is open you can view the available Shadow Volumes by typing: vssadmin list shadows.

At this point you may see a long list of Shadow Volumes that were created both by the machine the disk image is from as well as local shadow volumes. To list just the Shadow Volumes associated with the drive image you can add the optional /FOR=<DriveLetter:\> argument, where DriveLetter is the drive letter that the drive image is mounted on.

Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path that you'd like to mount the Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing slash is absolutely necessary. Without the slash you will receive a permissions error when trying to access the directory.

If all was successful you should receive a message that looks like this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system!

(The Windows 8 page shown in this comparison is its latest revision as of 14:13, 16 December 2013.)
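The diskpart, vssadmin and mklink steps of the shadow volume procedure above, automated as one PowerShell script. This is an added example, not code from the Forensics Wiki page; it assumes an elevated PowerShell on a Windows edition that ships those three tools, and the image path, the drive letter the attached image received (read it from Disk Management, as the page describes) and the link directory are placeholders.

```powershell
# Added example (not from the wiki page). Attach a VHD read-only with diskpart, list the
# shadow copies that belong to it with vssadmin, expose each through a directory symbolic
# link made by mklink, and remove those links later without touching the shadow copy data.
# Run from an elevated PowerShell. All paths and the drive letter below are placeholders.

function Mount-VhdReadOnly([string]$VhdPath) {
    # diskpart /s reads the same commands that are typed at the DISKPART> prompt.
    $scriptFile = Join-Path $env:TEMP 'attach-vdisk.txt'
    "select vdisk file=`"$VhdPath`"`r`nattach vdisk readonly" |
        Set-Content -Path $scriptFile -Encoding ASCII
    diskpart /s $scriptFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart could not attach $VhdPath" }
}

function Get-ShadowVolumes([string]$DriveLetter) {
    # /for= limits the listing to shadow copies of the attached image, not the host's own.
    $forArg = "/for=${DriveLetter}:\"
    vssadmin list shadows $forArg |
        Select-String -Pattern 'Shadow Copy Volume:\s*(\S*HarddiskVolumeShadowCopy\d+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function New-ShadowLinks([string[]]$Volumes, [string]$MountRoot) {
    New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null
    foreach ($vol in $Volumes) {
        $n    = $vol -replace '.*HarddiskVolumeShadowCopy', ''
        $link = Join-Path $MountRoot "HarddiskVolumeShadowCopy$n"
        # The trailing backslash on the target is required, as the page notes; without it
        # accessing the link fails with a permissions error.
        cmd /c mklink /D "$link" "$vol\" | Out-Null
        if ($LASTEXITCODE -eq 0) { $link }   # emit the links that were created
    }
}

function Remove-ShadowLinks([string]$MountRoot) {
    # rmdir on a directory symbolic link deletes only the link, never the shadow copy contents.
    Get-ChildItem -Path $MountRoot |
        Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object { cmd /c rmdir "$($_.FullName)" }
}

# Usage with placeholder values: the attached image received drive letter E:.
Mount-VhdReadOnly -VhdPath 'D:\evidence\image.vhd'
$links = New-ShadowLinks -Volumes (Get-ShadowVolumes -DriveLetter 'E') -MountRoot 'C:\shadows'
$links | ForEach-Object { Write-Output "Shadow copy exposed at $_" }
# When finished: Remove-ShadowLinks -MountRoot 'C:\shadows'
```

Because the links point at \\?\GLOBALROOT device paths, they stop resolving once the VHD is detached, so remove them before detaching to avoid dangling links in the link directory.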
