Ripping Volume Shadow Copies Sneak Peek

Monday, December 19, 2011 Posted by Corey Harrell
I was hesitant to do a sneak peek about a different approach to examine Volume Shadow Copies (VSCs). I personally don’t like sneak peeks and would rather wait to see the finished product. I think it’s along the lines of starting a movie then stopping it after 15 minutes and being forced to finish watching months later. If I don’t like sneak peeks then why am I putting others through it? I previously mentioned how I wanted to spend my furlough days by putting together some posts about another approach to examining VSCs. Well, last week was my furlough week and my family wrote a new version of the carol The Twelve Days of Christmas. Four out of town trips, three sick kids, two family emergencies, and one blogger quarantined to his room. Needless to say I had to spend my time focused on my family. I won’t have time to write the VSCs blog posts until next month so I at least wanted to show one example of how I use this method.

There are times when I get a system that has been altered and one change is removing financial software from the system. This is pretty important because if I’m trying to locate financial data then I need to know what software is on the system so I know what kind of files to look for. There is a chance some file types might initially be missed if I’m not aware a certain program was installed at some point in the past. Different registry keys can help determine what programs were installed or executed but you can get a more complete picture about a system by looking at those same registry keys at different points in time. Performing registry analysis in this manner has allowed me to quickly identify uninstalled financial applications which reduced the time needed to find the data. Anyone who has used Harlan’s RipXP understands the value in seeing registry keys at different points in time. I used the same concept with one exception: numerous registry keys can be queried at the same time when dealing with VSCs.

The system I used for this demonstration was a live Windows 7 Ultimate 32-bit system. In the past I also used it against Windows 7 and Vista forensic images.

Obtaining General Operating System Information

I previously discussed that one initial examination step is to get a better understanding of the system I’m facing. I use a batch script with Regripper to obtain a wealth of information about how the system was configured when it was last powered on. The configuration information is from only one point in time but if the system has VSCs then that means the same information can be obtained from different points in time. Seeing the same configuration information enables you to see how the system changed slightly over time, including what software was installed or uninstalled. To do this I made some modifications to the general operating system batch script which let me run it against VSCs I have access to.

I’m not going to discuss accessing VSCs in this post. For information on how to access VSCs I’d check out Harlan’s Even More Stuff post since he provides a link to his slide deck he gave to the online DFIR meet-up on the topic. My Windows 7 system had 19 VSCs and for the demonstration I only used the following:

- ShadowCopy19 12/13/2011 6:13:35 PM
- ShadowCopy16 12/01/2011 8:08:50 AM
- ShadowCopy3 11/28/2011 11:19:40 AM
- ShadowCopy1 8/26/2011 12:15:34 PM

The screen shot below shows the main menu to the vsc-parser (most selections have sub menus). To review the system to identify software of interest I’m interested in selection 2: “Obtain General Operating System Information from Volume Shadow Copies”.

The selection will immediately execute my Regripper batch file against every VSC I have access to. The picture below shows the script running against my four VSCs. I highlighted the samparse and uninstall plug-ins that executed.

The output from the script is nicely organized into different folders based on what the information is.

I’m interested in the software on the system which means I need the reports in the software-information folder. A report was created for each VSC I had access to (notice how the file name contains the VSC number it came from).

Now at this point I can review the reports and notice the slight differences between each VSC. I tend to look at the most recent VSC then work my way to the oldest VSC. It makes it easier to see how the system slightly changed over time from the forensic image I examined first.

On a case I used this technique and it helped me to identify a financial application that was removed from the system. In the end it saved a lot of time because this was one of my initial steps and I knew right off the bat I was looking for specific file types. Some may be wondering why I decided to highlight the samparse plug-in as well. At another time the same technique helped me verify a user account existed on the system and narrow down the timeframe when it was removed from the system.
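The snapshot-to-snapshot comparison described above can be scripted once each per-VSC report is reduced to a list of program names. This is an added example, not part of the original post or its vsc-parser script; the report contents and the program name ExampleLedger Pro are constructed, and only the snapshot names and timestamps come from the post.

```python
from datetime import datetime

# Snapshot creation times as listed in the post.
SNAPSHOTS = {
    "ShadowCopy19": "12/13/2011 6:13:35 PM",
    "ShadowCopy16": "12/01/2011 8:08:50 AM",
    "ShadowCopy3": "11/28/2011 11:19:40 AM",
    "ShadowCopy1": "8/26/2011 12:15:34 PM",
}

# Constructed sample reports, one program name per line. Real Regripper
# output carries more fields; reduce it to names before feeding it in.
REPORTS = {
    "ShadowCopy19": "Mozilla Firefox\nAdobe Reader\n",
    "ShadowCopy16": "Mozilla Firefox\nAdobe Reader\nExampleLedger Pro\n",
    "ShadowCopy3": "Mozilla Firefox\nExampleLedger Pro\n",
    "ShadowCopy1": "Mozilla Firefox\n",
}

def parse_report(text):
    """Return the set of non-empty, whitespace-trimmed program names."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def software_timeline(snapshots, reports):
    """Order snapshots by creation time and record install/removal windows."""
    fmt = "%m/%d/%Y %I:%M:%S %p"
    ordered = sorted(snapshots, key=lambda n: datetime.strptime(snapshots[n], fmt))
    events = []
    for older, newer in zip(ordered, ordered[1:]):
        before = parse_report(reports[older])
        after = parse_report(reports[newer])
        # Present in the newer snapshot only: installed inside this window.
        for name in sorted(after - before):
            events.append(("installed", name, older, newer))
        # Present in the older snapshot only: removed inside this window.
        for name in sorted(before - after):
            events.append(("removed", name, older, newer))
    return events

if __name__ == "__main__":
    for action, name, older, newer in software_timeline(SNAPSHOTS, REPORTS):
        print(f"{name}: {action} between {older} ({SNAPSHOTS[older]}) "
              f"and {newer} ({SNAPSHOTS[newer]})")
```

Each event is bounded by two snapshot creation times, which is the window in which the install or removal happened.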

I showed an example running Regripper against registry hives stored in VSCs on a live Windows 7 system. However, the approach is not only limited to registry hives or Regripper since you can pretty much parse any data stored in a VSC.
  1. Thierry13

    Hi. First of all thanks for your excellent blog!
    VSCs are a very good source of information for any forensic investigator. Your approach is very efficient to compare data and determine what has changed and what has not. Being a police officer I do it differently because my task is quite often to quickly find artifacts of what a suspect has done (did he visit a site, access a file, use a program...).
    Exploiting VSCs takes time I often do not have, so I've tried to automate the collection of data. Using PowerShell scripts and freeware, I can automatically identify VSCs on a hard drive, create hard links and then, for each VSC of interest, automatically extract the most useful data (browser data, regripper, recent, prefetch, boot, USN journal, MFT entries...). After that I search keywords in the results or just analyze the most interesting reports. That's not perfect but that works (normally ;) )

  2. The examples we both provided discuss different data but I think the technique is the same. Examining the data while it is still stored in the VSCs. I'm just starting my series on three different methods to accomplish this and one method is to traverse through symbolic links (mklink command).

    Thanks for posting a comment. Are your scripts something that can be shared?

  3. Thierry13

    Thanks for your answer.
    These scripts use freeware and are free. It will be my pleasure if you test them!
    form :
    The tool has been made to extract data on French Windows OS so some scripts (3 or 4 of 24) won't work with English OS. The script concerning VSCs is one of them because it uses vssadmin output to process, but I'll try to make it US compatible if you want. After connecting a drive, the script creates a hard link to each VSC. Using subst.exe I assign a drive letter to the VSC folder and use the scripts on this partition. That's not perfect but I hope that will be helpful to someone else.

  4. Thanks for sharing and I'm going to check out the scripts sometime this week. You don't need to make them US compatible for me; I was more interested in how you approached the same issue. In my series I'm going to be releasing a few scripts of my own and they also use the mklink command to provide access.
