Ripping VSCs – Tracking User Activity

Tuesday, March 13, 2012 Posted by Corey Harrell
For the past few months I have been discussing a different approach to examining Volume Shadow Copies (VSCs). I’m referring to the approach as Ripping VSCs and the two different methods to implement the approach are the Practitioner and Developer Methods. The multipart Ripping VSCs series is outlined in the Introduction post. On Thursday (03/15/2012) I’m doing a presentation for a DFIROnline Meet-up about tracking user activity through VSCs using the practitioner method. The presentation is titled Ripping VSCs – Tracking User Activity and the slide deck can be found on my Google sites page.

I wanted to briefly mention a few things about the slides. The presentation is meant to compliment the information I’ve been blogging about in regards to Ripping VSCs. In my Ripping VSCs posts I outlined why the approach is important, how it works, and examples showing anyone can start applying the technique to their casework. I now want to put the technique into context by showing how it might apply to an examination. Numerous types of examinations are interested in what a user was doing on a computer so talking about tracking someone’s activities should be applicable to a wider audience. To help explain put the approach into context I created a fake fraud case study to demonstrate how VSCs provide a more complete picture about what someone did on a computer. The presentation will be a mixture of slides with live demos against a live Windows 7 system. Below are the demos I have lined up (if I am short on time then the last demo is getting axed):

        - Previewing VSCs with Shadow Explorer
        - Listing VSCs and creating symbolic links to VSCs using vsc-parser
        - Parsing the link files in a user profile across VSCs using
        - Parsing Jump Lists in a user profile across VSCs using Harlan’s
        - Extracting a Word document’s metadata across VSCs using Exiftool
        - Extracting and viewing a Word document from numerous VSCs using vsc-parser and Microsoft Word

I’m not covering everything in the slides but I purposely added additional information so the slides could be used as a reference. One example is the code for the batch scripts. Lastly, I’m working on my presentation skills so please lower your expectations. :)
  1. Awesome stuff, Corey!

    Have you considered writing up a presentation to give in person?

  2. As a test run for DFIROnline I gave this presentation to a small local DFIR group. I have decided to work on a presentation for one of the DFIR conferences later in the year (right now it's looking like PFIC in the fall). Shooting for the fall gives me more time to work on further developing my presentation skills.

  3. Jimmy_Weg

    Corey, your slide presentation is a great approach to presenting the value of VSCs. Having examined VSCs since their inception, I would add that, after looking at the other methods, simply booting an image in VMware still is the most efficient way to go. First, you can do a quick preview simply by right-clicking the system root (C:\) and invoking "restore previous versions." Open any one you wish in Explorer.

    You also can create a symlink of any VSC and image its contents with FTKI or XWF, run from a thumb. You can mount the VSC with Danny Mares VSS (free), and do a complete exam of the volume with XWF (or other tool that can be run from a thumb). You even can image the VSC if you wish. When I last used Shadow Explorer, I found it terribly slow and unable to export files efficiently (in a VM).

    Lastly, the latest version of ProDiscover is able to mount a VSC in your ProDiscover case, just like any logical volume. Given these approaches, I'm not sure why anyone would use robocopy, although it is free. After all, you still need to do something with the stuff that you copy from the VSC. Why not import the VSC data (AD1, XWF Container) into a forensic tool, process it, and produce a nice HTML report? Anyway, you're presentation will be enlightening to many viewers, and I'm glad that you're taking the time to share your talent with others. The case examples are terrific!

  4. @Jimmy

    Thanks for stopping by and leaving a comment. I hope others read your comment because you laid out how you approach VSCs and it's another option for people to use. I have only started looking at VSCs about two years ago and last year is when I started seeing systems that had them available.

    The way I examine VSCs really depends on what I'm trying to do. However, one commonality I find myself doing trying to examine the data it's still so I can avoid imaging each VSC or copying data out (robocopy method). I find it's faster to just access the data inside VSCs directly to get the information I want.

    How I access the data also varies. Sometimes I'm only interested in one or two VSCs so I'll just create symbolic links to them and analyze it with my tools (I don't need to use my VSC scripts). At other times I'm interested in data across numerous VSCs which is to tedious to manually examine each VSC with my tools. This is why I started looking at ripping VSCs because it's easier to parse an artifact across all VSCs then it is to image each VSC, copy the data out, or manually examine each VSC. The slide deck shows a few instances when it's discussing parsing link files, file metadata, or jump lists. Hopefully the demos go smooth but the technique is fast. In seconds you can parse every link file in a user profile across all VSCs.

    How I access the VSCs also depends. At home I'll just connect the hard drive to my system through USB writeblocker and at work I have access to Encase with the PDE module. Accessing them through vmware is a great option and it's something I added to my to do list of things to try out. I've seen others comment about Prodiscover but it's something I don't have access to.

    I do agree about ShadowExplorer and robocopy. I only use ShadowExplorer to get a quick highlevel look of the filesystem while I only use robocopy to grab a specific folder from each VSC.

  5. Jimmy_W

    Good point about ripping across multiple VSCs. I've never symlinked more than one at a time, so your reply is kind of like a "Gee, I coulda had a V-8!" Parsing all the LNKs at once is a great example. Another thing that I haven't tried is simply building a VM from a drive through a write blocker. It should work. If I get to the point where I need a VM, I already have an image.

    I was lucky to have received a temp license for ProDiscover at the last HTCIA conference. Then, Chris Brown was kind enough to extend it because I helped with a few issues. Given a few tweaks, ProDiscover could be the ultimate VSC exam tool, if one can afford the cost. Thanks for sharing yout talent!

Post a Comment