Examining VSCs with GUI Tools

Wednesday, February 22, 2012 Posted by Corey Harrell
Over the past few posts I’ve been discussing how to examine data while it’s still inside Volume Shadow Copies (VSCs). I refer to the approach as Ripping VSCs because the concept behind it is to extract data from a system/forensic image as fast as possible so an examiner can start their analysis. This allows an examiner to start analyzing data within seconds instead of having to wait minutes to gather the information to analyze. The two different methods to rip VSCs are the Practitioner and Developer methods. Neither method necessarily uses tools with Graphical User Interfaces (GUIs), because these types of tools are not great for automation. However, GUI tools are viable options for parsing data inside VSCs and they shouldn’t be overlooked.

To run a GUI tool against a VSC requires that the VSC is accessed a certain way. As I mentioned in a previous post, chapter 3 in Harlan Carvey’s WFA 3/e shows how to create a symbolic directory to a VSC. The other method I saw in Troy Larson’s slide deck, where he exposes a VSC as a network share. Before I show how Harlan and Troy access VSCs I wanted to share my own failure in figuring this out so others know what didn’t work for me.

When I first started working with VSCs I created symbolic links to VSCs using the /j switch with mklink. The /j switch creates a Directory Junction, which worked well for my needs since I was running command-line tools against it. However, I was unable to get GUI tools to traverse a directory junction, and this limited the tools I could use to parse VSCs’ data. To get it to work I knew the VSC had to be exposed like a folder or drive, but my attempts were unsuccessful. I tried DiskShadow (I did get this to work in Windows 7 by leveraging the DLL search order vulnerability) and vshadow (included in the SDK), but neither program can mount a persistent VSC to a folder. The VSCs on Windows 7 and Vista systems are persistent, so at that point I didn’t have a way to expose them for GUI tools to work. That was until I saw what Harlan and Troy were doing.

Exposing VSCs as a Symbolic Folder

I already discussed how Harlan creates a symbolic directory to a VSC in the Practitioner Method post. If anyone wants more information than what I’m providing here I’d recommend you check out that post. The mklink command is used with the /d switch to create a symbolic directory to a VSC. The following command creates a symbolic directory named vsc1 pointing to the C volume’s first VSC, and the picture shows the result:

mklink /d c:\vsc1 \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy1\

Any GUI tool can then browse the VSC or parse any data inside it. As a side note, to automate creating and removing symbolic links to VSCs I put together the access-vsc.bat script located here. See the following pictures for some examples:

Windows Explorer Browsing VSC

Mitec WFA Analyzing Prefetch Files

FTK Imager Browsing VSC

Exposing VSCs as a Network Share

I could never do justice to the information Troy provides in his slides. That’s why I won’t even try to summarize it, and I recommend that anyone reading my post who hasn’t seen the presentation I’m referencing check it out (here’s the link again). Slide 53 shows how to expose a VSC as a network share, and I’ve reposted the command below.

net share testshadow=\\.\HarddiskVolumeShadowCopy18\

After the command has run, the share testshadow points to VSC 18. To make browsing with GUI tools easier I’d map the share to a network drive. The command below creates a mapped drive using drive letter K; since the share lives on the local machine, its own computer name goes in the UNC path (%COMPUTERNAME% expands to it):

net use K: \\%COMPUTERNAME%\testshadow

Just as with the symbolic directory, any GUI tool can browse the VSC or parse the data inside it. See the following pictures for some examples:

Windows Explorer Browsing VSC

MalwareBytes Scanning VSC
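Both of the approaches above (mklink /d to a symbolic directory, and net share to a network share) start from the same piece of information: the HarddiskVolumeShadowCopyN device name of each shadow copy. The PowerShell script below is an added example, not the post’s access-vsc.bat and not code from Harlan or Troy; it enumerates the shadow copies of one volume through the Win32_ShadowCopy WMI class and exposes each one either way, with a switch to tear everything down again. The script name Expose-Vsc.ps1, the C:\vsc root folder and the shadowN share names are my own assumptions; the vscN link names and the command forms are the ones the post shows. It must run from an elevated prompt.

```powershell
<#
 Expose-Vsc.ps1  (hypothetical name; added example, not the post's access-vsc.bat)
 Lists the Volume Shadow Copies of one volume and exposes each one for GUI tools,
 either as a symbolic directory (mklink /d, first section of the post) or as a
 network share (net share, Troy Larson's slide). -Remove tears them down again.
 mklink /d and net share both need an elevated prompt.
#>
param(
    [ValidateSet('Link', 'Share')]
    [string]$Mode   = 'Link',   # Link = mklink /d, Share = net share
    [string]$Volume = 'C:',     # drive letter whose shadow copies to expose
    [string]$Root   = 'C:\vsc', # Link mode: parent folder for vsc1, vsc2, ... (assumed path)
    [switch]$Remove             # undo what an earlier run with the same options created
)

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt; mklink /d and net share require it.'
}

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\
# form; that is how a shadow copy is tied back to the drive letter it was taken from.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found." }

$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate
if (-not $shadows) { Write-Warning "No shadow copies found for $Volume"; return }

if ($Mode -eq 'Link' -and -not $Remove -and -not (Test-Path $Root)) {
    New-Item -ItemType Directory -Path $Root | Out-Null
}

foreach ($sc in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy18
    $device = $sc.DeviceObject
    $num    = $device -replace '^.*HarddiskVolumeShadowCopy', ''

    if ($Mode -eq 'Link') {
        $path = Join-Path $Root "vsc$num"
        if ($Remove) {
            # rmdir removes only the link itself, never the shadow copy's contents
            if (Test-Path $path) { cmd /c rmdir "$path" }
            continue
        }
        # Same command as in the post; the trailing backslash on the device path is required
        cmd /c mklink /d "$path" "$device\"
        $exposed = $path
    }
    else {
        $share = "shadow$num"   # assumed naming; the post uses testshadow
        if ($Remove) { cmd /c net share $share /delete; continue }
        # net share wants the \\.\HarddiskVolumeShadowCopyN\ spelling of the same device
        $dosDevice = $device -replace '^\\\\\?\\GLOBALROOT\\Device\\', '\\.\'
        cmd /c net share "$share=$dosDevice\"
        # map it with: net use K: <this UNC path>
        $exposed = "\\$env:COMPUTERNAME\$share"
    }

    [pscustomobject]@{
        ShadowCopy = "HarddiskVolumeShadowCopy$num"
        Created    = $sc.InstallDate
        ExposedAs  = $exposed
    }
}
```

Typical use is `.\Expose-Vsc.ps1 -Mode Link` before pointing a GUI tool at C:\vsc\vscN, and the same command with `-Remove` once the examination is done. The number in the device name is kept as the link or share suffix so that a vsc18 folder or shadow18 share always maps back to HarddiskVolumeShadowCopy18, which makes it easy to record in notes which shadow copy a finding came from.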

Ripping VSCs Summary

The majority of my casework involves Windows XP operating systems, so I rarely encounter VSCs. In the few cases I did have involving Windows Vista and 7, VSCs played a critical role in my examinations since they allowed me to see how data evolved over time. As more organizations begin the migration from Windows XP to Windows 7 or 8, examining VSCs will become a common occurrence. Knowing the different approaches for examining VSCs will be vital for a successful examination. One of those approaches is to parse data while it’s still stored inside VSCs. The different methods to accomplish that include the Ripping VSCs Practitioner and Developer methods as well as manually using any GUI tool of choice.
