Section 5.2: Recovery of Deleted Files via VSS Flashcards
What is the Volume Shadow Copy Service?
It backs up key system files such as the registry, applications, executables, drivers, and DLLs, with the exception of some files.
Where can I find the files that aren't backed up by VSS? What memory files might not be included by this service?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Backup\FilesNotToSnapshot. Memory files that may be excluded are the hibernation and page files, depending on the Windows version.
How does the Volume Shadow Copy Service function?
It monitors for any writes to the filesystem and creates a backup copy of the affected data blocks before the new data is written to disk; this is called Copy-on-Write (COW). Those data blocks are 16 KB in size and are stored inside the System Volume Information directory at the root of the volume.
What do I expect to find inside the System Volume Information directory?
Inside I will find a file that tracks active volume shadow copies along with a VSC ID and a timestamp of creation. This tracking file is called the catalog, and its filename is formatted as a GUID. For each active shadow copy, a new catalog is made.
What is ScopeSnapshots? Is it enabled?
It's a default Windows 8+ feature that only monitors boot system files relevant to the computer for backup and ignores the rest.
How do I disable ScopeSnapshots?
Add a DWORD registry value named ScopeSnapshots with a value of 0.
Path to ScopeSnapshots:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
What tools can I use to collect VSCs?
For fast gathering, triage tools such as KAPE and Velociraptor work. For full volume captures, use Arsenal Image Mounter, F-Response, or vshadowmount.
For deep-dive forensics, what type of acquisition is recommended for VSC?
Full disk image.
How can I get access to the VSC files once I have an image? What other features can I access?
Mount it with a tool like Arsenal Image Mounter, which makes the image behave like a physical disk so those copies can be accessed. It can also access BitLocker and other drive encryption technologies.
Once VSC files are exposed, what tool do I use to recover previous versions of the system files?
Shadow Explorer.
What non-Windows tools can I use to access VSCs?
libvshadow's vshadowinfo and vshadowmount. These also expose the copies as raw disk images.
What Windows command outputs how many VSCs I have?
"vssadmin list shadows"
What does vshadowinfo do?
It lists all the VSC files from a raw disk image. The image can't be E01. Use the offset parameter if the input is an actual physical disk and not an image.
Since libvshadow must use a raw disk image to expose VSCs and cannot read E01 files, what tool must I use beforehand?
ewfmount. This tool makes the file accessible so that libvshadow can run its vshadowmount command against it.