Section 5.2: Recovery of Deleted Files via VSS

Question 1

What is the Volumne Shadow Copy Service?

Answer 1

It backs up key system files such as registry, applications, executables, drivers, and DLLs with the exception of some files.

Question 2

Where can I find the files that aren’t backed by VSS? What memory files might not be included by this service?

Answer 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Backup\FilesNotToSnapshot. Memory files that may be exclude are the hibernation and page files depending on the Windows version.

Question 3

How does the Volumne Shadow Copy Service function?

Answer 3

It monitors for any writes to the filesystem and creates a backup copy of data blocks before writing new data to the disk called Copy-on-Write (COW). Those data blocks are 16 KB in size and stored inside the System Volumne Information directory at the root volumne.

Question 4

What do I expect to find inside the System Volumne Information directory?

Answer 4

Inside I will find a file that tracks active volumne shadow copies along with a VSC ID and a timestamp of creation. This tracking file is called the catalog and its name format is set in GUID. For each active shadow copy, a new catalog is made.

Question 5

What is ScopeSnapshots? Is it enabled?

Answer 5

Its a defaulted Windows 8+ feature that only monitors boot system files relevant to the computer for backup and ignores the rest.

Question 6

How do I disable ScopeSnapshots?

Answer 6

Adding a DWORD key value in the registry called ScopeSnapshots with a value of 0.

Question 7

Path to ScopeSnapshots:

Answer 7

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Question 8

What tools can I use to get VSC?

Answer 8

For fast gathering, triage tools such as KAPE and Velociraptor work. For full volumne captures, Arsenal Image Mounter, F-Response, and vshadowmount.

Question 9

For deep-dive forensics, what type of acquisition is recommended for VSC?

Answer 9

Full disk image.

Question 10

How can I get access to the VSC files once I have an image? What other features can I access?

Answer 10

Mount it to a tool like Arsenal Image Mounter to trick the image to act like a disk to get access to those copies. It can also access BitLocker and other drive encryption technologies.

Question 11

Once VSC files are exposed, what tool do I use to recover previous versions of the system files?

Answer 11

Shadow Explorer.

Question 12

What tool, that are not Windows-based, can I use to access VSC?

Answer 12

libvshadow’s vshadowinfo & vshadowmount. These also expose copies as raw disk images.

Question 13

What Windows command outputs how many VSC I have?

Answer 13

“Vssadmin list shadows”

Question 14

What does vshadowinfo do?

Answer 14

It lists all the VSC files from a raw disk image. The image can’t be E01. Use the offset parameter if the disk is an actual physical disk and not an image.

Question 15

Since libvshadow must use a raw disk image to expose VSC and not E01files, what tool must I use beforehand?

Answer 15

Ewfmount. This tool makes the file accessable for libvshadow to run its vshadowmount command.

Question 16

What does mountwin alias do? What do the commands mean?

Answer 16

It adds additional features to the mount. [ro] read-only,
[loop] mount file as a block device,
[show_sys_files] show hidden files like $Logfile, [streams_interface=windows] expose data streams.

Question 17

Can VSC be used with log2timeline.py?

Answer 17

Yes. If a full disk or volumne image is being used on log2timeline.py, it will ask if VSC should be integrated to the timeline. Psort can deduplicate the extra data.