
Shadow Copies - The Wiped-Out Evidence

Updated: Jan 4, 2021



Subject: Shadow Copies, Digital Forensics Investigation.

Operating System: Windows

 

Intro

As part of a successful forensic investigation, we may need to collect files that have already been deleted and that can provide critical evidence. If we want to get inside the attacker's head, deleted files are exactly the thing we want to put our finger on.

So, are Volume Shadow Copies the one thing we need in our investigation? How can we use them? Let's see.


Volume shadow copies are created in two ways:


  • Automatically –

In the automatic process, a shadow copy is taken when a new program is installed or when a Windows Update runs (provided System Protection is enabled for the volume). The OS activates the VSS process, which records a point-in-time image of the volume; only the blocks that change after the snapshot are physically copied into the shadow storage area, so the copy is a complete view of the volume without being a full duplicate of it. These images are stored in the System Volume Information folder of the volume, where they are protected until they are needed for Windows recovery. Some users prefer to create a shadow copy manually, typically when they are about to change their files and want to be sure the system preserves them at specific points during the process.


  • Manually –

With the help of the Control Panel

Control Panel -> System and Security -> System -> Advanced system settings -> System Protection tab -> Create

With the help of the CMD

(NOTE: administrator privileges are needed for both commands)

vssadmin list shadows

This lists the shadow copies that already exist, each with its Shadow Copy ID, creation time and device path of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. It does not create one: on Windows Server that is done with vssadmin's create shadow subcommand, on client Windows through the Win32_ShadowCopy WMI class, since vssadmin create shadow is not available there.

Navigated to the desktop, expose a copy as a directory link (the trailing backslash on the device path is required; without it the link resolves to an empty folder) -

mklink /d link \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
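The manual procedure above, scripted end to end. This is an added example and not code from the original post: it creates a shadow copy of C: through the Win32_ShadowCopy WMI class (which works on client Windows, where vssadmin create shadow does not), looks up the device path of the new copy and exposes it with mklink. It assumes an elevated PowerShell session; the link location $linkPath is an assumption and can be any path on a local NTFS volume.

```powershell
# Added example (not from the original post). Elevated session assumed.
#Requires -RunAsAdministrator

$volume   = 'C:\'
$linkPath = Join-Path $env:USERPROFILE 'Desktop\shadow'   # assumed link location

# 1. Create the copy. 'ClientAccessible' is the persistent context that the
#    Previous Versions feature uses, so the copy survives this session.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                           -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed, return value $($result.ReturnValue)"
}

# 2. Find it by the ID the call returned. DeviceObject is the
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that mklink needs.
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID
'Created {0} at {1:u}' -f $shadow.DeviceObject, $shadow.InstallDate

# 3. Expose it as a directory link. The trailing backslash on the device path
#    is mandatory; without it the link resolves to an empty folder.
cmd /c mklink /d $linkPath "$($shadow.DeviceObject)\"

# 4. Sanity check: the snapshot presents the whole volume root, hidden
#    directories such as $Recycle.Bin and System Volume Information included.
Get-ChildItem -Path $linkPath -Force | Select-Object Name, LastWriteTime

# When finished, remove only the link, never the snapshot's contents:
#   cmd /c rmdir $linkPath
```

Removing the link with rmdir (or Remove-Item on the link itself) is safe; recursing into it with Remove-Item -Recurse is not, because the link is a window onto the snapshot.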




Types of Copies

There are two types of shadow copies:

  • Clones –

A clone (full copy, or split mirror) duplicates the original data in full at the moment of the snapshot. Only hardware providers and some third-party providers produce clones; the built-in Windows system provider does not.

  • Copy-on-write –

In a copy-on-write shadow copy, as changes are being made to the live volume, the original contents of each block are copied into the shadow storage area just before the block is overwritten. A snapshot therefore costs only the space of what changed since it was taken. Copies are created on a regular basis or when new software or system updates are added. By default they are stored locally, in the System Volume Information folder of the same volume, although the storage association can be moved to another volume with vssadmin.



VSS (VSSVC.EXE)

The core component of shadow copy is the Volume Shadow Copy service (vssvc.exe), which initiates and oversees the snapshot creation process; the actual data handling is performed by components called providers.


Windows comes with a default System Provider, but software and hardware vendors can create their own software or hardware providers and register them with the Volume Shadow Copy service.


VSS records a point-in-time image of each volume it is asked to snapshot; only the blocks that change afterwards are copied into the shadow storage area.


The VSS service is also used by third-party programs, backup software above all. On its own, the service only starts on predefined triggers to create an image of the system drive and of the other drives present on the system. One shadow copy is created per volume; when several volumes are snapshotted in one operation, the copies form a shadow copy set that shares a single set ID. The copies are stored in a protected location on the volume, and each one carries its creation timestamp and the unique Shadow Copy ID assigned to it, which is what vssadmin list shadows prints.

At the moment I created a shadow copy manually, I could see the activity of vssvc.exe.



The Attacker mind

Diskshadow.exe is a scriptable command interpreter that exposes the functionality offered by vssvc.exe (create, expose, list and delete shadow copies), and it requires administrator privileges, as does vssadmin. Even so, not everything needs elevation: a non-privileged user can still read the contents of an existing shadow copy through its \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path, subject to the NTFS permissions preserved in the snapshot.
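What driving diskshadow.exe from a script looks like, as an added example that is not part of the original post: the script creates a persistent shadow copy of C:, exposes it as a drive letter for acquisition, and then removes exactly the copy it created. It assumes an elevated session and a host where diskshadow.exe is present (it ships with Windows Server; check your client build). The file paths, the alias name evidence and the drive letter Z: are assumptions.

```powershell
# Added example (not from the original post). Elevated session assumed.
#Requires -RunAsAdministrator

$createScript  = Join-Path $env:TEMP 'vss_create.dsh'    # assumed
$cleanupScript = Join-Path $env:TEMP 'vss_cleanup.dsh'   # assumed
$transcript    = Join-Path $env:TEMP 'vss_create.log'    # assumed
$exposeAs      = 'Z:'                                    # assumed free drive letter

# PERSISTENT keeps the copy after diskshadow exits (the default context is
# transient). NOWRITERS skips the application writers, which is acceptable for a
# read-only acquisition. EXPOSE attaches the snapshot to a drive letter.
# diskshadow expects a plain ASCII script; a UTF-8 BOM breaks the first line.
@"
SET CONTEXT PERSISTENT NOWRITERS
SET VERBOSE ON
ADD VOLUME C: ALIAS evidence
CREATE
EXPOSE %evidence% $exposeAs
LIST SHADOWS ALL
"@ | Set-Content -Path $createScript -Encoding ASCII

# /s runs the script non-interactively. Keep the full output for the case file.
$output = & diskshadow.exe /s $createScript 2>&1 | Out-String
$output | Set-Content -Path $transcript

# diskshadow prints "Shadow copy ID = {GUID}" for the copy it created; keep the
# GUID so the cleanup below cannot touch any other snapshot on the host.
$m = [regex]::Match($output, 'Shadow copy ID\s*[=:]\s*(\{[0-9a-fA-F-]+\})')
if (-not $m.Success) { throw "No shadow copy ID found in diskshadow output, see $transcript" }
$shadowId = $m.Groups[1].Value
"Created shadow copy $shadowId, exposed as $exposeAs"

# ... acquisition against $exposeAs goes here; for instance the registry hives
#     that are locked on the live volume are plain files inside the snapshot:
Get-ChildItem -Path "$exposeAs\Windows\System32\config" -File |
    Where-Object Name -in 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM' |
    Select-Object Name, Length, LastWriteTime

# Cleanup: drop the drive letter, then delete only the snapshot created above.
@"
UNEXPOSE $exposeAs
DELETE SHADOWS ID $shadowId
"@ | Set-Content -Path $cleanupScript -Encoding ASCII
& diskshadow.exe /s $cleanupScript | Out-Null
```

Leave the cleanup step out when the snapshot itself is evidence; the point of the GUID capture is that DELETE SHADOWS ID is scoped to one copy, unlike DELETE SHADOWS ALL.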





System Restore

System Restore is a feature that allows a user to roll back to a state prior to significant changes being made. These changes often include the installation of a new application or system configuration changes. When you roll back, you are actually using the Volume Shadow Copy Service to return to that known-good state. System Restore points also carry a description of what triggered them (for example the name of the installer that ran), so the user can determine what significant change caused the error.






Volume Shadow Copies in Digital Forensics

Windows shadow copies can provide additional data that would otherwise not be available. They allow a forensic investigator to recover deleted files and to learn what was taking place on a system before the investigation began. They are an excellent tool for discovering data that a system user previously deleted.

Although shadow copies can provide forensic investigators with files that were deleted between the time the shadow copy was made and the time the investigation began, we, as digital forensics researchers, encounter a number of disadvantages:

  • Each shadow copy preserves only the single version of a file that existed at snapshot time; with N copies we get at most N earlier versions.

  • Changes that were made and undone between two snapshots, or before the first one was created, leave no trace in any copy.

  • The Shadow Copy service might be turned off by the user (System Protection disabled for the volume, or the VSS service itself disabled), resulting in no shadow copies being stored.

  • The shadow storage limit might be set too low for multiple shadow copies to be kept, or even for one if it is larger than the limit allows; Windows deletes the oldest copies to stay under the limit, and vssadmin list shadowstorage shows both the limit and the current usage.

  • The copies may have been removed on purpose: an attacker with administrator rights can delete all of them with vssadmin delete shadows /all, a step ransomware routinely takes, so an empty vssadmin list shadows on a host where System Protection is enabled is itself a finding worth recording.


To investigate these points, we may collect information about the VSS service and about what it is told to leave out of its copies from the Windows Registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
  1. ImagePath - the service binary, normally %systemroot%\system32\vssvc.exe

  2. DisplayName - the display name of the service

  3. Start - the start type; 3 (manual) is the default, 4 means someone disabled the service



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore (each of the following is a subkey whose values are REG_MULTI_SZ lists of paths)
  1. FilesNotToBackup - files that backup applications should neither back up nor restore.

  2. FilesNotToSnapshot - files that are deleted from a newly created shadow copy, so they can never be recovered from one; read this list before concluding that a file was never on the system.

  3. KeysNotToRestore - names of registry keys and values that backup applications should not restore.
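The checks behind the disadvantages and registry keys above, gathered in one place. This is an added example, not code from the original post: it reads the VSS service definition and the three BackupRestore exclusion lists from the registry, queries the shadow copies, the shadow storage limits and the System Restore points of the live host, and returns everything as one object. It assumes an elevated Windows PowerShell 5.1 session (Get-ComputerRestorePoint is not available in PowerShell 7, so that part is skipped when the cmdlet is missing); the function name Get-VssState and the property names on the returned object are assumptions.

```powershell
# Added example (not from the original post). Elevated session assumed.
#Requires -RunAsAdministrator

function Get-VssState {
    # Service definition. Start: 2 = automatic, 3 = manual (default), 4 = disabled.
    $svc      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS'
    $startMap = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Storage association: the MaxSpace figure decides how many copies survive.
    $storage = (vssadmin list shadowstorage 2>&1) -join "`n"

    # Exclusion lists: each subkey holds REG_MULTI_SZ values, one per component,
    # naming the paths that never reach a backup / are removed from a fresh
    # snapshot / are not restored.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore'
    $exclusions = foreach ($sub in 'FilesNotToBackup', 'FilesNotToSnapshot', 'KeysNotToRestore') {
        $key = Get-Item -Path (Join-Path $base $sub)
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                List      = $sub
                Component = $name
                Entries   = (@($key.GetValue($name)) -join '; ')
            }
        }
    }

    # Restore points exist only in Windows PowerShell and only when System
    # Protection has ever been on; an empty list is itself a data point.
    $restorePoints = @()
    if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
        $restorePoints = @(Get-ComputerRestorePoint |
                           Select-Object SequenceNumber, Description, CreationTime, RestorePointType)
    }

    [pscustomobject]@{
        ServiceBinary  = $svc.ImagePath
        ServiceDisplay = $svc.DisplayName
        ServiceStart   = $startMap[[int]$svc.Start]
        ShadowStorage  = $storage
        ShadowCopies   = @(Get-CimInstance -ClassName Win32_ShadowCopy |
                           Sort-Object InstallDate |
                           Select-Object ID, VolumeName, InstallDate, DeviceObject)
        RestorePoints  = $restorePoints
        Exclusions     = @($exclusions)
    }
}

$state = Get-VssState
$state | Format-List ServiceBinary, ServiceDisplay, ServiceStart, ShadowStorage
$state.ShadowCopies  | Format-Table -AutoSize
$state.RestorePoints | Format-Table -AutoSize
# The list that decides what can never be recovered from a snapshot:
$state.Exclusions | Where-Object List -eq 'FilesNotToSnapshot' | Format-Table -AutoSize -Wrap
```

A ServiceStart of Disabled, a shadow storage entry whose used space is zero, or a FilesNotToSnapshot entry covering the directory you care about each explain an empty result before any recovery attempt is made.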




Tools

As part of our forensic investigation, we need to consider the possibility that the malicious files which ran on our host have already been deleted by the attacker.


VSCMount

With the help of mklink we may create one link per volume shadow copy device path, as shown above. To make the process easier, we can use VSCMount from Eric Zimmerman's tools, which does the same for every shadow copy of a volume in one run:


VSCMount.exe --dl C --mp \security_hive (dl = the drive letter whose shadow copies to mount, mp = the mount point directory that receives one subdirectory per shadow copy)

Now we may observe the mount point we created: one subdirectory per shadow copy, each exposing the full volume as it was when that snapshot was taken.
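The loop that VSCMount automates, written by hand and followed by the check an examiner runs next: which files under a given directory does a snapshot still hold that the live volume no longer has? This is an added example, neither VSCMount's source nor code from the original post. It assumes an elevated session; $mountRoot and $target are assumptions.

```powershell
# Added example (not from the original post). Elevated session assumed.
#Requires -RunAsAdministrator

$driveLetter = 'C:'
$mountRoot   = 'C:\vss_mount'            # assumed; receives one link per snapshot
$target      = 'Users\Public\Documents'  # assumed; relative to the volume root
New-Item -ItemType Directory -Path $mountRoot -Force | Out-Null

# Shadow copies are keyed by volume GUID path, not by drive letter.
$liveVolume = Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter -eq $driveLetter
$shadows    = Get-CimInstance -ClassName Win32_ShadowCopy |
              Where-Object VolumeName -eq $liveVolume.DeviceID |
              Sort-Object InstallDate

# One directory link per snapshot, named by creation time so the order is obvious.
$mounts = foreach ($s in $shadows) {
    $link = Join-Path $mountRoot ('vss_' + $s.InstallDate.ToString('yyyyMMdd_HHmmss'))
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d $link "$($s.DeviceObject)\" | Out-Null
    }
    $link
}
'Mounted {0} shadow copies of {1} under {2}' -f @($mounts).Count, $driveLetter, $mountRoot

# Relative paths of every file under $target on the live volume, as a
# case-insensitive set (NTFS is case-insensitive).
$livePrefix = Join-Path "$driveLetter\" $target
$liveFiles  = @(Get-ChildItem -LiteralPath $livePrefix -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName.Substring($livePrefix.Length + 1) })
$liveSet = [System.Collections.Generic.HashSet[string]]::new(
               [string[]]$liveFiles, [System.StringComparer]::OrdinalIgnoreCase)

# Walk the same subtree inside each snapshot; anything not in the live set was
# deleted (or renamed) after that snapshot was taken.
foreach ($m in $mounts) {
    $snapPrefix = Join-Path $m $target
    Get-ChildItem -LiteralPath $snapPrefix -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { -not $liveSet.Contains($_.FullName.Substring($snapPrefix.Length + 1)) } |
        Select-Object @{ n = 'Snapshot';     e = { Split-Path $m -Leaf } },
                      @{ n = 'RelativePath'; e = { $_.FullName.Substring($snapPrefix.Length + 1) } },
                      Length, LastWriteTime
}

# Cleanup removes the links only, never the snapshots behind them:
#   Get-ChildItem -Path $mountRoot | ForEach-Object { cmd /c rmdir $_.FullName }
```

Copying a hit out of its snapshot directory with Copy-Item gives the file as it was at snapshot time, including its original timestamps; the earliest snapshot that still lists the file bounds when it was deleted.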





VSHADOWMOUNT (libvshadow)

This is the order of actions the SANS SIFT workstation provides to mount volume shadow copies from a disk image rather than from a live host (the libvshadow tools are spelled vshadowinfo and vshadowmount, one word each):



  1. Receive a disk image (E01 or raw)

  2. Mount an E01 with ewfmount, which exposes it as a raw device file

  3. Run vshadowinfo against the raw image, passing the byte offset of the NTFS partition, to list the shadow copies and their creation times

  4. Use vshadowmount with the same offset to expose each shadow copy as a file vss1, vss2, ... in a mount directory

  5. Bash for loop: mount each vssN file read-only as NTFS, so every snapshot becomes a browsable directory tree





Conclusions

This article has shown the value of Volume Shadow Copies for investigating both live and dead systems. Using them in a forensic investigation is highly recommended because of the different artifacts we may collect from the copies: each one presents a complete point-in-time view of the volume, so log files, registry hives and other evidence can be read from it exactly as they were when the snapshot was taken.





© Security Hive 2020
