Volume Shadow Copy
Vista/Win7/Win8 now logs changes to the entire Volume and keeps track of the specific clusters that are changed on a daily basis in the new Volume Snapshot Service or VSS.
Vista/Win7 Business, Enterprise, and Ultimate have Shadow Copy enabled by default.
Enables a user to:
Revert the file to any previous version
Restore a previous version from backup
Make a copy of previous version
All volume shadow copy files are stored in the ‘System Volume Information’ folder on the root of the volume and are recognizable by their names.
The number 3808876b-c176-4e48-b7ae-04046e6cc752, is a unique identifier specific to the volume shadow service.
System Snapshot Frequency
Windows Vista,
The system snapshot is scheduled to take place every 24 hours.
Windows 7
The system snapshot is scheduled to take place every 7 days.
You may notice that this is not exact. Windows Vista will not take volume snapshots exactly every 24 hours; there may be some time changes day to day. This is because the VSS will create new shadow copies only once the computer has been idle for a certain amount of time, or the computer is being turned off or rebooted.
Tools that can parse the volume shadow copy are:
Magnet forensics IEF
VSC-Toolset
libvshadow (SIFT)
ShadowExplorer
VSS Imaging
FTK Imager
robocopy
Copy only specific file types (robocopy)
VSS Examination
Live examination of VSS
vssadmin + mslink + robocopy
FTK Imager, EnCase
ShadowExplorer, VSCToolset, ShadowKit
Offline analysis
Reconnoitre – Commercial
libvshadow (DD style RAW image input for use on Linux / Mac)
VSS Live Examination
Obtain a list of existing shadow volumes in the Volume Shadow Copy Service by executing the tool vssadmin.
To obtain a list of the shadows execute:
This command will list the available shadows for the C-drive volume.
To create a symbolic link via mklink to mount the shadow copy to a directory of your choice:
The shadow copy—a mirror of the volume’s entire file system at the time of the snapshot—will now be available within the linked directory.
Things to notice:
The shadow copy volume is the name of the volume that we will use to examine the contents of that specific volume. You might want to write the exact name down.
The originating machine would be noteworthy if you have plugged in an NTFS drive from another shadow copy-enabled machine.
The system time of the creation time of the volume will tell you when the snapshot was created, This time is important as you know which shadow copy volume might contain your data. From the output of vssadmin, note the total number of shadow copy volumes from the machine
Offline Analysis
Mount disk image in Arsenal Image Mounter in “Write Temporary“ Mode
Launch ShadowExplorer as Administrator
Browse Snapshots
Extract Files using Right Click -> Export
Volume Shadow Copies in the Registry
We can also recover information about our Volume Shadow Copies, and their characteristics, from the Windows Registry.
There are multiple locations of interest, especially as this is a Windows service. The following registry key provides information on the service itself:
And the following registry key:
Within this path, we’ve got three subkeys:
FilesNotToBackup — specifies files that should not be backed up or restored.
FilesNotToSnapshot (only Vista/2008+) — Specify files that should be deleted from newly-created shadow copies
KeysNotToRestore — Provides the names of registry keys and values that backup applications should not restore.
If you ever find any discrepancies on a system that you are analyzing, I’d recommend pulling these registry keys and determining if there was a configuration change that altered data within a VSC.
Last updated
