Shadow Forensics

Shadow Copies: What are they? Why are shadow copies important to investigators? How to examine them - The traditional way & the better way!

Receive a Quote for Shadow Scanner www.patctech.com

©2011 EKL Software and Robert Erdely, in Association with PATCtech Digital Forensics http://www.patctech.com/forensics/utilities/eklshadow.shtml

WHAT are Shadow Copies?

Shadow copies are moment-in-time snapshots of files on a computer - specifically on an NTFS formatted volume. They are created any time a restore point is triggered. Shadow copies are created in both Windows® Vista and Windows® 7; however, the focus of this article will be on Windows® 7. Windows® 7 creates a restore point by default every day at 12:00 AM and at system startup. Users can view these scheduled tasks in the Windows® Task Scheduler.

Both Windows® Vista and Windows® 7 create volume shadow copies prior to the installation of new software, including Windows® updates. A maximum of 64 shadow copies can be saved on a volume. The Volume Shadow Copy Service (VSS) monitors all changes made to a VSS-enabled volume. These changes are tracked in 16 KB ‘blocks’: if a change is made to any data inside a 16 KB block, the entire block is copied to a volume shadow copy file before the data changes on the volume. All volume shadow copy files are stored in the ‘System Volume Information’ folder on the root of the volume. If there is a need to revert to a snapshot, the original blocks are restored in place of the changed ones, in a sense reconstituting the volume to its state when the snapshot was taken. Certain versions of Windows® 7 and Windows® Vista (Professional, Enterprise, and Ultimate) allow users to access previous versions through the .


Windows® 7 and Vista Home Basic and Home Premium do not include the above functionality. However, since the volume shadow copies are tied to the restore points being created, these backup copies still exist in the Windows® 7 / Vista Home products!

Why look at Shadow Copies?

Shadow copies are enabled on the boot drive by default in Windows® Vista and Windows® 7, which allocate up to 15% of the hard drive space for shadow copies. Shadow copies store the 16 KB blocks of data that have been changed (in any way). If a file has been deleted from the volume (the main set of “active files” on the computer), the entire file would then exist only in the shadow volume. File carving the data from the shadow volumes could be accomplished when the file has been deleted. If you need to examine the different versions of files, file carving is not effective since the shadow volume only holds the differences. Additionally, when you rely on file carving, you are unable to determine file attributes such as created, accessed and written times. Why would I rely on products which carve the data, when I can recover the whole file as it existed at a particular moment in time? This is the advantage of analyzing shadow copies ~ you have the potential to get the whole file, WITH the file attributes (meta-data)!

How to Examine Shadow Copies

Overview:

There are two different times when a shadow copy can be examined, live at a scene or post seizure in a lab environment. Although there may be instances where you would need to examine Shadow Copies live, this article will primarily focus on examination in a controlled environment.

The preferred operating system to use when examining shadow copies is Windows® 7. Two advantages of using Windows® 7 are:

• Windows® 7 Volume Shadow Copy Service (VSS) remains backwardly compatible with older versions of VSS.

• Windows® 7 does a better job of recognizing the shadow copies found on foreign disks.

Traditional Procedures for Shadow Copy Forensics

In order to examine shadow copies the traditional way, examiners must use the “vssadmin” and “mklink” commands native to Windows® Vista and 7. The following steps could be taken to create a forensic image of a specific shadow copy.

1. Attach the hard drive to a forensic write blocker and then connect the write blocker to a computer running any version of Windows® 7.

2. Identify the shadow copy you wish to analyze with the following command, which must be run in a command prompt (DOS) window that has administrative privileges: “vssadmin list shadows”

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\>vssadmin list shadows
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Contents of shadow copy set ID: {6b7b73b0-e0c8-4dee-a2d4-dd3e2efb3bb4}
       Contained 1 shadow copies at creation time: 12/3/2010 1:51:48 AM
          Shadow Copy ID: {713eb39b-0869-4b91-9ad1-ae3c40689d7c}
             Original Volume: (C:)\\?\Volume{50db6a44-cd56-11db-ad62-806e6f6e6963}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
             Originating Machine: RobE521
             Service Machine: RobE521
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: ClientAccessibleWriters
             Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered


3. Use the “mklink” command to mount the shadow copy volume to a directory on your forensic machine.

    C:\>mklink /d c:\shadow1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
    symbolic link created for c:\shadow1 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\

Note: I pasted the Shadow Copy Volume path into the command line, then added a trailing “\”.

4. Use a forensic application to create a forensic image of the shadow copy mounted at the c:\shadow1 directory. This is a symbolic link, which can be removed by simply deleting it.
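As an added example (my own code, not the article's and not an EKL tool), the script below parses the “vssadmin list shadows” output format shown above into records and builds the step-3 mklink line, including the trailing backslash the note calls out. The sample output is constructed with placeholder GUIDs and a placeholder machine name, and the function names are assumptions.

```python
from datetime import datetime

# Constructed sample in the 'vssadmin list shadows' layout shown above; the
# GUIDs and machine name are placeholders, not values from any real system.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 12/3/2010 1:51:48 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000aa}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000bb}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_vssadmin_output(text):
    """One dict per shadow copy: set_id, created, shadow_id, original_volume and
    device_path (the GLOBALROOT device path that step 3 hands to mklink)."""
    copies, set_id, created, current = [], None, None, {}
    for raw in text.splitlines():
        # Split on the first ':' only, so values such as '(C:)\\?\Volume{...}' survive.
        key, _, value = (part.strip() for part in raw.strip().partition(":"))
        if key == "Contents of shadow copy set ID":
            set_id = value
        elif key.endswith("at creation time"):
            created = value
        elif key == "Shadow Copy ID":
            current = {"set_id": set_id, "created": created, "shadow_id": value}
        elif key == "Original Volume":
            current["original_volume"] = value
        elif key == "Shadow Copy Volume":
            current["device_path"] = value
            copies.append(current)  # the last field we need, so the record is complete
    return copies


def creation_time(copy):
    """Parse vssadmin's M/D/YYYY h:mm:ss AM/PM creation stamp into a datetime."""
    return datetime.strptime(copy["created"], "%m/%d/%Y %I:%M:%S %p")


def mklink_command(copy, link_path):
    """Build the step-3 mklink line; the device path must end in a backslash."""
    device = copy["device_path"].rstrip("\\") + "\\"
    return f"mklink /d {link_path} {device}"
```

Feeding the real output of “vssadmin list shadows” to parse_vssadmin_output gives one record per snapshot, so the creation times can be compared before choosing which copy to mount.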

The Problem with traditional shadow copy forensics

Although this process will work, there are issues with conducting a forensic analysis using traditional procedures. The primary problem is that even though the mounted shadow copy volume is a snapshot in time of the hard drive, when mounted, the contents of the shadow copy are commingled with the active files on the volume. These commingled files will total nearly the same size as the files found on the volume: if the hard drive has 100 GB of files on the volume, the mounted shadow volume will also be approximately 100 GB in size. When you consider that there can be up to 64 shadow copies on a volume, you can see that taking the time to examine shadow copies can be cost prohibitive. The costs to consider are:

• The cost of the examiner’s time and wages

• The cost of storage for holding the massive forensic images (In the above example, it would take 6 TB of storage to store the images)

• The cost of time lost in the investigation (if this is a missing person case, do you have time to search and analyze this amount of data?)

A Better Solution to Shadow Copy Forensics

Shadow Scanner

Shadow Scanner was developed to provide an efficient and cost-effective solution to Shadow Copy Forensics. This forensic tool gives examiners the ability to perform their examinations on the file differences ~ eliminating hours or even days of examination time. It scans the files found in the shadow copies and then exports the files which are different or missing on the volume. Users may filter the results using the built-in file filters or user-created filters. Once the file set is identified, the examiner need only export and image the differing files they wish to examine.

Shadow Scanner is available as a Windows® 32 bit and 64 bit application. Regardless of which version you run, you will be able to examine shadow copies seized from 32 or 64 bit Windows® Vista or Windows® 7 computers.

The Shadow Scanner Process

1. Attach the seized hard drive to a forensic write blocker, and then attach to a Windows® 7 computer (any version of Windows® 7).

2. Launch Shadow Scanner and select Shadow Copy(s) to scan.

3. Shadow Scanner will first scan the volume, then the shadow copy.


4. The differences can be based on the file path alone or can also take the file attributes into account. By default it just finds the differences based on the file path.

5. The differences can be filtered by using the pre-defined filters or a user-created filter.


6. Select one or more filters then “” to continue.

7. The results can then be exported in whole or in part by using the check boxes.


8. A user can then export the files selected, with an option to synchronize the created, last accessed, and last written times to the times as they existed in the shadow volume.

9. Once exported, there are artifacts which document the entire forensic process:


• C 2010-12-03 0151.48 - this is the directory which contains the exported files

• C 2010-12-03 0151.48 - export errors.txt – files which were unable to be exported

• C 2010-12-03 0151.48 - export files.csv – file names, paths, created, accessed, and written times

• C 2010-12-03 0151.48 - scan errors.txt – a list of files which could not be scanned

• C 2010-12-03 0151.48 - vssadmin output.txt – the output received from the vssadmin command
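As an added illustration of the difference scan and export in steps 3 through 9 (my own code, not Shadow Scanner's), the script below compares a live volume tree against a mounted snapshot tree, by path alone or also by file attributes, and copies the flagged files out with the snapshot's timestamps plus a CSV listing. The two sample trees, the function names and the CSV columns are assumptions; with the traditional procedure above, the two roots would be the seized volume and the c:\shadow1 link.

```python
import csv, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def scan_differences(volume_root, shadow_root, compare_attributes=False):
    """Snapshot files missing from the volume; with compare_attributes, also size/mtime changes."""
    found = []
    for dirpath, _, names in os.walk(shadow_root):
        for name in sorted(names):
            rel = os.path.relpath(os.path.join(dirpath, name), shadow_root).replace(os.sep, "/")
            snap = os.stat(os.path.join(dirpath, name))
            try:
                live = os.stat(os.path.join(volume_root, rel))
                if not compare_attributes or (live.st_size, live.st_mtime) == (snap.st_size, snap.st_mtime):
                    continue  # present on the volume and (if asked) unchanged: nothing to report
                status = "changed"
            except FileNotFoundError:
                status = "missing"  # deleted since the snapshot; only the shadow copy still has it
            found.append({"path": rel, "status": status,
                          "written": datetime.fromtimestamp(snap.st_mtime, timezone.utc).isoformat()})
    return found

def export_differences(found, shadow_root, export_dir):
    """Copy flagged files out of the snapshot (copy2 keeps written/accessed times) and log them to CSV."""
    os.makedirs(export_dir, exist_ok=True)
    with open(os.path.join(export_dir, "export files.csv"), "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "status", "written"])
        writer.writeheader()
        for rec in found:
            dst = os.path.join(export_dir, rec["path"])
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(shadow_root, rec["path"]), dst)
            writer.writerow(rec)

def demo():
    """Constructed fixture: one file edited, one deleted; runs both scans, then exports."""
    base = tempfile.mkdtemp()
    trees = {"volume": {"same.txt": "unchanged", "edited.txt": "longer new text"},
             "shadow": {"same.txt": "unchanged", "edited.txt": "old", "deleted.txt": "gone"}}
    for tree, files in trees.items():
        for name, text in files.items():
            path = Path(base, tree, "Users", "alice", name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
            os.utime(path, (1291341108, 1291341108))  # 2010-12-03 01:51:48 UTC on both trees
    vol, snap = os.path.join(base, "volume"), os.path.join(base, "shadow")
    by_attr = scan_differences(vol, snap, compare_attributes=True)
    export_differences(by_attr, snap, os.path.join(base, "export"))
    return {"by_path": [r["path"] for r in scan_differences(vol, snap)],
            "by_attr": {r["path"]: r["status"] for r in by_attr}, "written": by_attr[0]["written"]}
```

Creation time is deliberately not synchronized here because Python cannot set it portably; copy2 carries over the accessed and written times only.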

The Bottom Line

Shadow Scanner reveals the lost evidence! When your suspect hides their tracks by changing or deleting a file on a Windows® 7 or Vista computer, Shadow Scanner is the tool that can help you quickly and easily recover those changed or deleted files.

Contact PATCtech today to receive a quote for Shadow Scanner
