Shadow Trash:

$Recycle.Bin Forensics for and Shadow Volumes

Timothy R. Leschke
Forensic Computer Engineer
U.S. Department of Defense Cyber Crime Institute
911 Elkridge Landing Road, Suite 450
Linthicum, MD 21090
[email protected]

ABSTRACT

According to Microsoft, over one-third of all data loss is the result of accidental file deletion or modification (Microsoft, 2003). The Volume Shadow Copy Service is a Windows operating system service that archives key data and system settings. This allows Windows 7 and Windows Vista to recover from accidental data deletion and from destabilizing events, such as a virus attack or the incorrect installation of a software or hardware device. This archiving service also makes it possible for a user to view “previous versions” of documents. Because of the amount of data that this service archives, it has been referred to as a gold mine of forensic evidence.

One of the key sets of data that gets copied by the Volume Shadow Copy Service is the user’s Recycle Bin data. Recycle Bin data includes records of the most recently discarded (“deleted”) files of the user. The process of archiving Recycle Bin data by the Volume Shadow Copy Service is achieved by taking a “volume snapshot.” “Volume snapshot” data is stored in what is known as a “shadow volume.” Because a “shadow volume” is not located within the traditional file-tree structure of the operating system, the usual methods employed by forensic computer examiners to analyze this data cannot be used. A new approach for examining this data is required.

In the following pages, the author explains how the Volume Shadow Copy Service archives Recycle Bin data into shadow volumes. The use of the “vssadmin list shadows” command is introduced as a way to identify the shadow volumes that exist within an operating system. The author further explains how to create “symbolic links” to access individual shadow volumes. The challenges that a forensic computer examiner faces when attempting a manual examination of a shadow volume are also explained. The author concludes his exposition by suggesting the forensic computer examiner should use the software tool Shadow Miner, a tool that automates the forensic examination of Recycle Bin data that has been archived into a shadow volume.

1. INTRODUCTION

In the previous paper (Leschke, 2010), the implementations of the Recycle Bin as found in the Windows XP, Windows Vista, and Windows 7 operating systems were explored. Drastic changes to the Recycle Bin have occurred as it evolved from Windows XP to Windows Vista, but minimal changes to the Recycle Bin were noticed as it evolved from Windows Vista to Windows 7. Users learned that the implementations of the Recycle Bin in Windows Vista and Windows 7 are almost identical to each other. As the Recycle Bin implementations from these three operating systems were explored, those details that were thought to be of greatest interest to the forensic computer examiner were highlighted.

In the previous paper, an overview of the Volume Shadow Copy Service was given. This service plays a very significant role in both Windows Vista and Windows 7. One of the most interesting aspects of the Volume Shadow Copy Service is its ability to create what is known as a “shadow volume”. A shadow volume is a copy of key data that is used by the system to recover from an unstable state, such as after a virus attack or the incorrect installation of a software application or hardware device. Shadow volume data is also used to allow a user to view “previous versions” of a document, and to recover from the accidental modification or loss of data.

In the following pages, the reader will learn (1) an explanation of the Volume Shadow Copy Service, (2) how to identify the shadow volumes that are present within a Windows Vista or Windows 7 system, (3) how to create symbolic links to each shadow volume, and (4) how to analyze the Recycle Bin data that are found in a shadow volume. The discussion will conclude by bringing to light some of the challenges and impossibilities that a forensic examiner faces when trying to conduct a manual, command-line examination of shadow volume data. The discussion ends with the reader being encouraged to use Shadow Miner, a software tool that facilitates the examination of shadow volume data.

2. VOLUME SHADOW COPY SERVICE

The Volume Shadow Copy Service was introduced in Windows 2003 and was known as “Shadow Copies for Shared Folders” (Microsoft, 2003). This technology was not known as the “Volume Shadow Copy Service” until it was included in the Windows Vista operating system, released in 2007. By the time this technology was included in Windows Vista, the Volume Shadow Copy Service had evolved into a much more robust application with a much more prominent role.

The Volume Shadow Copy Service allows for the creation of a backup copy of key data. The process of creating the backup copy is known as taking a “volume snapshot” and the actual backup copy of data is known as a “shadow volume”. Having a backup copy of key data, i.e. system settings, is useful when trying to recover from a virus attack or the incorrect installation of software that has put the computer into an unstable state. In addition to helping the operating system recover from an unstable state, the Volume Shadow Copy Service also makes it possible to work with a previous version of a file and to recover from the accidental modification or deletion of data.

Previously, it was thought that 15% of a volume was set aside by default for storing shadow volumes. However, experimentation with both Windows 7 and Windows Vista systems has resulted in shadow volumes that are only 2-4% of the volume’s size. An explanation for this inconsistency cannot be provided. Regardless of what the default size of a shadow volume is, the amount of space allocated for the storing of shadow volumes can be changed by using the “Vssadmin Resize ShadowStorage” command. (See http://technet.microsoft.com for further details.)

The Volume Shadow Copy Service makes copies of key files and directories at various times, including just prior to installing new software, as well as when a restore point is established. One of the key directories that gets copied as part of the Volume Shadow Copy Service is the $Recycle.Bin. When the $Recycle.Bin is copied by the Volume Shadow Copy Service, the entire contents of this directory appear to be copied. The data that is copied is stored in a “shadow volume”. This “shadow volume” is located on the logical drive volume, in a location that is allocated by the operating system for the storing of backup copies of files. Even if a Recycle Bin is “emptied” and all of its contents are “permanently deleted”, if a shadow copy was made of the Recycle Bin data prior to the Recycle Bin being emptied, then it is still possible to recover Recycle Bin data from the shadow volume. Thus, the forensic examination of Recycle Bin data does not end until the examiner has also examined the backup copy of the data that has been archived into a shadow volume.

As an example of how forensic evidence might be archived by the Volume Shadow Copy Service, consider the following scenario. Suppose there is a malicious user with either a contraband file (child pornography) or a software tool that has been “deleted” (sent to the Recycle Bin), perhaps as an attempt to hide a crime. Now suppose that the user attaches a new USB thumb drive to the computer. Since this is a new USB thumb drive, the operating system will need to install new drivers to support this USB device. When the new drivers get installed, the Volume Shadow Copy Service will be triggered to create a new shadow volume. When this occurs, the contraband image or software tool that is in the Recycle Bin will be copied to a shadow volume. At this point, if the user were to empty his Recycle Bin with the intention of permanently deleting the discarded contraband image or tool, the user may incorrectly conclude that he has removed the only copy of the file that there is. The user would not be aware of the copy of the file that was archived into the shadow volume. Since the only remaining copy of the evidence has been archived into a shadow volume, being able to access the shadow volume is now a critical step in the successful examination of this evidence.

3. VSSADMIN LIST SHADOWS

The successful examination of a shadow volume begins with being able to access the shadow volume. However, before one can access a shadow volume, one must first find out which shadow volumes are actually present within a system. This is easily accomplished by using the command “vssadmin list shadows”. When one types this command at a command-line prompt with Administrator privileges, he or she will see a report that displays the information about the shadow volumes that are found within the system. Figure 1 below is an example of a “vssadmin list shadows” report that was generated on a Vista machine. Highlighted in red is the name of the one “shadow copy volume” that exists on the target machine. The name “\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1” will be used to identify the shadow volume when creating a link to this data blob.

    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Contents of shadow copy set ID: {6bb7123a-61c7-4890-984e-a617f9599a37}
       Contained 1 shadow copies at creation time: 11/5/2009 10:54:16 AM
          Shadow Copy ID: {3b4d5d3d-394a-4fa9-af55-5c8249a9affb}
             Original Volume: (C:)\\?\Volume{1d6e1a07-bf34-11de-b87b-806e6f6e6963}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
             Originating Machine: ForensicExam-PC
             Service Machine: ForensicExam-PC
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: ClientAccessibleWriters
             Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Figure 1

A source that explains each line of the “vssadmin list shadows” report could not be found; however, the material provided by Microsoft (http://technet.microsoft.com) and some independent experimentation have provided some insight. What follows is conjecture to make sense of this report.

The first line of the “vssadmin list shadows” report is most likely the name of the “service” that provides the shadow volume. A service is simply an application that is capable of generating a shadow volume. A service can be written by Microsoft, an independent software vendor, or an individual user. In this case, the line states “vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool”. This line is immediately followed by the Microsoft copyright marking that designates this as a Microsoft application.

The next line of text states “Contents of shadow copy set ID: {6bb7123a-61c7-4890-984e-a617f9599a37}”. This is understood to be the identifier of the shadow volume “copy set”. When shadow volumes are created, they are created in a “set”. A set can consist of one or more shadow volumes. For example, if a computer has two volumes (i.e. two hard drives), a volume snapshot can be taken of both volumes at the same time. The volume snapshots of each of the two volumes are combined in one set which has its own unique identifier. This identifier is the “shadow copy set ID”.

The next line of this report states “Contained 1 shadow copies at creation time: 11/5/2009 10:54:16 AM”. This entry in the report is a time-stamp for when the shadow volume was created. It also specifies that there is only one shadow copy in the set. Since there is only one shadow copy in the set, there is also only one shadow copy listed below this line. The listing of the shadow volume begins with “Shadow Copy ID”, which is followed by a 32-character alpha-numeric unique identifier. Had there been two shadow copies in the set, the report would have stated “Contained 2 shadow copies at creation time…”. Below this line there would have been two entries, one for each shadow volume. Experimentation has shown that if a restore point is created within a Vista machine that has two volumes that are included in the restore point, then the “vssadmin list shadows” report will show two shadow volumes, one for each volume. Furthermore, if, after the two shadow volumes are created, one of the volumes is removed, the “vssadmin list shadows” report will still state “Contained 2 shadow copies at creation time…”. However, since only one shadow volume is currently present, there will only be one entry that states “Shadow Copy ID…”. This illustrates how being able to read the “vssadmin list shadows” report might allow the forensic examiner to recognize that one of the original volumes from a Vista system is missing.

In Figure 1, the Original Volume entry is “(C:)\\?\Volume{1d6e1a07-bf34-11de-b87b-806e6f6e6963}\”. The “C:” is understood to be the letter assigned by the operating system to the particular volume that is the target of the volume snapshot. The remainder of the entry is most likely the unique identifier for that particular volume. This conclusion is arrived at because the string appears to be a set of hexadecimal values that follow the format of a Microsoft Globally Unique Identifier (GUID).

The next entry in the report is the most important for this investigation. It is the “Shadow Copy Volume” entry and it is the identifier of the shadow volume. This name is important because it is used in conjunction with the “mklink” command to create a symbolic link to the shadow volume. An example of the command is provided in Figure 2 below.

The next two entries in the “vssadmin list shadows” report are the “Originating Machine” and the “Service Machine”. A review of the available literature did not reveal what these entries refer to. However, a logical conclusion is that they refer to the “requestor” and the “writer”. A requestor is “An application that requests that a volume shadow copy be taken. A backup application is an example” (Microsoft, 2009). The same source states a “writer” is “A component of an application that stores persistent information on one or more volumes that participate in shadow copy synchronization. Typically, this is a database application like SQL Server, or Exchange Server, or a system service like Active Directory.” If this is the case, then our example “vssadmin list shadows” report (Figure 1) states the “requestor” and the “writer” are the same, the “ForensicExam-PC” machine. Another inference as to what the “Originating Machine” and “Service Machine” refer to is that they refer to the “source volume” and the “storage volume”. According to Microsoft TechNet, the source volume is “The volume that contains the data to be shadow copied” (Microsoft, 2009). On the other hand, the storage volume is “The volume that holds the shadow copy storage files for the system copy-on-write software provider.”

    mklink /d C:\myShadowVolume1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Figure 2
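The steps described above (read the report, take each “Shadow Copy Volume” name, build the Figure 2 command with its trailing backslash) lend themselves to a small script. The Python below is an added example and is neither the paper's nor Shadow Miner's code. It assumes only the field labels and indentation visible in Figure 1; it parses a report into sets and copies, plans one mklink /d command per listed copy, and flags any set whose header counts more copies than are listed, the symptom described above of an original volume having gone missing. The sample report is constructed: its first set is Figure 1 verbatim, while the second set and all of its GUIDs are made up to exhibit that symptom. The link-name prefix myShadowVolume follows Figure 2.

```python
"""Plan mklink commands from a "vssadmin list shadows" report.

Added example: not code from the paper or from Shadow Miner. It assumes
only the field labels and indentation visible in Figure 1. SAMPLE_REPORT is
constructed: the first set is Figure 1 verbatim; the second set (all of its
GUIDs are made up) has a header that counts 2 copies but lists only 1.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {6bb7123a-61c7-4890-984e-a617f9599a37}
   Contained 1 shadow copies at creation time: 11/5/2009 10:54:16 AM
      Shadow Copy ID: {3b4d5d3d-394a-4fa9-af55-5c8249a9affb}
         Original Volume: (C:)\\?\Volume{1d6e1a07-bf34-11de-b87b-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: ForensicExam-PC
         Service Machine: ForensicExam-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {00000000-0000-4000-8000-000000000002}
   Contained 2 shadow copies at creation time: 11/6/2009 9:01:00 PM
      Shadow Copy ID: {00000000-0000-4000-8000-00000000000a}
         Original Volume: (C:)\\?\Volume{1d6e1a07-bf34-11de-b87b-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: ForensicExam-PC
         Service Machine: ForensicExam-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass
class ShadowCopy:
    shadow_id: str
    fields: dict = field(default_factory=dict)   # label -> value, e.g. "Shadow Copy Volume"


@dataclass
class ShadowSet:
    set_id: str
    declared_count: int = 0                       # from the "Contained N shadow copies" line
    creation_time: str = ""
    copies: list = field(default_factory=list)


SET_RE = re.compile(r"Contents of shadow copy set ID:\s*(\{[0-9a-fA-F-]+\})")
COUNT_RE = re.compile(r"Contained (\d+) shadow copies at creation time:\s*(.+)")
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_vssadmin_report(text):
    """Return the report as a list of ShadowSet, each holding its ShadowCopy entries."""
    sets, current_set, current_copy = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SET_RE.match(line):
            current_set, current_copy = ShadowSet(m.group(1)), None
            sets.append(current_set)
        elif (m := COUNT_RE.match(line)) and current_set is not None:
            current_set.declared_count = int(m.group(1))
            current_set.creation_time = m.group(2).strip()
        elif (m := FIELD_RE.match(line)) and current_set is not None:
            label, value = m.group(1).strip(), m.group(2).strip()
            if label == "Shadow Copy ID":
                current_copy = ShadowCopy(value)
                current_set.copies.append(current_copy)
            elif current_copy is not None:
                current_copy.fields[label] = value
        # anything else (the banner and copyright lines) carries no volume data
    return sets


def plan_mklink_commands(sets, link_dir="C:\\", link_prefix="myShadowVolume"):
    """One 'mklink /d <link> <target>\\' command per listed copy (Figure 2 form).

    The trailing backslash on the target is kept on purpose: the text notes the
    command does not execute properly without it. Links are numbered from the
    HarddiskVolumeShadowCopyN suffix so that link name and device agree.
    """
    commands = []
    for s in sets:
        for c in s.copies:
            target = c.fields["Shadow Copy Volume"].rstrip("\\") + "\\"
            m = re.search(r"HarddiskVolumeShadowCopy(\d+)\\$", target)
            n = m.group(1) if m else str(len(commands) + 1)
            commands.append(f"mklink /d {link_dir}{link_prefix}{n} {target}")
    return commands


def find_incomplete_sets(sets):
    """Sets whose header counts more copies than are listed: the text explains this
    is what remains when one original volume of the set has since been removed."""
    return [(s.set_id, s.declared_count, len(s.copies))
            for s in sets if s.declared_count != len(s.copies)]


if __name__ == "__main__":
    report = parse_vssadmin_report(SAMPLE_REPORT)
    for cmd in plan_mklink_commands(report):
        print(cmd)
    for set_id, declared, listed in find_incomplete_sets(report):
        print(f"set {set_id}: header says {declared} copies, {listed} listed")
```

On a real system the input would be the saved output of “vssadmin list shadows”; the commands the script prints still have to be run from an Administrator prompt, and a set reported as incomplete is worth noting in the examination record before any link is created.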


The next entry in the report is the NTFS that points to another “provider”. The provider is the service object. This file-system object appears to that creates the shadow copies. In Figure the user as a normal file or directory. A 1, the provider is listed as 'Microsoft symbolic link is essentially a virtual name Software Shadow Copy provider 1.0'. for a directory (Arehart, 2009). The final two entries in the Symbolic links were designed to provide “vssadmin list shadows” report are the application compatibility with POSIX “” and the “attributes”. A review of operating systems. A user with the available literature did not reveal what Administrator privileges can create a these terms refer to. However, based on symbolic link by using the “mklink” naming convention and how the terms are command as shown in Figure 2. used, it seems that “type” refers to the type of “writer” that was used to create the shadow volume. The “attributes”, on 4.1 THE “MKLINK” the other hand, seems to be the attributes COMMAND for the shadow volume itself. No further The mklink command has the information could be found about either following syntax: of these terms. mklink [switch] [link] [target] 4. ACCESSING SHADOW There are three possible switches VOLUMES that can be used with the mklink Now that a way of identifying command. These switches are “/d”, “/h”, which shadow volumes are present on a and “/j”. The “/d” switch is the default machine has been established, a switch and it is used to create a procedure for accessing these shadow “directory” symbolic link. A directory volumes must be explained. A shadow symbolic link can link objects from volume cannot be accessed through different file systems. This linking traditional Windows tools such as method is the preferred method for Windows Explorer or the command-line linking to shadow volumes. The “/h” prompt. 
This might be because the switch creates what is known as a “hard shadow volume is not part of the link”, which is a link that can only link Windows file-tree structure, or at least, it objects on similar file systems. The “/j” is not part of the file-tree structure that switch is used for creating a directory can be accessed directly by the user. If a “junction.” A directory junction can only user wants to gain access to a shadow be used to link to a directory on a local volume, the user must be able to modify volume. the file-tree structure. This is done by The “[link]” of the mklink creating a “symbolic link”. command specifies the name of the Although symbolic links were first symbolic link that is being created. In the seen in the operating system, they example shown in Figure 2, the symbolic were not made available to the Windows link is called “shadowCopy1”. This is a user until the release of Windows Vista in name that is chosen by the user. 2007. In order for Vista to support The “[target]” specifies the symbolic links, the New Technology File relative or absolute path to what the user System (NTFS) is required. A symbolic wants the link to refer to. In this link is a file-system object within the example, the new link to refer to a 6

shadow volume. If Figure 1 is used as an will be displayed is the $Recycle.Bin example of a shadow volume report, the directory. For a thorough analysis of how name of the shadow volume that the user to conduct the forensic examination of a wants to link to is found after the string Recycle Bin outside of a shadow volume, that states “Shadow Copy Volume” entry. see Leschke, 2010. However, this current In this case, the entry is paper will explain how to examine a “\\?GLOBALROOT\Device\HarddiskVol $Recycle.Bin directory in the context of it umeShadowCopy1”. being one of perhaps many $Recycle.Bin If all of these parts of the mklink directories that have been archived into a command are put together, one will get shadow volume. the command that is found in Figure 2. Notice that a back-slash (“\”) was added to the end of the command. This 5.1 THE QUANTITY OF additional character is needed for the DUPLICATE DATA command to execute properly. One of the first problems that a If the command found in Figure 2 forensic examiner faces when he begins is executed properly, (1) from a the examination of shadow volume data is command-line prompt that has how to manage the large amount of data Administrator privileges, (2) from a that is available. This problem seems to Windows Vista or Windows 7 operating exist because the archiving of shadow system that supports the Volume Shadow volume data appears to multiply the Copy Service, and (3) on an NTFS file amount of forensic data that is available system that supports symbolic links - one for investigation. For example, suppose a should be able to navigate to the C:\ user has deleted a single file and this file directory and find a new directory named has been sent to the $Recycle.Bin “shadowCopy1”. This directory’s icon is directory. 
As explained in the previous distinguishable from the other directory paper, when this file gets sent to the icons because it has a small arrow $Recycle.Bin, it is separated into two files superimposed over the traditional folder (Leschke, 2010). The $R-file is a copy of icon. This arrow suggests to the user that the original file’s contents and the $I-file the associated directory is a “pointer” (a is a file that holds the original file’s symbolic link) to a different location metadata. Thus, the deletion of one file within that computer system. results in there being two files in the $Recycle Bin. 5. $RECYCLE BIN The number of $Recycle Bin files that need to be reviewed by the forensic ANALYSIS examiner becomes even greater because After the command in Figure 2 is the taking of a volume snapshot appears executed, and a symbolic link is created to create duplicate copies of the $Recycle to allow access to the shadow volume, Bin data. For example, suppose a one can access the shadow volume by Windows Vista or Windows 7 is executing the command “ configured to create a volume snapshot C:\shadowCopy1” at a command-line every evening. For every file that is in prompt. Once the user is in this the $Recycle Bin, a copy of that file directory, the command “ /a” can be appears to be made with every volume used to display a listing of the contents of snapshot. Therefore, if a file is sent to the that directory. One of the directories that $Recycle Bin through deletion, that one 7

file becomes two files (an $R-file and an and sent to the Recycle Bin, this file was $I-file). Furthermore, if the operating separated into two files, namely system is configured to take a volume $IY57PWC.txt and $RY57PWC.txt. The snapshot every evening, the $R-file and original file was restored and then sent to $I-file of a deleted file appears to be the Recycle Bin again by deleting it a copied every night. Thus, after 30 nights second time. This time, the file was of making copies by way of the volume separated into the files named snapshot process, the original deleted file $IC1IRLV.txt and $RC1IRLV.txt. can quickly grow into what appears to be Notice that the name of the files changed 60 files (30 copies of the $R-file and 30 even though the content of the file did not copies of the $I-file.) change. This suggests the naming As a real word example; the conventions used for deleted files are not forensic examination of a Vista machine based solely on content. Perhaps the was conducted in which the user deleted deleted file’s name is also based on the about 100 different files. These 100 files file’s metadata (such as its deletion time). quickly grew to 200 files as the original Or, perhaps the file name is purely files were separated into $R-files and $I- random. Whatever the case, it seems files. Furthermore, these 200 files were clear that one cannot determine a deleted archived in a volume snapshot every file’s content based on the name assigned evening for a period of about 30 days. to it by the operating system. Thus, what was once a manageable If we assume the name of the number of files (100), quickly grew into a deleted file (ignoring the “$I” or “$R” mess of about 6,000 $R-files and $I-files. characters that are common to all deleted Being able to manage the great quantity file names) is always 6 characters long, of duplicate data is a concern for the and each character is either a letter of the forensic examiner. 
alphabet or a number between 0 and 9, then each character can be one of 36 5.2 RECOGNIZING possibilities. This means that there are only 366 or 2,176,782,336 possible names DUPLICATE DATA for the deleted files. Thus, if the deleted Another challenge with analyzing file’s name is generated randomly, there Recycle Bin data within a shadow volume is a 1 in about 2 billion chance that any is the inability to quickly recognize two deleted files will have exactly the duplicate data. Because the naming same deleted file name. Furthermore, the conventions used by Windows Vista and accidental duplication of randomized file Windows 7 for deleted file names is names can be avoided by keeping track of unknown, it is not known for certain if which file names are currently in use, and one can assume that two files in the then re-randomizing a file name if a file Recycle Bins of different shadow name is ever duplicated. The probability volumes are identical simply because of having to re-randomize a file name is their names are identical. very low and therefore quite acceptable. A version of this same problem If this scenario is accepted, then one can occurs when files with the same content conclude that the names of the records of have different names. To illustrate this the deleted files (the $R-files and the $I- issue better, a simple text document files) are also unique. Thus, duplicate named “test.txt” with the content “Hello” records can be eliminated based on this was created. When this file was deleted uniqueness. In other words, if the user 8

ever encounters what appears to be However, the theory fell apart multiple copies of the $R-file or $I-file when the contents of the Master File (based on the names of the files), then the Table of the computer was viewed with user can eliminate the extra copies of the EnCase 6.14.3. This tool revealed that files because these are assumed to be only one copy (not three copies) of the duplicates of the same file. $R-file and $I-file existed. Thus, the Unfortunately, this approach is duplication of the $R-file and the $I-file still just a theory and perhaps should not is an illusion. This finding suggests that be embraced too strongly. It is a theory there is only one copy of the $R-file and that offers great confidence, despite the the $I-file, and each shadow volume fact that it has not yet been proven might have its own “pointer” to that one correct. copy. This pointer can make the $R-file and $I-file appear to be in each shadow volume when in fact there is just one copy 5.3 THE ILLUSION OF of these files. Thus, the duplication of “DUPLICATE” DATA data is really just an illusion that is Experimentation has shown that created by the operating system and despite what appears to be duplicate perhaps contributed to by how symbolic records of deleted files being maintained links are used for inspecting each shadow in different shadow volumes, this data volume. really is not duplicated at all. It is an illusion. It is a false presentation that 5.4 THE NEED FOR A seems to be made by the operating system. This conclusion is arrived at after NEW SOFTWARE TOOL having conducted the following As was just explained, there are experimentation. several issues with conducting a manual A file was deleted, which created examination of shadow volume data. For an $R-file and $I-file in the $Recycle.Bin one, the great volume of data makes a within the user profile that is associated manual examination too time-consuming with deleting the file. Three restore- to be practical. 
Second, the amount of points were created, which was theorized duplicated data merely adds to the should result in a backup copy of the $R- frustration of conducting a manual file and $I-file being archived into each of examination of the data. These issues are the three shadow volumes. Thus, it was best handled with a software tool that can expected that there would be three actual quickly “hide” duplicate data so that each copies of the $R-file and three actual file only has to be inspected once by the copies of the $I-file, one of each in each forensic examiner. of the three shadow volumes. The In addition to the issues that were shadow volumes were accessed by way of previously mentioned, there is also the symbolic links that were created by using issue of identifying identical files. For the “mklink” command as described in example, if the subject of an investigation section 4.1. Upon inspection of each of made several copies of an illicit picture, the three most recently created shadow and then “deleted” each copy of this volumes, it appeared as if each of these picture, sending each of the deleted shadow volume had its own copy of the copies to the Recycle Bin, there would be $R-file and $I-file. This was exactly as duplicate copies of the same file in the expected. Recycle Bin; but each deleted file would 9

have different $R-file and $I-file names. while Shadow Miner is executed from a The duplication of these files might best CD that is in this virtual machine’s CD be discovered by matching the file’s MD5 drive. Future versions of Shadow Miner values. Although it is possible to are not expected to require the evidence manually run an MD5 program against to be bootable. Efforts are being made to every file in a Recycle Bin and then allow Shadow Miner to be run from a compare the MD5 values manually, this is Vista examination station while the still a task that is best automated with a evidence being examined is attached to software tool. that station by way of FireWire and a In conclusion, because of many of write-blocking device. the issues that face a forensic examiner, One of the restrictions for using whom is conducting a manual Shadow Miner is that it can only be used examination of the Recycle Bin data that with operating systems that support is found within the Windows 7 and persistent shadow volumes and the Windows Vista shadow volumes, the “vssadmin list shadows” command. The reader must agree that a tool to assist in only operating systems that meet this this type of examination would be greatly requirement are Windows Vista and appreciated. This need for an automated Windows 7.2 tool was the motivation behind the When Shadow Miner runs, it development of Shadow Miner. executes the command “vssadmin list shadows” via a batch file, and the report 6. SHADOW MINER that is generated is redirected to a In response to the need for an which is stored at location that is automated tool for doing examinations of determined by the Shadow Miner settings. shadow volumes, the Defense Cyber The selected location for this text file is Crime Institute has begun development of usually a shared directory on the a software tool known as Shadow Miner1. examination station. 
This tool automates the process of generating the “vssadmin list shadows” report, and then uses the results of this report to create symbolic links to the shadow volumes that are present within the target environment.

In order to run the current version of Shadow Miner (v. 1.0), the software tool needs to be executed from within a virtual copy of the evidence that is being examined. The current version of Shadow Miner has been found to work when an image copy of the evidence is booted with LiveView and VMware.

¹ Shadow Miner is currently under development and is not available for general use. When Shadow Miner is fully developed, it is expected to be accessible through the National Repository for Digital Forensic Intelligence (https://www.nrdfi.net).
² Only the Ultimate version of each operating system has been tested.

Once the text file is generated, Shadow Miner parses the data in this file to get the names of each shadow volume. Another batch command is executed that creates the symbolic links to these shadow volumes. Once these symbolic links are created, accessing the data within these shadow volumes is as easy as traversing a typical Windows file structure.

Although there are several analytical tools that are built into the current version of Shadow Miner, the one that is the most relevant for this discussion is the Recycle Bin analysis tool. This tool displays the contents of the $Recycle.Bin directories for all of the user profiles that have been archived into shadow volumes by the Volume Shadow Copy Service. The user has the option of viewing the Recycle Bin data associated with just one user, or viewing the Recycle Bin data from several users at the same time. Furthermore, the user can view all of the shadow volumes at once or select a subset of shadow volumes to review. The design of the tool makes it easy for the forensic examiner to perform meaningful analysis on the Recycle Bin data.

Shadow Miner displays Recycle Bin data in columns, and this data can be further sorted to support analysis. One of the most interesting columns is the column that holds the original name of the file that was deleted. This data is obtained from the $I-file that is associated with the original file’s deletion. Since file names are usually very descriptive and often reflect the contents of the file, being able to do a quick review of the original file names is often very useful for the forensic examiner. Thus, the column that holds these original file names is expected to be of great interest for the forensic examiner.

When the forensic examiner finds a Recycle Bin file that needs to be inspected further, he or she can use a special Shadow Miner tool that allows the user to copy the selected file to the examination station for analysis. Because each “deleted” file is separated into a $R-file and a $I-file when it gets sent to the Recycle Bin, these files need to be examined together. Therefore, these two files are paired up by Shadow Miner before they are copied to the examination station for review. When these two files are copied out, Shadow Miner includes a small text file that provides useful information about the original deleted file, including where the file was found within the evidence computer, when the file was created, when the file was deleted, and which user profile is associated with that file. This information is included by Shadow Miner because it is often needed by the prosecution when trying to obtain a successful conviction. Shadow Miner also updates the user interface to show which files have been copied to the examination station for review. This helps the forensic examiner keep track of which files still need to be reviewed.

Shadow Miner further supports the analysis of Recycle Bin data by providing tools that allow the forensic examiner to mark which files are “relevant” and “not relevant”. “Relevant” file names are displayed in green and “not relevant” file names are displayed in red. A separate column entry also allows the examiner to sort files based on relevancy. Additional analysis tools allow the examiner to unmark previously marked files, as well as hide and unhide file names for easier analysis.

7. CONCLUSION

As this discourse comes to a close, the reader will recall that it began with an investigation into the Volume Shadow Copy Service. This Windows operating system service is responsible for taking “volume snapshots” of key data and storing this data in what is commonly known as a “shadow volume”. These shadow volumes are found by using the “vssadmin list shadows” command. Once the shadow volumes are located, the “mklink” command is used to create symbolic links that can be followed to access each shadow volume. From this point, accessing the contents of each shadow volume is as simple as traversing a traditional Windows file system.

Once a forensic examiner is able to access a shadow volume, he or she must then address the issues that arise from doing a shadow volume forensic examination. As was previously stated, he or she must deal with (1) the great volume of data, (2) the great amount of duplicated data, and (3) the need to identify files that have a common MD5 hash value. It was determined that these issues are best handled by an automated tool that is designed specifically for this task. The tool that was introduced to handle these issues is Shadow Miner – a tool developed at the Defense Cyber Crime Institute.
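The two batch steps that Shadow Miner automates in the section above (parsing the “vssadmin list shadows” report, then issuing one “mklink” per shadow volume), written out as an added Python example; this is not Shadow Miner's code. The report text is constructed to mimic the Windows 7 vssadmin layout with placeholder GUIDs and machine name, and the link root C:\shadow_links is an assumed location.

```python
# Constructed sample of a "vssadmin list shadows" report in the Windows 7
# layout. GUIDs and the machine name are placeholders, not real values.
SAMPLE_REPORT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 12/1/2009 8:15:22 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EVIDENCE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 12/8/2009 9:02:41 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: EVIDENCE-PC
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""

def parse_vssadmin(report: str) -> list:
    """Return one record per shadow copy: the drive it snapshots, the
    creation time as vssadmin prints it, and the device path mklink needs."""
    shadows, current = [], {}
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Contained"):            # start of a shadow copy set
            current = {"created": line.split("creation time:", 1)[1].strip()}
        elif line.startswith("Shadow Copy ID:"):
            current["id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Original Volume:"):
            current["drive"] = line.split("(", 1)[1].split(")", 1)[0]   # e.g. "C:"
        elif line.startswith("Shadow Copy Volume:"):
            current["device"] = line.split(":", 1)[1].strip()
            shadows.append(dict(current))           # a set may hold several copies
    return shadows

def mklink_commands(shadows: list, link_root: str = r"C:\shadow_links") -> list:
    """One 'mklink /d' per shadow volume. The trailing backslash on the device
    path is required; without it the link cannot be traversed in Explorer or dir."""
    return ["mklink /d %s\\vss%d_%s %s\\" % (link_root, n, s["drive"][0], s["device"])
            for n, s in enumerate(shadows, 1)]
```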
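The $I/$R pairing and the $I metadata that Shadow Miner reports (original path, deletion time, size), together with the common-hash duplicate problem named in the conclusion, as an added Python example that is not Shadow Miner's code. It assumes the Windows Vista/7 $I layout (8-byte version header, 8-byte size, 8-byte FILETIME, fixed 260-character UTF-16LE path); the directory listings are constructed in memory to stand in for the $Recycle.Bin\<SID> folders of two shadow volumes, and MD5 is used because the paper names it.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def parse_i_file(data: bytes) -> dict:
    """Decode a Vista/7 $I record: version 1, size, FILETIME of deletion, path."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version != 1:                      # later Windows versions changed the layout
        raise ValueError("unsupported $I version %d" % version)
    path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    deleted = EPOCH_1601 + timedelta(microseconds=filetime // 10)  # 100 ns ticks
    return {"size": size, "deleted": deleted, "original_path": path}

def build_i_file(size: int, deleted: datetime, path: str) -> bytes:  # constructed fixture
    ticks = int((deleted - EPOCH_1601).total_seconds()) * 10**7
    return struct.pack("<QQQ", 1, size, ticks) + path.encode("utf-16-le").ljust(520, b"\0")

def pair_recycle_bin(listing: dict) -> list:
    """listing maps file name -> content for one $Recycle.Bin\\<SID> folder.
    $Ixxxxxx.ext carries the metadata and $Rxxxxxx.ext the data; an $I whose
    $R partner is missing is left out because it cannot be examined together."""
    records = []
    for name, data in listing.items():
        r_name = "$R" + name[2:]
        if name.startswith("$I") and r_name in listing:
            rec = parse_i_file(data)
            rec["md5"] = hashlib.md5(listing[r_name]).hexdigest()
            records.append(rec)
    return records

def dedupe_across_shadows(shadows: dict) -> dict:
    """shadows maps a shadow-volume link name -> its $Recycle.Bin listing. The
    same $R content archived in several snapshots is reported once, keyed by
    MD5, with the list of volumes it was seen in."""
    seen = {}
    for volume, listing in shadows.items():
        for rec in pair_recycle_bin(listing):
            seen.setdefault(rec["md5"], {**rec, "volumes": []})["volumes"].append(volume)
    return seen

# Constructed sample: one document archived in two snapshots, a second file
# present only in the newer snapshot, and an $I record whose $R is gone.
T0 = datetime(2009, 12, 14, 15, 30, tzinfo=timezone.utc)
DOC = b"constructed document body"
SHADOWS = {
    "vss1_C": {"$IABC123.docx": build_i_file(len(DOC), T0, r"C:\Users\alice\Documents\q3.docx"),
               "$RABC123.docx": DOC},
    "vss2_C": {"$IABC123.docx": build_i_file(len(DOC), T0, r"C:\Users\alice\Documents\q3.docx"),
               "$RABC123.docx": DOC,
               "$IXYZ789.txt": build_i_file(5, T0, r"C:\Users\alice\notes.txt"),
               "$RXYZ789.txt": b"hello",
               "$IQQQ000.txt": build_i_file(1, T0, r"C:\Users\alice\orphan.txt")},
}
```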


REFERENCES:

Arehart, C. (2009). “Symbolic links on Windows: why and how.” http://bluedragon.blog city.com/symbolic_links_on_windows_why_and_how.htm (accessed December 14, 2009).

Leschke, T. R. (2010). “Cyber Dumpster Diving: $Recycle Bin Forensics for Windows 7 and Windows Vista.” Presented at the Department of Defense Cyber Crime Conference 2010.

Microsoft (2003). “Introduction to Shadow Copies of Shared Folders.” http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx (accessed December 23, 2009).

Microsoft (2009). “How Volume Shadow Copy Service Works.” http://technet.microsoft.com/en-us/library/cc785914%28WS.10%29.aspx (accessed December 14, 2009).
