I recently had to analyze a Windows 7 system’s Volume Shadow Copies (VSCs) that were stored on a Virtual Machine Disk (VMDK) as part of an advanced-level DC3 challenge exercise. While there are a few great resources out there regarding forensics and VSCs, most of these methods use Windows workstations or commercial tools for conducting an examination.
More often than not I’ve found the aforementioned methods limiting, their success either hit-or-miss. I’ve been looking for open source alternatives for VSC analysis that work on my Linux workstations.
While reading the Malware Analyst’s Cookbook section entitled “[w]orking With Virtualbox Disk and Memory Images,” I decided to convert the VMDK the DC3 provided to VHD using VBoxManage. Harlan Carvey’s post entitled, “How to Mount and Access VSCs” also helped me understand VHDs and how they were used in forensics. But for some reason I couldn’t mount my VHD properly in Windows using his approach. After re-converting the VHD to every major image file type, I decided to go with a libvshadow approach that tackled both the VMDK conversion and provided the ability to analyze the evidence on my Ubuntu box.
Knowing I needed to convert the VMDK provided into some kind of usable format, I set out to find the best guide to mounting VSCs. EpyxForensics has a terrific guide to this entitled,“Mounting Shadow Volumes in Linux Ubuntu 12.04” (see “Resources” below).
Using the EpyxForensics approach, I was able to both mount the virtual disk and extract the data I needed in a fast and efficient way. I’ve tweaked some of those methods below to suit my needs for the challenge and I’m more than pleased with the results. Although you – the reader –may not be using VMDKs, using libvshadow to analyze VSCs is extremely beneficial and worth trying.
What follows is my experiences with the 2013 DC3 Forensics Challenge as well as my methodology on the Volume Shadow Copy exercise.
Why Shadow Copy Analysis?
Without re-quoting every single resource on the topic I’ve read, VSCs provide a great way for examiners to see a system up to the time of a snapshot. This snapshot is a sort of time machine that can be crucial in understanding the intricacies of user activity on the system.
Volume Shadow Copy analysis is also an interesting avenue if other anti-forensics techniques were used. Smart criminals can cover their tracks by wiping Prefetch, using encryption, scripting tools to sanitize registry keys, use timestomp to control timestamping, perform drive wipes, tamper with MFT records or other anti-forensics measures.
Snapshot and backup examination techniques are often left out by forensics suites. All too often developers of such suites are left playing “catch up” when adding new features to their tools. But criminals are people too; sometimes the convenience of having a backup outweighs the desire to hide data. Enter VSCs.
An example could be a snapshot that was created after the installation of a new program. The user may not be aware that VSC is being created to begin with. Once created, the snapshot may contain unencrypted copies of files that were later encrypted. Other artifacts important to your case may also reside within copies.
It goes without saying that I found this DC3 VSC to be extremely rewarding. While I can’t give actual exercise questions or case files, I’ve tried to outline the steps I used below.
Installing VBoxManage & Sleuthkit 4.0.2
On Ubuntu I was able to install the required tools automatically with APT:
For Sleuthkit you can: sudo apt-get install sleuthkit
For VBoxManage you’ll need Oracle VM Virtualbox:
sudo apt-get install virtualbox
Linux: VMDK to RAW
To convert a VMDK to a RAW/dd image you can:
VBoxManage clonehd vdisk.vmdk newvdisk.dd –format RAW
The percent status of the conversion will keep you informed as to the status of the conversion.
Windows: VMDK to RAW (QEMU)
The alternative to the linux method in Windows is to use the QEMU Windows Binaries. Due to a lot of misinformation on the subject, I’ve included the method used for performing the conversion on Windows below.
With QEMU installed on Windows, navigate to your QEMU folder (or if you have it in path), open a cmd shell. We can use qemu-image to convert the VMDK to the desired format:
qemu-img convert -f vmdk shadows.vmdk shadows.raw
Determining Offset of Partition
Calculating an offset is fairly straightforward if you’ve used linux for forensics in the past. First see the partitions and their starting locations with:
mmls newvdisk.dd
Multiply the starting point with the sector size (usually 512, mmls reports this when you run the command). The resulting number will be what we use to target the NTFS partition on the image. This is important if the image represents a physical whole disk or multi-partitioned system. In my case, it simply represented one partition on which resided the critical files. My working offset was 65536, the subsequent mount would look like:
sudo mount -t ntfs -o ro,offset=65536 shadows.dd /mnt/evidence
Take a peek inside with:
cd /mnt/evidence/System\ Volume\ Information/; ls -la
For those that don’t know the format of VSCs, check the MSDN article here. We see the identifying GUID and unique set IDs. This is a great way of gauging where to focus your efforts.
libvshadow by Joachim Metz is an excellent tool for conducting a deeper analysis of shadow copies. We’ll set up the tool’s requirements and set it up from its latest source below.
libvshadow
Install the requirements:
sudo apt-get install libfuse-dev
Install libvshadow’s latest source and unpack it, configure and make install.
To get basic information about the VSCs, we can use vshadowinfo with the following syntax:
vshadowinfo -o [offset] [image]
The order of shadows listed is also neat. The top store will be the furthest back in time while the latest would be the last (kind of self-explanatory but you probably know that I enjoy being long winded online). The listing also helped me answer a number of temporal questions in the exercise. This information can correspond with your case’s timeline so examining the output is critical.
The output looks like:
vshadowinfo 20131003
Volume Shadow Snapshot information:
Number of stores: 4Store: 1
Identifier : e132d30a-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : f24f1ec4-e556-473f-b8dd-3417944d613d
Creation time : Jun 22, 2011 17:26:18.953125000 UTC
Shadow copy ID : 4db4b198-10bf-412a-8168-82aab3ad66e5
Volume size : 2144337920 bytes
Attribute flags : 0x0042000dStore: 2
Identifier : e132d310-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : 7d330a7f-eaaa-47e6-a7ae-ec586cb60705
Creation time : Jun 22, 2011 18:11:35.484375000 UTC
Shadow copy ID : a3de8297-e174-4cc6-af1e-14b97b228b91
Volume size : 2144337920 bytes
Attribute flags : 0x0042000dStore: 3
Identifier : e132d31d-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : ca46eac5-70eb-4c53-a21a-b6a6b66ba245
Creation time : Jun 22, 2011 18:15:52.140625000 UTC
Shadow copy ID : 94d3e514-62db-4dd2-89e1-7ff3810bb861
Volume size : 2144337920 bytes
Attribute flags : 0x0042000dStore: 4
Identifier : e132d322-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID : 31f43d93-881f-43b2-bd40-86133cba47d7
Creation time : Jun 22, 2011 18:19:45.484375000 UTC
Shadow copy ID : 2740b68b-cdb2-4c13-a535-f2f6f1ecb352
Volume size : 2144337920 bytes
Attribute flags : 0x0042000d
But what if you need access to the actual data within the shadow copy? The EpyxForensics post told me about a great utility in libvshadow, vshadowmount. This awesome feature allows you to select which VSCs to mount with traditional linux mountings. It does this by allowing you to mount the partition by offset on the image and mount each store individually (the latter is the amazing part).
sudo vshadowmount -o 65536 shadows.dd /mnt/vssvolume
To mount each store individually (if you know what time frame you are working with), you can:
sudo mkdir /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1
There were 4 VSCs to mount in the exercise (as seen in /mnt/vssvolume). To mount them you could also create a bash or Python script to do it for you automatically. I ran the commands by hand for each store. Tedious but I like having control over what’s going on. The not-so-simplified version looks like this:
sudo mkdir /mnt/vss1; mkdir /mnt/vss2; mkdir /mnt/vss3; mkdir /mnt/vss3; mkdir /mnt/vss4; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss2 /mnt/vss2; sudo mount -o ro /mnt/vssvolume/vss3 /mnt/vss3; sudo mount -o ro /mnt/vssvolume/vss4 /mnt/vss4
If you want to find a particular file that’s pertinent to your case, you can do that with the find command (find -name [file]*). You can also view the shadow copies from your desktop environment’s built in file manager as you can with any mounted device in Linux (this helps with viewing thumbnails of JPGs captured in the shadow copy).
Another good find trick is to use the –mtime [day] option to find files that were modified after a certain amount of days in the past. Or use your favorite regular expression against the mounting to find specific pieces of information.
Since the primary questions dealt with timestamps I set up Phil Harvey’s ExifTool and ran it against the desired files within the copies. Obviously you can also use this tool to acquire metadata timestamps residing within the file’s themselves (such is the case with artifacts like LNK files).
Shadow Explorer
The only tool I really don’t like using is Shadow Explorer for Windows. It may be a fine tool for general VSC work but I don’t see it as useful in forensics. This is a personal opinion and I know many great examiners that use it regularly. I certainly mean no disrespect to the tool’s author. I’d try it if you are limited to working on a Windows forensics workstation but much prefer using a Linux-oriented approach.
My main reason for disliking Shadow Explorer is that it doesn’t seem to work with virtual mountings (FTKi mountings set physical or logical, ImDisk, Winmount, etc). The author recommends enabling system protection on devices so that they appear in Shadow Explorer but this isn’t an option for as I’m concerned.
Closing Remarks
The solution above worked for me and fulfilled my needs on the challenge but this approach isn’t the only approach. I’ve created a list of VSC references below in hopes of helping others find a solution they’re comfortable with. Feel free to submit your own site or article by emailing me at adam [at] forensicsblog.org — I’ll add it to the list.
Lastly I should note that the methods I’ve described above are not new or Earth shattering, libvshadow is used by other examiners. It’s simply new to me, now it’s also my method of choice.
DC3 Challenge Exercises Completed
The forensics challenge was hosted by the DoD Cyber Crime Center (DC3) and was a terrific experience for me considering I’m relatively new to forensics (the challenges are similar to online jeopardy style CTF). While there will be other challenges, this will likely be the DC3’s last. This is really unfortunate news: nothing reinforces infosec skills like challenges and competitions. I have yet to see a forensics-specific competition that has as much scope and depth as the DC3 Forensics Challenge.
I got into the challenge during its last month by running solo and without a boost from the missed bonus rounds. Despite these set backs, I did manage to get in the Grand Champion category with pretty good standing in both the Overall Civilian and the U.S. Overall categories. I’m proud of this, I did much better than I thought I would. While it doesn’t make me an authority on digital forensics (I’m not), I’d be glad to write about other exercises attempted.
Special thanks to the DoD Cybercrime Center (DC3) and the Air Force Office of Special Investigations (AFOSI) for hosting such a cool event for civilians and military personnel alike. I’m in no way affiliated with and/or endorsed by AFOSI or DC3.
Resources
There’re a lot of good resources out there regarding Volume Shadow Copies. Many of which are written for examiners by examiners. Anyone interested in VSS or VSC analysis should definitely check them out:
“Mounting Shadow Volumes in Linux Ubuntu 12.04” by EpyxForensics.
“Ripping Volume Shadow Copies – Introduction,” Journey Into Incident Response (blog) by Corey Harrell – note: his entire VSC series is really terrific.
“Shadow Timelines and Other VolumeShadowCopy Digital Forensics Techniques with Sleuthkit on Windows,” SANS Computer Forensics Blog by Rob Lee
“Accessing Volume Shadow Copies,” by Harlan Carvey
“Mount shadow volumes on disk images,” forensicswiki.org (site lists various methods)
“Into the Shadows,” forensic4cast, by Lee Whitfield
libvshadow’s Project Page: http://code.google.com/p/libvshadow/
“How Volume Shadow Copy Service Works,” TechNet (Microsoft)
“Volume Shadow Copy Service,” MSDN on VSS and how it works
“Volume Shadow Copy System Restore” (VSS FAQs) by Tomasz P. Szynalski
“Volume Shadow Copy Forensics.. cannot see the wood for the trees?” by Richard Drinkwater, FFTSF blog
“Examining Volume Shadow Copies – The Easy Way!” by Simon Key, Digital Forensics Today (EnCase/Guidance Software) – note: this piece is very interesting and helps explain what’s going on behind the scenes when snapshots are taken. It also discusses the EnCase PDE approach to analyzing them.