An Overview: Windows Volume Shadow Copies
Next up in our Windows Forensic Essentials Blog Series is a look at Volume Shadow Copies. Looking for other blog posts in this series? We have great information on Event Logs, and the Windows 10 Recycle Bin and Jump Lists.
Despite being around since the halcyon days of Windows Vista, there is still a lot of questions surrounding the Volume Shadow Copy Service. Further some confusion has been expressed on the difference between a Volume Shadow Copy (VSC) and System Restore Points (SRP) available previously on Windows XP.
Difference Between Volume Shadow Copies and System Restore Points
System Restore Points that were available on Windows XP allowed users to restore the Windows System back to a particular point in time. This was accomplished because the service would generate a “Restore Point” just prior to installing a new piece software, or a system update. Let’s be clear about this service, it was designed to restore only the operating system, not user files.
Conversely, the Volume Shadow Copy service performs a snapshot of the system at a given point in time. This includes user created files and folders. As such, the Volume Shadow Copy will allow a user to revert to a previous version of a file or folder, not just restore the system.
So How Does it Work?
In general terms, Volume Shadow Copies are created for Windows 7 on a weekly basis, or when new software or system updates are added. These snapshots are stored locally, at the root of the Windows volume in the System Volume Information folder.
Being that they are stored locally one would think that Volume Shadow Copies present a problem of gobbling up storage on your computer. Not true, Volume Shadow Copies are limited to 5% of the volume space in Windows 7. This is because the service works at the block level, recording every block that has changed, and backing up only the blocks that are being modified. Hence it is an efficient process. Learn more about the service in detail.
Using Volume Shadow Copies in Examinations
Volume Shadow Copies generally require additional processing in order to access the data. This is not possible in all cases, due to the increased processing time and the time constraints that most forensic labs face.
However, when deleted files of an evidentiary value are discovered an examiner may want to look at what was going on with the system at that particular point in time. The genesis of a document may be of value, so determining how a document has changed may be beneficial to the examination.
Further, as Volume Shadow Copies are snapshots of the system, examiners can track changes to a user’s registry (NTUSER.dat) or to files and databases associated with applications on the system (for example databases in “Peer To Peer” file sharing cases).
Remember that Volume Shadow Copies are volume snapshots and it has been said that each one potentially mirrors the active volume. So, be wise when choosing to process Volume Shadow Copies.
Figure 1: Choosing Volume Shadow Copy processing in BlackLight
Now that the Volume Shadow Copies have been processed, there is a ton of data to wade through. Focusing attention on a particular point in time may be the best way to organize your analysis.
Figure 2: Focusing on a Volume Shadow Copy to analyze
Finding files that are deleted from the active volume but captured by a Volume Shadow Copy is a plus.
Figure 3: These files are being shown in the active volume, but are deleted and have been captured in a Volume Shadow Copy
Figure 4: Viewing information about the deleted picture
In this instance we know that the file was on the active volume on November 24, 2015 at 15:50:17 UTC because it is contained in that particular Volume Shadow Copy. This can be used as a marker in determining what happened to that file.
Further, these files are HASHED and therefore can be compared to hash sets of the examiner’s choosing.
There is little doubt that most examiners will need to, at one time or another, analyze a case that involves Volume Shadow Copies. Working smart and using your tool efficiently can save time, resulting in better and more accurate examinations.
forensics research and development, and corporate investigations, our team understands forensics. Digital Forensics is more challenging than ever before due to advancements in technology. The BlackBag Team exists to find solutions for these challenges, thereby empowering our customers to seek, reveal, and preserve the truth.Meet some of our experts at https://www.blackbagtech.com/company/our-team/