Viewing Volume Shadow Copies in BlackLight

BlackLight 2016 R1 includes many powerful new features to assist in conducting MS Windows system examinations. These features can have a crucial impact on digital forensics, and one of the most important is the parsing of Volume Shadow Copies (VSCs). In this entry we’ll take a look at VSCs’ significance in investigations and demonstrate how to view and work with VSCs in BlackLight.

The Importance

Volume Shadow Copies are a feature of Microsoft Windows, and essentially, they allow a user to create a snapshot backup of his or her system. From a forensic standpoint, these backups might prove extremely important, as they may contain files that the user believes he or she has permanently deleted. Also, Volume Shadow Copies offer a means of saving versions of a file. Comparing file versions between the active file system and VSCs may reveal items changed between backups.

Using BlackLight, examiners are able to review the contents of Volume Shadow Copies created by Windows systems from Vista to present, and view them within the same file paths the original user would have seen on his or her system. Rather than merely allowing examiners to view Volume Shadow Copy contents in one rigid, static view, BlackLight affords multiple ways to analyze the VSC contents in a practical and intuitive fashion.

Running Advanced Processing Options

In order for the contents of a Volume Shadow Copy to be parsed and displayed, advanced processing options must first be run on the volume. Let’s focus on that first.

Whenever an examiner adds a disk image to a BlackLight case, the ‘Evidence Selection’ window appears. This, of course, is nothing new. But with BlackLight 2016 R1 one will see a new ‘Advanced Processing Options’ section in the ‘Evidence Selection’ window.

Here the examiner is presented with various processing options, but for purposes of this article we are only concerned with the parsing of Volume Shadow Copies. Select the checkbox for that option, and remember that doing so will only yield results for an applicable Windows volume. Select the OK button when finished.

Note: If the examiner does not check the Advanced Processing Options checkbox when first adding a disk image to a case, he or she still has the option to run the advanced processing later from the ‘Evidence Status’ view by selecting the Run button under the ‘Advanced’ column.

Viewing Volume Shadow Copies

Now that we’ve gotten the advanced processing out of the way, any available Volume Shadow Copies are ready to be analyzed.

In the ‘Browser’ view, BlackLight displays a Volume Shadow Copy version of a file with a VSC icon. For example, in the following screenshot the upper file is the version from the active file system, while the lower file is a version from a Volume Shadow Copy.

[Screenshot: viewing-volume-shadow-copies-2]

Here’s an example of an Excel (.xls) file that has a version contained in a VSC. The VSC version of the file is selected, and the Preview tab is chosen in the ‘File Content Viewer’ in order to see the file contents.

In either the ‘Browser’ view or ‘File Filter’ view, double-click any file that is, or has, a Volume Shadow Copy version, and a separate ‘File History’ window appears. In this window all Volume Shadow Copy versions of a file can be further analyzed. Versions can also be compared for differences in content, metadata and hash values.

Special Fonts in the Browser View

Keep in mind that for NTFS and FAT volumes, BlackLight scans the MFT for records of files/folders that no longer exist in the active file system. Files/folders whose sectors on disk still contain data are shown in red italic font in the ‘Browser’ view, indicating the file/folder was deleted but the space it was occupying has not yet been overwritten. Files/folders whose sectors on disk are empty or belong to another file are shown in gray strikethrough font, indicating the file was deleted and the space has been overwritten. Gray font (without strikethrough) simply denotes that a file/folder has a hidden attribute set by the OS, meaning the file/folder would be hidden from a user during regular browsing.

Now things get even more interesting, especially if you’re wondering what this brief aside about special fonts has to do with the topic of Volume Shadow Copies. In the ‘Browser’ view, files that exist in a Volume Shadow Copy but not in the parent volume are shown in red strikethrough italic font, indicating the file was deleted from the active file system but a version remains in one or more Volume Shadow Copies.

So, with BlackLight we have the ability to see the artifacts contained in their proper path location, and if the meanings of the special fonts are understood, we can recognize valuable information about file versions with just a glance.

Volume Shadow Copy File Filter

The ‘File Filter’ view now includes a Volume Shadow Copy filter option, which has three option modifiers:

  • only files with a VSC version (default)
  • only files without a VSC version
  • files with or without a VSC version

As noted above, in either the ‘File Filter’ view or ‘Browser’ view, the examiner can double-click any file that is, or has, a Volume Shadow Copy version, and a separate ‘File History’ window appears. In this window all Volume Shadow Copy versions of a file can be further analyzed.

If the examiner wishes to view only a single Volume Shadow Copy’s data, this can be done by right-clicking (or Control-clicking) the Windows volume in the ‘Component List.’ A contextual menu appears. Select [Browse Alternate Version…] from the menu and choose the specific Volume Shadow Copy that is desired. The same method is used to switch back to viewing the active volume.

When viewing a specific Volume Shadow Copy, only Internet data, media, communications, ‘Actionable Intel’ view data, etc. related to that Volume Shadow Copy are seen in the various BlackLight views. The VSC icon remains next to the volume in the ‘Component List’ as a visual reminder.

Volume Shadow Copies in Searches

Volume Shadow Copies can also be included in searches. With BlackLight 2016 R1 one will see a new Search VSC Files option in the ‘Search’ view (circled in red in the following screenshot).

[Screenshot: viewing-volume-shadow-copies-10]

Activate the Search VSC Files checkbox to include Volume Shadow Copies in a search. Note that this option will only have an effect if the searched volume(s) have Volume Shadow Copies available, and only if those Volume Shadow Copies have been processed in the current case. For details see the ‘Running Advanced Processing Options’ section above.

By default, BlackLight deduplicates search hits across multiple Volume Shadow Copies, returning a hit on the oldest Volume Shadow Copy version if others have the same hash value. If a Volume Shadow Copy and primary file have the same hash, both the primary file and oldest Volume Shadow Copy version will be included in search hits, providing the file modification times differ.
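
The deduplication rule described above, written out as an added Python example (this is not BlackLight's own code). It assumes that versions are matched on file path plus content hash, and that when the active file and a Volume Shadow Copy version share both hash and modification time only the active file is reported; the Hit record and all sample values are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Hit:
    path: str
    digest: str              # content hash of the matching version
    mtime: str               # file modification time, ISO 8601 UTC
    snapshot: Optional[str]  # VSC creation time; None = active file system

def dedupe_hits(hits):
    """Apply the deduplication rule from the text to a list of search hits."""
    groups = defaultdict(list)
    for h in hits:  # assumption: versions are matched on path + content hash
        groups[(h.path, h.digest)].append(h)
    kept = []
    for versions in groups.values():
        primary = next((h for h in versions if h.snapshot is None), None)
        shadows = [h for h in versions if h.snapshot is not None]
        oldest = min(shadows, key=lambda h: h.snapshot) if shadows else None
        if primary is None:
            kept.append(oldest)  # file only survives in VSCs: oldest copy wins
        else:
            kept.append(primary)
            # Same hash in the active volume and a VSC: the oldest VSC hit is
            # kept too only when the modification times differ (assumption:
            # identical times collapse to the active file alone).
            if oldest and oldest.mtime != primary.mtime:
                kept.append(oldest)
    return kept

# Constructed sample hits (paths, hashes and times are made up).
SAMPLE = [
    Hit("/Users/a/budget.xls", "aa11", "2016-03-10T09:00:00Z", None),
    Hit("/Users/a/budget.xls", "bb22", "2016-02-20T14:00:00Z", "2016-03-01T02:00:00Z"),
    Hit("/Users/a/budget.xls", "bb22", "2016-02-20T14:00:00Z", "2016-03-05T02:00:00Z"),
    Hit("/Users/a/notes.txt", "cc33", "2016-02-25T08:30:00Z", "2016-03-05T02:00:00Z"),
    Hit("/Users/a/notes.txt", "cc33", "2016-02-25T08:30:00Z", "2016-03-01T02:00:00Z"),
    Hit("/Users/a/report.doc", "dd44", "2016-01-15T10:00:00Z", None),
    Hit("/Users/a/report.doc", "dd44", "2016-01-15T10:00:00Z", "2016-03-01T02:00:00Z"),
    Hit("/Users/a/app.log", "ee55", "2016-03-09T12:00:00Z", None),
    Hit("/Users/a/app.log", "ee55", "2016-03-02T12:00:00Z", "2016-03-05T02:00:00Z"),
]

if __name__ == "__main__":
    for hit in dedupe_hits(SAMPLE):
        print(hit.snapshot or "active", hit.path, hit.digest)
```

With deduplication switched off, all nine sample hits would be listed; with it on, six remain, and the older content of budget.xls is attributed to the earliest snapshot that holds it.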

To change the deduplication setting, navigate to the [BlackLight] menu and select [Preferences] (Mac), or [Edit] menu and select [Options] (Windows). A separate window appears. Choose the Options tab and mark or unmark the checkbox for Deduplicate Hits Across Volume Shadow Copies. This option applies only to file content searches and does not affect file filtering.

Need More?

We’ve covered the basics regarding Volume Shadow Copies, but as always, BlackBag’s training team is here to help if you have further questions about this or other areas of digital forensics.

Carpe Datum!

BlackBag Training Team