
System Volume Information and Volume Shadow Copy Review

Microsoft has included the Volume Shadow Copy Service (VSS) in every Windows version since Windows XP. The service periodically creates snapshots of a volume that serve as restore points for the user. Windows 7 Professional and Ultimate include tools to work with and manage VSS, including the ability to place shadow volumes on disk images. In Windows 8, shadow volumes appear to have been superseded by File History.


Windows Shadow Copy is a service that creates backup copies of disk volumes, either manually or automatically. Automatic copies are created when Windows performs a scheduled backup or creates a system restore point. Windows decides when a new restore point is due: before Windows Updates are installed, or based on system idle time and the time since the previous restore point was created. In Windows Vista that interval is one day; in Windows 7 and newer it is seven days. Windows XP creates one every 24 hours regardless of system activity.


Shadow copies are initially created as block-level clones of the volume. From that point on, only changes to the volume's blocks are tracked. This means that in a forensic investigation, not all relevant information will be found in the same shadow copy.


Windows XP and Server 2003


Microsoft first added the Volume Snapshot Service in Windows XP, where it was used by NTBackup. Support for persistent snapshots arrived in Windows Server 2003, which allows up to 512 snapshots per volume. Windows Server 2003 uses the service to create incremental snapshots of changed data.


In Windows XP, performing a system restore or creating shadow copies works differently from newer versions of Windows. Windows XP uses a simpler mechanism: whenever an application tries to overwrite a system file, Windows XP makes a copy of the file and saves it in a separate folder. As a result, System Restore in Windows XP does not affect a user's documents, but only system files such as DLLs, executables, and registry hives, along with a few others.


Windows Vista, Windows 7 and Server 2008


Most Windows components were updated to take advantage of shadow copies in these versions. The Backup and Restore utility in these versions of Windows uses shadow copies of files for both file-based and sector-based backups. VSS is also used by the SystemGuards components, which create and maintain periodic copies of system and user data on the same local volume and make them accessible locally through the System Restore utility.


Windows 8 and Server 2012


These versions of Microsoft's operating systems support persistent shadow copies. However, Windows 8 lacks the GUI component needed to browse shadow copies easily: the Previous Versions tab of the file properties dialog was removed for local volumes, so the ability to browse, search, or recover old versions of files is no longer available out of the box. This functionality can be recovered with third-party tools such as ShadowExplorer.


Windows 10


This version of Windows restored the Previous Versions tab in the file properties dialog. However, it now depends on the File History feature instead of Volume Shadow Copies.


Compatibility


While different versions of NTFS are largely forward and backward compatible, problems can occur when an NTFS volume containing persistent shadow copies created by a newer version of Windows is mounted on an older version. This happens because the old OS does not understand the newer format of persistent shadow copies.



Volume Shadow Copies in Digital Forensics


Why Are Shadow Copies Important for Forensics?


Windows shadow volumes are valuable for forensics because they can provide additional data that might not otherwise be available. They allow forensic investigators to recover deleted files and to find out what was happening on the system before the investigation began. They are an excellent source for data that a system user previously deleted.


Limitations of Shadow Copies in forensic investigations


While shadow copies can give forensic investigators files deleted between the time the shadow copy was made and the time the investigation began, they only provide one earlier version of each file. Changes made to a file before the shadow copy was created will not be visible. Because shadow copies are taken at the block level rather than the file level, a change to an individual file is not necessarily enough to cause Windows to record a change in a corresponding shadow copy.


Also, depending on the user's settings, the Shadow Copy service may be turned off and no shadow copies may be stored. In other cases, the disk space allocated may be too small to keep multiple shadow copies, or even a single one if it exceeds the limit. Windows automatically overwrites the oldest shadow copies when the disk space limit is reached. For these reasons, shadow copies should be treated as an aid to forensic investigations, not as a guaranteed source of useful information.


Volume Shadow Copies in the Registry


We can also recover information about Volume Shadow Copies and their properties from the Windows Registry. Since VSS is a Windows service, several registry locations are of interest. The following registry key provides information about the service itself:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS


For this post, I will focus on the following registry key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore



Within this path we have three subkeys:


FilesNotToBackup

Specifies the names of files and directories that backup applications should not back up or restore.

FilesNotToSnapshot (Vista / 2008+ only)

Specifies files that should be deleted from newly created shadow copies.

KeysNotToRestore

Provides the names of registry keys and values that backup applications should not restore.

If you find inconsistencies in a system you are analyzing, we recommend pulling these registry keys and determining whether the exclusion lists have been modified, since they control what is dropped from a VSC.
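One way to do that check offline, added here as an example that is not part of the original post: parse a regedit export (the `.reg` text format produced by `regedit /e`) of the BackupRestore subkeys and the VSS service key, then compare the exclusion lists against a known-good baseline and flag a disabled service. The sample export, the `ExampleApp`/`Staging` entries, and the baseline are all constructed for the example; the `hex(7)` multi-string encoding and the meaning of `Start=4` (SERVICE_DISABLED, where VSS defaults to 3, manual start) are documented Windows behaviour.

```python
"""Review BackupRestore exclusion keys and the VSS service state from a .reg export."""
import re

BACKUPRESTORE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore"
VSS_SERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS"


def encode_multi_sz(strings, per_line=25):
    """Encode a list of strings as a .reg hex(7) value: UTF-16LE, NUL-separated,
    double-NUL terminated, wrapped with trailing ',\\' continuations like regedit does."""
    data = "".join(s + "\0" for s in strings) + "\0"
    tokens = [f"{b:02x}" for b in data.encode("utf-16-le")]
    lines = [",".join(tokens[i:i + per_line]) for i in range(0, len(tokens), per_line)]
    return "hex(7):" + ",\\\n  ".join(lines)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles quoted strings, dword values, and hex(7) multi-strings with continuation lines."""
    # A trailing backslash means the value continues on the next (indented) line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("hex(7):"):
                data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
                value = [s for s in data.decode("utf-16-le").split("\0") if s]
            elif raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def review_exclusions(reg_keys, baseline):
    """Return (subkey, value_name, finding) tuples for exclusion entries that are absent
    from or differ from the baseline, plus a finding if the VSS service is disabled."""
    findings = []
    for subkey in ("FilesNotToBackup", "FilesNotToSnapshot", "KeysNotToRestore"):
        values = reg_keys.get(f"{BACKUPRESTORE}\\{subkey}", {})
        expected = baseline.get(subkey, {})
        for name, patterns in values.items():
            if name not in expected:
                findings.append((subkey, name, "not in baseline"))
            elif patterns != expected[name]:
                findings.append((subkey, name, "changed from baseline"))
    vss = reg_keys.get(VSS_SERVICE, {})
    if vss.get("Start") == 4:  # SERVICE_DISABLED; the default for VSS is 3 (manual start)
        findings.append(("Services\\VSS", "Start", "VSS service disabled (Start=4)"))
    return findings


# Constructed sample export: one baseline entry, one unexpected broad exclusion of user
# documents, one unexpected KeysNotToRestore entry, and a disabled VSS service.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{BACKUPRESTORE}\\FilesNotToSnapshot]",
    '"ExampleApp"=' + encode_multi_sz([r"$UserProfile$\AppData\Local\ExampleApp\*.cache /s"]),
    '"Staging"=' + encode_multi_sz([r"C:\Users\*\Documents\* /s"]),
    "",
    f"[{BACKUPRESTORE}\\KeysNotToRestore]",
    '"ExampleApp"=' + encode_multi_sz([r"SOFTWARE\ExampleApp\Runtime\\"]),
    "",
    f"[{VSS_SERVICE}]",
    '"Start"=dword:00000004',
])

# Constructed baseline (hypothetical known-good state captured from a reference system).
BASELINE = {
    "FilesNotToBackup": {},
    "FilesNotToSnapshot": {"ExampleApp": [r"$UserProfile$\AppData\Local\ExampleApp\*.cache /s"]},
    "KeysNotToRestore": {},
}

if __name__ == "__main__":
    for finding in review_exclusions(parse_reg(SAMPLE_REG), BASELINE):
        print(finding)
```

The baseline is the important input: a `FilesNotToSnapshot` entry that matches a whole user-data tree means those files never make it into new snapshots, so any entry that is not in your reference set deserves a look before you conclude that a VSC simply "never had" a file.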


Analyzing Volume Shadow Copies


When including VSCs in the analysis, consider the following possibilities:


When an investigator searches an image and finds data of potential evidentiary value in a volume shadow copy, it is worth digging deeper into the original source and checking whether additional data can be found. The report viewers we use show which file, which shadow copy, and which data fragment a hit came from. The investigator can then run a second search restricted to the one or more volume shadow copies that contain the modified files. This gives the investigator not only a more complete data set but also potential historical information.


Often, shadow copies will have a historical version of registry hives, databases like SQLite, and many other artifacts that don't traditionally store a lot of historical data, but have a wealth of valuable information. A good example of this would be the potential to find additional chat logs that have been deleted and overwritten or only temporarily stored in memory but may still be present in the shadow copy from two weeks ago.



With tools like libvshadow you can expose a Volume Shadow Copy as a logical volume, apply secondary analysis tools such as log2timeline / Plaso to it, and build large "mega" supertimelines that reach further into the past. Just remember that the same data can appear more than once.


If you have time indicators to assist the analysis, such as when a piece of malware or other activity of interest appeared, look at how your volume shadow copies relate to those time windows. You may find yourself able to browse the system as it was before the infection. Also, if you are in doubt about a timestamp, check whether your Volume Shadow Copy supports that theory.


Just because the data is in a Volume Shadow Copy does not mean that analysis techniques need to change. We can still run automated scripts, compute hashes, and do keyword searches. This is just another source of data.
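As an added example of that last point (not code from the original post), here is how the live volume and a mounted shadow copy can be treated as two ordinary directory trees and compared by hash, then keyword-searched together so a hit can be traced to the snapshot it lives in. It assumes each shadow copy is already mounted as a directory (for instance via libvshadow's vshadowmount), and builds a constructed pair of trees in a temporary directory instead of real VSC data.

```python
"""Compare a live volume against a mounted shadow copy to find files that were
later deleted or modified, and keyword-search all trees at once."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_against_snapshot(live_root, snapshot_root):
    """Classify every snapshot file as deleted, modified, or unchanged on the live
    volume, and list live files that did not exist yet when the snapshot was taken."""
    live, snap = index_tree(live_root), index_tree(snapshot_root)
    return {
        "deleted": sorted(set(snap) - set(live)),
        "modified": sorted(p for p in snap if p in live and snap[p] != live[p]),
        "unchanged": sorted(p for p in snap if p in live and snap[p] == live[p]),
        "new": sorted(set(live) - set(snap)),
    }


def keyword_hits(roots, keyword):
    """Search every tree (live volume plus each snapshot) for a byte keyword.
    The same file can legitimately hit in several snapshots; each is reported."""
    hits = []
    for label, root in roots.items():
        for p in Path(root).rglob("*"):
            if p.is_file() and keyword.encode() in p.read_bytes():
                hits.append((label, str(p.relative_to(root)).replace(os.sep, "/")))
    return hits


def build_demo():
    """Constructed sample: a 'vss1' snapshot tree and a 'live' tree under a temp dir
    (hypothetical content, not data from a real shadow copy)."""
    base = Path(tempfile.mkdtemp())
    snap, live = base / "vss1", base / "live"
    for root in (snap, live):
        (root / "Users/alice").mkdir(parents=True)
    (snap / "Users/alice/chat.log").write_text("meeting at 14:00 about the audit\n")
    (snap / "Users/alice/notes.txt").write_text("v1\n")
    (snap / "Users/alice/readme.txt").write_text("same\n")
    (live / "Users/alice/notes.txt").write_text("v2\n")       # modified after the snapshot
    (live / "Users/alice/readme.txt").write_text("same\n")    # unchanged
    (live / "Users/alice/new.txt").write_text("created later\n")
    return str(live), str(snap)


if __name__ == "__main__":
    live, snap = build_demo()
    print(diff_against_snapshot(live, snap))
    print(keyword_hits({"live": live, "vss1": snap}, "meeting"))
```

In practice `roots` would hold the live mount plus one entry per mounted shadow copy, and the diff would be run for each snapshot in turn; a file that is "deleted" relative to the oldest snapshot but "unchanged" relative to a newer one brackets the time of its removal.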


Analysis Summary


We installed a 60 GB Windows 7 operating system on our virtual server, since doing this work on a local machine would have been very difficult. After using the system for a few days, we took an image of it (in the form of a Volume Shadow Copy) to examine with the open source tool Logparser. The image was then mounted.

[Figure: Logparser]

Shadow copies are stored in the System Volume Information folder of the volume. This can also be verified with paid software if necessary. In Shadow Explorer, we saw what is affected by the creation of a shadow copy. Specifically, an NTUSER.DAT file and a BCD file are affected. BCD (Boot Configuration Data) is a registry hive, and its BCD.LOG files are the hive's transaction logs, which are available for recovery if needed. NTUSER.DAT, another registry hive, contains the settings of an individual user account. It makes sense that NTUSER.DAT is affected, as the shadow copies on our virtual machine were mainly created by installations and updates.

[Figure: NTUSER.DAT]

To summarize briefly:


We showed that certain files change when a shadow copy is created, and how the system and file structure as it was at the time any shadow copy was created can be viewed in the GUI of certain tools.


Forensic Perspective

From a forensic point of view, volume shadow copies contain information about how a particular file, folder, or even the whole system has changed. This can be used to prove whether a suspect committed a particular crime, and the deletion of such data can be interpreted as "trying to conceal or erase the evidence".


Research / Review

Shadow copies can play an important role in digital forensics because of the information they contain. They show what the file system or folder structure looked like when the shadow copy was created, which programs were installed, and which files were intact or deleted.


How can we access them?

There are various methods for forensically accessing and extracting data from Volume Shadow Copies, as described above.


What are the Specific Methods Used?

There are command-line and GUI methods for forensically accessing and extracting data from Volume Shadow Copies. Either method may work, depending on the circumstances and the user's comfort level. These programs allow the file system or folder structure at the time a shadow copy was created to be examined without altering the original copy.
