This is the second post in a series on Volume Shadow Copy. A quick recap of the previous post shouldn’t hurt: we discussed that VSCs are a valuable artifact and why they matter to forensic investigators, since they may contain evidence that was deleted afterwards but was captured when a VSC was created. Shadow copies are read-only, so there is no way to delete files from them. This makes them a wealth of information, as each version of a file recovered from a shadow copy gives the examiner additional metadata that contributes to the evidence. Because this is a background service, users may be unaware of these incremental backups (the shadow copies) and, when deleting or wiping their evidence, they overlook the shadow copy files.

This post is focused on the technical aspects involved and other things an examiner needs to be aware of. I’ll discuss the Volume Shadow Copy Service and how to access and configure shadow copies in a Windows environment; in the next post I’ll demonstrate how to mount volume shadow copies and acquire them in a forensically sound manner, and how to examine them using the VSS EnScript and a few of the other tools available on the market.

Volume Shadow Copy Service

The Volume Shadow Copy Service (VSS) is a built-in Windows service that enables the creation of point-in-time copies of data known as snapshots or shadow copies. VSS coordinates with other applications, system/software/hardware providers, file-system services and backup applications to produce consistent shadow copies. Shadow copies are generally differential: a shadow copy is not a complete copy of the drive, as duplicating the entire contents would require a huge amount of disk space for every snapshot. Shadow copies can be created through various mechanisms (clone, copy-on-write, redirect-on-write, etc.). By default, the Volume Shadow Copy Service uses the copy-on-write mechanism for the Previous Versions feature in Windows.

  • Clone Shadow Copy:

A clone shadow copy, also called a split mirror, is a full duplicate of the original data on the volume, created by either software or hardware mirroring.

  • Copy-on-Write:

The built-in VSS service in Windows supports only copy-on-write shadow copies. Like a clone shadow copy, a copy-on-write copy is created by software or hardware mechanisms. It is also known as a differential copy, because it creates a differential rather than a full duplicate of the original data as a clone shadow copy does. Whenever a change is detected, the block of data being modified is copied to a “differences area” associated with the shadow copy before the change is written to the live data block. Overlaying the saved blocks on the live data creates a view of the live data as it was at the point in time when the shadow copy was created.

Quite often the only thing VSS initially captures for a deleted file is its MFT record. The file’s data won’t be written to a VSS differential file until the clusters it occupied are modified; until then the file’s data remains in the unallocated clusters.

Differential file

I’ve tried to demonstrate the differential copy mechanism in the picture above, where X indicates blocks that have changed and the cells highlighted in yellow indicate the blocks that were modified since the previous snapshot. As we can see, instead of copying the entire volume, only the blocks that have been modified are recorded in the next snapshot. In the current snapshot, all the blocks updated over the period of time are captured, giving a complete view of the previous version at a given point in time.
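To make the overlay concrete, here is a small added example (not code from the original post) that models a copy-on-write differences area and the deleted-file case just described; the block contents and file names are constructed.

```python
from typing import Dict, List

# Added example, not code from the original post: a toy model of VSS
# copy-on-write shadow copies. Block contents are constructed strings;
# a real differences area holds fixed-size volume blocks.


class CowVolume:
    """Volume whose snapshots store only the blocks overwritten after the
    snapshot was taken (each snapshot owns one differences area)."""

    def __init__(self, blocks: List[str]):
        self.live: List[str] = list(blocks)        # current on-disk blocks
        self.snapshots: List[Dict[int, str]] = []  # one differences area each

    def create_snapshot(self) -> int:
        """Open an empty differences area and return the snapshot id."""
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, block: int, data: str) -> None:
        """Copy-on-write: the first change to a block after the newest snapshot
        saves the old contents into that snapshot's differences area first."""
        if self.snapshots:
            diff = self.snapshots[-1]
            if block not in diff:
                diff[block] = self.live[block]
        self.live[block] = data

    def read_snapshot(self, snap_id: int, block: int) -> str:
        """Point-in-time view: overlay this and every later differences area
        on the live data; if none holds the block, it never changed since."""
        for diff in self.snapshots[snap_id:]:
            if block in diff:
                return diff[block]
        return self.live[block]


def demo_deleted_file() -> dict:
    """The case from the post: deleting a file changes only its MFT record;
    its clusters reach the differences area only when they are reused."""
    vol = CowVolume(["MFT: evidence.docx -> blocks 2,3", "other", "EVID-1", "EVID-2"])
    snap = vol.create_snapshot()
    vol.write(0, "MFT: evidence.docx (deleted)")  # delete: only block 0 changes
    saved_after_delete = len(vol.snapshots[snap])  # 1 block saved so far
    vol.write(2, "new file data")                 # cluster reused: old data saved
    return {"saved_after_delete": saved_after_delete,
            "saved_after_reuse": len(vol.snapshots[snap]),
            "snapshot_view": [vol.read_snapshot(snap, b) for b in range(4)],
            "live_view": list(vol.live)}
```

Reading the snapshot still returns the complete file, while the live volume shows the deleted MFT record and the reused cluster; the differences area only ever grew by the two blocks that were actually overwritten.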

  • Redirect-on-Write:

Similar to copy-on-write, except that the original data is written to a separate destination, such as a network share, an external backup or another volume.

VSS Architecture

The Volume Shadow Copy Service, located at %SystemRoot%\System32\Vssvc.exe, coordinates with VSS writers, VSS providers and VSS requestors to create a consistent shadow copy. It is important to understand that disabling the Volume Shadow Copy Service may affect other applications such as Windows Backup, so care should be taken before disabling this service. Let’s now discuss briefly what these requestors, writers and providers are and how they aid in the creation of a shadow copy.

  • VSS Requestor: VSS requestors are the applications that issue backup requests to VSS for the creation of snapshots. Examples of VSS requestors are System Restore and Windows Backup.
  • VSS Writer: A VSS writer is a software component that enables shadow-copy-aware applications, such as Active Directory, Exchange Server and SQL Server, to receive freeze and thaw notifications so that backup copies of their data files are internally consistent. In general, VSS writers are applications that coordinate their I/O operations with the backup and restore operations of VSS.
  • VSS Provider: A VSS provider allows an independent hardware/software vendor with a unique storage scheme to integrate with the shadow copy service. Providers supply the mechanism by which backup data is actually stored.

VSS Architecture

1. The requestor, generally a backup application, contacts the Volume Shadow Copy Service and requests that a snapshot be created. VSS reviews the request for validity.

2. Once the request is validated, the Volume Shadow Copy Service builds a list of writers, which are asked to provide a list of data that may need to be backed up. This list is passed to the requestor, which chooses the items to be backed up. Once the data is ready, the writer signals VSS, and VSS directs the writer to freeze its I/O operations.

3. At this point VSS flushes all the file-system buffers and tells the provider to create the volume shadow copy. The provider captures the prepared data and creates a shadow copy (snapshot) that exists side by side with the live volume.

4. Once the shadow copy has been created, the provider signals the Volume Shadow Copy Service, which tells the writers to thaw file-system operations, and information about the backup is returned to the requestor. The application freeze is not allowed to last more than 60 seconds.

The process of creating a snapshot and the amount of time it takes depend on a number of factors.

VSS Registry Keys

Because VSS is a Windows service, several registry keys have a direct impact on its behaviour. We will discuss three significant keys an examiner should be aware of:

  • HKLM\System\CurrentControlSet\Services\VSS
  • HKLM\System\CurrentControlSet\Control\BackupRestore
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients


  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS is the primary registry key that affects the Volume Shadow Copy Service. Using the Registry Editor, the start type of the service can be modified: double-click the Start value and enter one of the values below.
    • Automatic or Automatic (Delayed Start): 2
    • Manual: 3
    • Disabled: 4

services

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore is another key within the registry hive that affects VSC behaviour. Beneath this key there are three subkeys: FilesNotToBackup, FilesNotToSnapshot and KeysNotToRestore.
  1. FilesNotToBackup: contains a list of files and directories that backup applications should not back up. This includes files from the Temp folder, pagefile.sys, hiberfil.sys, the IE index.dat, log directories and offline file caches, to name a few.
  2. FilesNotToSnapshot: contains a list of files that should be deleted from newly created shadow copies.
  3. KeysNotToRestore: contains a list of subkeys and values that should not be restored.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients is another key of importance. This key contains a value, on my workstation named “{3E7F07C9-6BC3-11DC-A033-0019B92BB8B1}”, and this value is the same across all the volumes. The data within that value represents which volumes are being monitored by the Volume Shadow Copy Service. The data can contain multiple strings, each of which references a volume GUID and the drive letter of the volume, separated by a colon. This value mirrors what is listed in the Protection Settings section of the System Properties dialog. For instance, the screenshot below shows two volumes on my workstation, Volume F (Books & Docs) and Volume R (4n6_TestVolume), for which VSC has been enabled and which are being monitored by VSS; each has a different volume GUID, but both sit under the same registry value.

SPP_Clients
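As an added example (not code from the original post), the following script interprets exported copies of the two values discussed above: the Services\VSS Start value and the SPP\Clients strings. It assumes each SPP\Clients string holds one volume GUID and one drive letter separated by a colon, as in the screenshot, and the sample data is constructed.

```python
import re
from typing import Dict, List

# Added example, not code from the original post: it interprets exported
# copies of the two registry values discussed above, so it runs offline.
# The sample data is constructed (the GUIDs belong to no real system).
# Assumption: each SPP\Clients string carries one volume GUID and the drive
# letter separated by a colon, as in the post's screenshot; the pattern also
# accepts the \\?\Volume{GUID}\:X spelling seen in exported REG_MULTI_SZ data.

START_MODES = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # Services\VSS\Start
CLIENT_RE = re.compile(
    r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}\\?:([A-Za-z])")


def parse_spp_clients(strings: List[str]) -> Dict[str, str]:
    """Return drive letter -> volume GUID for each monitored volume; strings
    that do not fit the expected shape are skipped rather than guessed."""
    monitored: Dict[str, str] = {}
    for s in strings:
        m = CLIENT_RE.search(s)
        if m:
            monitored[m.group(2).upper()] = m.group(1).lower()
    return monitored


def vsc_triage(start_value: int, client_strings: List[str], volumes: List[str]) -> dict:
    """Summarise what an examiner can expect: can the service run at all, and
    which of the volumes present are having shadow copies taken."""
    monitored = parse_spp_clients(client_strings)
    return {
        "service_mode": START_MODES.get(start_value, f"unknown ({start_value})"),
        "monitored": monitored,
        "unmonitored": sorted(v.upper() for v in volumes if v.upper() not in monitored),
    }


# Constructed sample: VSS set to Manual, F: and R: protected, C: and D: not.
SAMPLE_START = 3
SAMPLE_CLIENTS = [
    "{11111111-2222-3333-4444-555555555555}:F",
    r"\\?\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\:R",
    "not-a-volume-entry",
]

if __name__ == "__main__":
    print(vsc_triage(SAMPLE_START, SAMPLE_CLIENTS, ["C", "D", "F", "R"]))
```

Volumes listed as unmonitored will have no Previous Versions to recover, so they are worth noting early in an examination.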

Accessing and Configuring VSS, VSC & Previous Versions

  • The Volume Shadow Copy Service can be viewed through the Microsoft Windows Services management console, opened with the services.msc command. Navigate to Volume Shadow Copy under the Name column; there you can set the service to Disabled, Automatic or Manual, the same as via HKLM\System\CurrentControlSet\Services\VSS.

VSS Services management console

  • VSC settings can be configured in the System Properties window, accessed by right-clicking the Computer icon and selecting Properties > System Protection. You can also navigate through Control Panel by clicking System and Maintenance > System. Using this dialog box you can select the volumes on which System Restore (which also affects Previous Versions) needs to be enabled, and create an immediate restore point.

Accessing VSC

  • The Previous Versions tab can be used to list all the versions of a volume; each time Windows creates a new system restore point, a shadow copy is taken for that volume. Right-click a partition, such as C:\ or D:\, select Properties and open the Previous Versions tab. You will see a dialog box similar to the one shown here; pick any of the versions shown and click the Open button. This opens a new Explorer window displaying that volume at the point in time when the snapshot was taken. The path shown will include localhost\C$\<volume label> (<drive>:) (<date,time>), which is how Explorer virtualizes the different shadow copies taken. This path is a friendly name; to see the actual path, click within the address bar.


Windows 8 has a different mechanism when it comes to shadow copies. The Previous Versions tab has been replaced with File History, which lets you save an unlimited number of versions. Unlike Shadow Copy, which performs block-level monitoring, File History uses the USN Journal to track changes and simply copies earlier versions of the files to the backup location specified by the user. File History automatically backs up Favorites, Contacts, desktop items and much more. Each time one of the files changes, a copy is stored in the dedicated storage location. Moreover, there are only two options in System Protection: ON and OFF. Though the Previous Versions option has been deprecated for local files, folders and volumes, it still exists for local and remote network shares. And most importantly, Windows 7 cannot read shadow copies created by Windows 8.

This brings us to the end of the post. As mentioned earlier, in the first two posts I’ve stressed the importance and technical aspects of VSC and VSS; the next post is going to be more interesting, with demos and more forensics-oriented material. Any questions, thoughts, comments or suggestions are much appreciated.