Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
Windows Shadow Volumes
Volume Shadow Copy Service
Windows has included the Volume Shadow Copy Service in it's releases since Windows XP. The Shadow Copy Service creates differential backups periodically to create restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to mount shadow volumes on disk images. In Windows 8 the shadow volumes seem to have been superseded by File History. For now it looks like it uses similar structures as its predecessors.
Windows Shadow Copy is a service that either manually or automatically creates backup copies of disk volumes. These backups are automatically created when Windows performs either a scheduled backup or a system restore point. This happens before Windows Updates are installed, or when Windows determines that it is time to create a new system restore point, which is determined by both system idle time and the time since a previous system restore point was created. In Windows Vista, this is one day. On Windows 7 and newer, this is seven days. Windows XP creates them every 24 hours regardless of system activity.
Shadow copies are initially created as block-level clones of entire drives. From there, only the changes to the drive are tracked. This means that in a forensic investigation, not all relevant information may be in the same Shadow Copy.
Shadow copies were first available in the Windows XP and Server 2003 operating systems, and are still present in each subsequent Windows and Server operating systems, including the present day Windows 10.
Although all present Windows and Server operating systems contain shadow volume capability, the process in which each operating system creates and accesses them varies, and is explained below.
Windows XP and Server 2003
Windows first added Volume Snapshot Service to windows XP, which is used by NTBackup. The creation of persistent snapshots has been added within Windows Server 2003. This addition gives the ability of having up to 512 snapshots to exist for a single volume. Windows 2003 is used to create incremental snapshots of the data that have changed.
In Windows XP, the process of system restore, or the creation of the shadow copies is different from the more recent versions of windows. Windows XP uses a simple mechanism- the moment an application attempts to overwrite any system file, Windows XP makes a copy of the file and saves that file to a separate folder. That way, in windows XP, system restore will not affect a user's documents, but only files such as dll, exe, and registry files, along with a few others.
Windows Vista, Windows 7, and Server 2008
Many of the components of Windows have been updated to make use of Shadow copies in these versions. The backup and restore utility within these windows versions, use both shadow copies of files in both file-based and sector-by -sector backups. VSS is used by the System Protection components, which creates and maintains periodic copies of system and user data on the same local volume, allows it to be locally accessed by the System Restore Utility.
Windows 8 and Server 2012
These versions of Microsoft’s operating systems support persistent shadow copies. However, Windows 8 is lacking a GUI portion that is necessary to easily browse the shadow copies. So, within Windows 8 the Previous versions tab of the properties dialog of files was removed for local volumes, so the ability to browse, search or recover older versions of files is not present.
This version of Microsoft Windows has restored the Previous versions tab within the properties dialog of files. However, it now depends on the the File History feature instead of Volume shadow Copy.
Shadow Volume Copies in Digital Forensics
Why Shadow Copies are Important to Forensics
Windows Shadow Volumes are important to digital forensics because they can provide additional data that otherwise would not be available. They can allow a forensic investigator to recover deleted files, and to learn what was taking place on a system before he/she began the investigation. They are an excellent tool for discovering data that was previously deleted by a system user.
Limitations of Shadow Copies in forensic investigations
Although Shadow Copies can provide forensic investigators with files that have been deleted between the time the Shadow Copy was made and the time the investigation began, they only provide one previous version of files. If previous changes to files were made before the Shadow Copy was created, those changes will not be known. Because Shadow Copies clone on a block-level rather than a file-level, changes to individual files may not be enough to cause Windows to make the changes in a corresponding Shadow Copy.
Additionally, depending on the user’s individual settings, the Shadow Copy service might be turned off, resulting in no Shadow Copies being stored. Other times, the disk space settings might be set too low for multiple Shadow Copies to be saved, or even for one Shadow Copy to be saved if it is larger than what the settings allow. Windows automatically overwrites Shadow Copies when the disk space limit is reached. For these reasons, Shadow Copies should be an aid in a forensic investigation, but they are not guaranteed as a means to discover useful information.
How to analyze Shadow Volumes
- VISTA and Windows 7 Shadow Volume Forensics, by Rob Lee, October 2008
- Accessing Volume Shadow Copies, by Harlan Carvey, January 2011
- More VSCs, by Harlan Carvey, January 2011
- A Little Help with Volume Shadow Copies, by Corey Harrell, April 2011
- Volume Shadow Copy with ProDiscover, May 2011
- HowTo: Mount and Access VSCs, by Harlan Carvey, September 2011
- Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows, by Rob Lee, September 2011
- Ripping Volume Shadow Copies – Introduction, by Corey Harrell, January 2012
- Ripping VSCs – Practitioner Method, by Corey Harrell, February 2012
- Ripping VSCs – Practitioner Examples, by Corey Harrell, February 2012
- Ripping VSCs – Developer Method, by Corey Harrell, February 2012
- Ripping VSCs – Developer Examples, by Corey Harrell, February 2012
- Examining VSCs with GUI Tools, by Corey Harrell, February 2012
- VSC Toolset: A GUI Tool for Shadow Copies, by Jason Hale, March 2012
- Examining Volume Shadow Copies – The Easy Way!, by Simon Key, June 2012
- Getting Ready for a Shadow Volume Exam, by Jimmy Weg, June 2012
- Mounting Shadow Volumes, by Jimmy Weg, July 2012
- Examining the Shadow Volumes with X-Ways Forensics, by Jimmy Weg, July 2012
- “Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”, by Jimmy Weg, August 2012
- "Examining shadow copies with Reconnoitre (and without vssadmin), it's as easy as 1, 2, 3", by Paul Sanderson, January 2013
- Volume Shadow Copy Part 2, by Ryan Montelbano, Scott Barrett, Jacob Blend, February 5, 2014
- Volume Shadow Copy Part 3, by Scott Barrett, February 26, 2014
- Volume Shadow Copy Part 4, by Ryan Montelbano, March 26, 2014
Shadow Volumes in depth
- Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7, by James Crabtree and Gary Evans, 2010
- Into The Shadows and Presentation, by Lee Whitfield, April 2010
- Volume Shadow Snapshot format, by the libvshadow project, March 2011
- Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows and OSDFC 2012 Slides, by Joachim Metz, October 2012
- Lurking in the Shadows – Hack3rcon II
- Volume Shadow Copies - The Lost Post, Mark Baggett, October 2012
- EnCase with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
- VSC Toolset
- X-Ways Forensics
- Vssadmin - Command Line utility included in Windows XP and later, which can list, create, or delete volume shadow copies. This utility will also list the installed shadow copy writers and providers.
- Forensic Tool Kit