Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Windows Forensics Analyst Field Guide

You're reading from   Windows Forensics Analyst Field Guide Engage in proactive cyber defense using digital forensics techniques

Arrow left icon
Product type Paperback
Published in Oct 2023
Publisher Packt
ISBN-13 9781803248479
Length 318 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Muhiballah Mohammed Muhiballah Mohammed
Author Profile Icon Muhiballah Mohammed
Muhiballah Mohammed
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Part 1:Windows OS Forensics and Lab Preparation
2. Chapter 1: Introducing the Windows OS and Filesystems and Getting Prepared for the Labs FREE CHAPTER 3. Chapter 2: Evidence Acquisition 4. Chapter 3: Memory Forensics for the Windows OS 5. Chapter 4: The Windows Registry 6. Chapter 5: User Profiling Using the Windows Registry 7. Part 2:Windows OS Additional Artifacts
8. Chapter 6: Application Execution Artifacts 9. Chapter 7: Forensic Analysis of USB Artifacts 10. Chapter 8: Forensic Analysis of Browser Artifacts 11. Chapter 9: Exploring Additional Artifacts 12. Index 13. Other Books You May Enjoy

Windows VSS

VSS is a feature of Windows OSs that allows users to take snapshots of the state of their hard drive at a specific point in time. These snapshots, known as shadow copies, can be used to restore previous versions of files and directories in the event of data loss or corruption.

From a digital forensics perspective, volume shadow copies can be a valuable source of evidence. They provide a historical record of the state of the hard drive, including deleted and altered files. This information can be used to reconstruct the chain of events that occurred on the system and to identify any suspicious activity.

Volume shadow copies are stored as part of the VSS, which is a component of Windows that provides the functionality to create and manage shadow copies. VSS maintains a list of all shadow copies on a particular volume, allowing a user to select and restore the desired shadow copy.

One of the key benefits of volume shadow copies is that they are created automatically in the background, without the user’s intervention. This means that even if a user is unaware of the feature, it can still contain valuable evidence. In addition, the shadow copies are stored in a hidden and protected area of the hard drive, making it difficult for attackers to tamper with or destroy them.

When conducting a digital forensics examination, it is important to capture and preserve shadow copies to ensure that evidence remains intact. This can be done by creating a forensic image of a hard drive, which can then be analyzed for the presence of shadow copies. Once the shadow copies have been identified, the forensic examiner can extract and analyze the contents to identify any relevant information.

By using VSS, we can track changes in an New Technology File System (NTFS) filesystem. However, it does not store data every time a user changes a file; instead, it typically stores data once a week or as configured by a user on the machine.

When conducting a digital forensic investigation and searching for any suspicious or malicious activity, such as file deletion, we can utilize the VSS to obtain valuable forensic evidence. By comparing the original content of the hard drive with that stored in VSS, we can determine whether any changes or tampering have occurred.

To check VSS on your local machine, you can run CMD.exe with admin privileges and use the following command to list the shadow copies:

Vssadmin list shadows

The following screenshot shows the output of the preceding command:

Figure 1.6 – Vssadmin command output

Figure 1.6 – Vssadmin command output

Another useful trick is mounting a shadow copy using a Windows command line. On a live machine, we can manually mount and browse VSS data using the following mklink command, which creates a symbolic link to VSS. To do this, we need to invoke cmd.exe to use the mklink utility, as powershell.exe will not work:

mklink /d C:\shadow_copy_test \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Create a symbolic link to VSS by using the following command line:

Figure 1.7 – Mounting a volume shadow using mklink

Figure 1.7 – Mounting a volume shadow using mklink

Now, in the C drive, we can see a new symbolic link has been created and linked to the shadow copy, and we can browse it as a normal file:

Figure 1.8 – Mapped shadow copy in the C drive

Figure 1.8 – Mapped shadow copy in the C drive

There are other utilities and tools that help to mount VSS, such as Arsenal Image Mounter and VSCMount; however, we will leave the option to you to explore more tools and test them within the labs.

In the next section, we will discuss and prepare the lab environment for digital forensic investigations.

You have been reading a chapter from
Windows Forensics Analyst Field Guide
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781803248479
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image