Mounting Volume Shadow Copies

Volume Shadow Copies contain a wealth of information that is not easily accessible to the forensic investigator. You can, however, check for their presence with vssadmin.exe and mount them with mklink. Here is how you do it:

Mount the forensic image with EnCase PDE with caching turned on, or mount the physical drive behind a write blocker.

Then you can look at the drive either through Windows Explorer (the Previous Versions tab) or from the command line with vssadmin.

Windows Explorer Previous Versions

vssadmin.exe list shadows /for=e:

Where e: is the mounted forensic drive. If there are Volume Shadow Copies, they will be listed like this:

Contents of shadow copy set ID: {487c3d8a-6e7f-470d-8cf5-3e99968c9e77}
Contained 1 shadow copies at creation time: 12/12/2014 8:53:51 AM
Shadow Copy ID: {f4d6f433-3734-4f59-a49d-94b8f99951de}
Original Volume: (C:)\\?\Volume{b12e4ef0-2846-11e2-9e04-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy28
Originating Machine: XXXXXXXXXX
Service Machine: XXXXXXXXXXXX
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

You can open Volume Shadow Copies directly from Windows Explorer or mount them with mklink from a cmd.exe command prompt.

With mklink /d you give it the directory where the link will be created and the Shadow Copy Volume path from the vssadmin.exe list shadows output, with a trailing backslash.

Then you can just browse the Volume Shadow Copy with normal tools.

I, of course, created a PowerShell script to automatically mount all Volume Shadow Copies from whatever volume you give it.

mount-vss.ps1

<#

.SYNOPSIS

Mount Volume Shadow Copies on a system so they can be browsed like normal file systems

.DESCRIPTION

The vssadmin command is used to list all the Volume Shadow Copies available for a volume.
The script then mounts all these copies under c:\vss or a directory you provide. If the
mount directory is not present it is created. The raw vssadmin output is saved as vss.txt
in the mount directory.

You can examine evidence drives by mounting them on your system before running this command.

.PARAMETER VSSVol

The volume (n: d: etc) for which you want to mount the shadow copies. Defaults to the system drive.

.PARAMETER MountDir

The directory under which the shadow copies are linked. Defaults to c:\vss.

.EXAMPLE

.\Mount-vss.ps1

Mounts all the Shadow Copies of the system drive in c:\vss

.EXAMPLE

.\Mount-vss.ps1 -VSSVol e: -MountDir f:\vss

Mounts all the Shadow Copies of e: in f:\vss

.NOTES

Author: Tom Willett
Date: 12/6/2014
2014 Oink Software

#>

Param(
    [Parameter(Mandatory=$False,Position=0,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
    [string]$VSSVol = $env:SystemDrive,
    [Parameter(Mandatory=$False,Position=1)]
    [string]$MountDir = "c:\vss"
)

# Create the mount directory if needed and make sure it ends with a backslash
if ((test-path $MountDir) -eq $false) {
    mkdir $MountDir | out-null
}
if ($MountDir.endswith("\") -eq $False) {
    $MountDir += "\"
}
# Normalise the volume to the "X:" form that vssadmin expects
if ($VSSVol.length -eq 1) {
    $VSSVol += ":"
}
if ($VSSVol.length -gt 2) {
    $VSSVol = $VSSVol.substring(0,2)
}
# List the shadow copies for the volume (needs an elevated prompt)
$vss = vssadmin list shadows /for=$VSSVol
if ($LASTEXITCODE -ne 0) {
    throw "vssadmin list shadows failed for $VSSVol (run from an elevated prompt)"
}
# Keep the raw vssadmin output next to the mount points
$tmpPath = $MountDir + "vss.txt"
$vss > $tmpPath
# Pull out just the "Shadow Copy Volume:" device paths
$v1 = $vss | select-string "Shadow Copy Volume"
$v2 = @()
foreach ($v in $v1) {
    $v2 += $v.tostring().replace("Shadow Copy Volume:","").trim()
}
# Link each device path into the mount directory, named after the device:
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyNN -> <MountDir>\HarddiskVolumeShadowCopyNN
foreach ($v in $v2) {
    $tmp = $v.split("\")
    $tmpPath = $MountDir + $tmp[5]
    $tmpVss = $v + "\"          # mklink needs the trailing backslash
    write-host "Mounting $tmpVss at $tmpPath"
    cmd /c mklink /d $tmpPath $tmpVss
}
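As an added example (not part of the original post or the author's script), the same procedure with the vssadmin output parsed into objects, each link named with the snapshot's creation time, and a dismount that removes only the links. It assumes the output layout shown above, an elevated prompt, and the default C:\vss mount root; the volume letter E: at the end is a placeholder.

```powershell
# Added example, not part of the original post: parse 'vssadmin list shadows' into objects,
# mount each copy under a name that carries its creation time, and dismount cleanly.
# Assumes the output layout shown above, an elevated prompt, and the default C:\vss mount root.
function Get-ShadowCopyInfo {
    param([string]$Volume = $env:SystemDrive)
    $text = (vssadmin list shadows /for=$Volume) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed for $Volume (not elevated, or a mounted TrueCrypt volume?)" }
    # vssadmin prints one "Contents of shadow copy set ID" paragraph per shadow copy set
    foreach ($block in ($text -split 'Contents of shadow copy set ID:')) {
        if ($block -notmatch 'Shadow Copy Volume:\s*(\S+)') { continue }
        $device  = $Matches[1]
        $created = if ($block -match 'creation time:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $id      = if ($block -match 'Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})') { $Matches[1] } else { '' }
        [pscustomobject]@{
            ShadowCopyId = $id
            CreationTime = $created
            Device       = $device
            Name         = $device.Split('\')[-1]   # e.g. HarddiskVolumeShadowCopy28
        }
    }
}
function Mount-ShadowCopies {
    param([string]$Volume = $env:SystemDrive, [string]$MountRoot = 'C:\vss')
    if (-not (Test-Path $MountRoot)) { New-Item -ItemType Directory -Path $MountRoot | Out-Null }
    foreach ($sc in Get-ShadowCopyInfo -Volume $Volume) {
        # Put the creation time in the link name so each mount point is self-describing
        try { $stamp = ([datetime]$sc.CreationTime).ToString('yyyyMMdd_HHmmss') } catch { $stamp = 'unknown' }
        $link = Join-Path $MountRoot ('{0}_{1}' -f $sc.Name, $stamp)
        if (Test-Path $link) { continue }
        # mklink needs the trailing backslash on the shadow copy device path
        cmd /c mklink /d $link ($sc.Device + '\') | Out-Null
        [pscustomobject]@{ Link = $link; Device = $sc.Device; CreationTime = $sc.CreationTime }
    }
}
function Dismount-ShadowCopies {
    param([string]$MountRoot = 'C:\vss')
    # rmdir removes only the link; Remove-Item -Recurse could follow the link into the snapshot
    Get-ChildItem $MountRoot -Directory | Where-Object LinkType -eq 'SymbolicLink' |
        ForEach-Object { cmd /c rmdir $_.FullName }
}
Mount-ShadowCopies -Volume 'E:' | Format-Table -AutoSize
```

Run Dismount-ShadowCopies when the examination is finished so the links do not outlive the mounted evidence drive.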

Note: If you have any TrueCrypt volumes mounted, vssadmin.exe will error out. You might be able to use this to detect whether any hidden TrueCrypt volumes are mounted!

If vssadmin.exe is run and a TrueCrypt volume is mounted you will get the following error: