Volume Shadow Copy Part 2

Where is Volume Shadow Copy on your system?

In part two of our blog series on Volume Shadow Copies, we clear up the common misconception that VSC has been removed from Windows 8 and briefly describe how to find the VSC files. We are again looking at Windows XP, Windows 7, and Windows 8.1.

Volume Shadow Copy on Windows 8.1

Volume Shadow Copy (VSC) is a Windows component that takes automatic or manual point-in-time copies of the data on a volume. Shadow copies can be created on local and external volumes by any Windows component that uses the Volume Shadow Copy Service (VSS), for example System Restore when it creates a restore point, or Windows Backup when it takes a system image.

VSC has not been removed from Windows 8.1; what changed is the user-facing side. The Previous Versions tab was dropped from File Explorer and the Windows 7 File Recovery backup tool was replaced by File History, so the shadow copies are far less visible, but the VSS service and System Restore still create and store them, and vssadmin list shadows still enumerates them. The system image backup that used to be started from the Control Panel now has to be started from the command line. You need a second drive to hold the image (the target cannot be the volume being backed up), and you run wbadmin from an elevated PowerShell or command prompt; wbadmin itself uses VSS to snapshot the source volume before copying it:

wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet

“System image backups cannot be restored from within Windows as they are overwriting the Windows system entirely. To restore a system image backup, you will need to boot from Windows 8.1 installation media, recovery drive, or system repair disc” (How-To Geek).
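As an added example (not part of the original post), the following PowerShell script demonstrates that VSS is alive on Windows 8.1 even without the Previous Versions tab: it lists the existing shadow copies through the Win32_ShadowCopy WMI class, creates a new persistent shadow copy of C: (the same ClientAccessible kind System Restore makes), and lists again, cross-checking with vssadmin. It assumes C: is the system volume and an elevated prompt.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows 8.1. Assumes C: is the volume to snapshot.

function Get-ShadowCopySummary {
    # One row per shadow copy: ID, backing volume, device object and creation time
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        [PSCustomObject]@{
            Id           = $_.ID
            Volume       = $_.VolumeName
            DeviceObject = $_.DeviceObject
            Created      = $_.ConvertToDateTime($_.InstallDate)
        }
    }
}

Write-Host "Shadow copies before:"
Get-ShadowCopySummary | Format-Table -AutoSize

# Create a persistent, client-accessible shadow copy of C:.
# ReturnValue 0 means success; ShadowID is the new copy's GUID.
$class  = [wmiclass]"root\cimv2:Win32_ShadowCopy"
$result = $class.Create("C:\", "ClientAccessible")
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed with return code $($result.ReturnValue)"
}
Write-Host "Created shadow copy $($result.ShadowID)"

Write-Host "Shadow copies after:"
Get-ShadowCopySummary | Format-Table -AutoSize

# vssadmin reports the same set; the Shadow Copy Volume names it prints are the
# DeviceObject values above and are what mklink targets in the Windows 7 section.
vssadmin list shadows /for=C:
```

The new copy consumes shadow storage on C: and will be aged out like any other; on an evidence machine you would of course not run the Create step, only the enumeration.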

Volume Shadow Copy on Windows 7

To view the VSCs in a Windows 7 image, first mount the image as a physical disk with the Physical Disk Emulator (PDE) feature of EnCase 7, so that the Windows 7 system volume appears under a drive letter on the examiner's machine (F: in the commands below). From an elevated command prompt, use vssadmin to list the shadow copies available for that volume:

C:\>vssadmin list shadows /for=f:

Each entry reports a Shadow Copy Volume name of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6. Once you have identified the copy you want, use mklink to create a symbolic link to it; the trailing backslash on the target is required or the link will not browse:

C:\>mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\

The shadow copy is then accessible under C:\shadow, so tools such as RegRipper can be run directly against the hive files in C:\shadow\Windows\System32\config. If you need an image of the whole shadow copy instead, the dd from George M. Garner, Jr.'s Forensic Acquisition Utilities (FAU) can copy it to a .dd file that FTK can open:

C:\tools>dd if=\\.\HarddiskVolumeShadowCopy6 of=g:\shadow6.dd --localwrt

When you are done, rmdir C:\shadow removes only the link, not the shadow copy behind it.
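The link-and-copy procedure above, as an added example in PowerShell that is not from the original post: it maps the mounted evidence drive letter to its volume GUID, selects the newest shadow copy of that volume, links it with mklink, copies the registry hives (SYSTEM, SOFTWARE, SAM, SECURITY and each profile's NTUSER.DAT) out for RegRipper or FTK, and removes the link again. The drive letter F:, the link path C:\shadow and the output folder C:\cases\shadow-hives are assumptions; run it elevated on the examiner's machine with the image mounted through PDE.

```powershell
# Added example, not the original post's commands. Assumes the Windows 7 evidence
# volume is mounted as F: (via EnCase PDE), C:\shadow is free, and output goes to
# C:\cases\shadow-hives. Run from an elevated PowerShell prompt.

$EvidenceDrive = "F:"
$LinkPath      = "C:\shadow"
$OutDir        = "C:\cases\shadow-hives"

# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ name, so resolve F: to it
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter = '$EvidenceDrive'"
if (-not $volume) { throw "Volume $EvidenceDrive not found" }

$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object { $_.ConvertToDateTime($_.InstallDate) } -Descending
if (-not $shadows) { throw "No shadow copies found for $EvidenceDrive" }

$shadows | Format-Table ID, DeviceObject,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } } -AutoSize

# Newest copy first; change the index to pick an older one
$chosen = @($shadows)[0]

# mklink is a cmd.exe built-in. The trailing backslash on the device path is
# required, otherwise the link is created but cannot be listed.
$target = "$($chosen.DeviceObject)\"
cmd /c mklink /d $LinkPath $target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mklink failed (exit $LASTEXITCODE)" }

try {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    # System hives live in the same place inside the shadow as on the live volume
    foreach ($hive in "SYSTEM", "SOFTWARE", "SAM", "SECURITY") {
        Copy-Item -LiteralPath "$LinkPath\Windows\System32\config\$hive" `
                  -Destination $OutDir -Force
    }

    # One NTUSER.DAT per profile, renamed so they do not collide
    Get-ChildItem -LiteralPath "$LinkPath\Users" -Directory | ForEach-Object {
        $nt = Join-Path $_.FullName "NTUSER.DAT"
        if (Test-Path -LiteralPath $nt) {
            Copy-Item -LiteralPath $nt -Force `
                      -Destination (Join-Path $OutDir "NTUSER_$($_.Name).DAT")
        }
    }

    Get-ChildItem -LiteralPath $OutDir | Select-Object Name, Length, LastWriteTime
}
finally {
    # rmdir on a directory symbolic link removes the link only, not the shadow copy
    cmd /c rmdir $LinkPath | Out-Null
}
```

The copied hives carry the timestamps they had inside the shadow copy, so comparing them against the live hives (or against the same hives from an older copy by changing the index) is the quickest way to see what changed between snapshots. For a full bit-for-bit image of the shadow copy, the FAU dd command in the text is still the tool to use; this script only extracts the registry.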

Volume Shadow Copy on Windows XP

Windows ME (those who remember the failed OS call it the “Mistake Edition”) was replaced by Windows XP after only a year, but it did introduce one lasting feature: System Restore. Meant to let the user roll critical system files back after a bad change, it is also a valuable source of forensic information.

On XP systems it is enabled by default: system and application changes are monitored, and a restore point is created before each one so that it can be rolled back. Restore points are also created on a schedule (once every 24 hours by default).

Registry location of restore point information:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Disk path to restore points:

System Volume Information\_restore{GUID}\RP##  (where ## are sequential numbers assigned as restore points are created)
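As an added example that is not part of the original post, the following PowerShell script pulls both pieces of information together for an XP system volume mounted read-only on the examiner's workstation: it loads the offline SOFTWARE hive under a temporary key and reads the System Restore settings (the interval values are where the 24-hour schedule actually lives), then walks the _restore{GUID}\RP## folders and reports each restore point's creation time and how many registry hive backups its snapshot folder holds. The drive letter X: and the temporary key name HKLM\XPSOFT are assumptions; reg load needs an elevated prompt, and the System Volume Information folder is ACL'd to SYSTEM, so the examiner may first have to grant themselves access to it.

```powershell
# Added example, not from the original post. Assumes the XP system volume is
# mounted read-only as X: and that this runs elevated (reg load requires it).
# Needs PowerShell 3.0 or later for the -Directory switch.

$XpDrive = "X:"
$TempKey = "HKLM\XPSOFT"   # temporary mount point for the offline SOFTWARE hive

# 1. System Restore settings from the offline SOFTWARE hive
reg load $TempKey "$XpDrive\WINDOWS\system32\config\software" | Out-Null
try {
    $sr = Get-ItemProperty "HKLM:\XPSOFT\Microsoft\Windows NT\CurrentVersion\SystemRestore"
    [PSCustomObject]@{
        DisableSR        = $sr.DisableSR        # 1 = System Restore switched off
        RPGlobalInterval = $sr.RPGlobalInterval # seconds between scheduled points (86400 = 24 h)
        RPLifeInterval   = $sr.RPLifeInterval   # seconds a point is retained (7776000 = 90 days)
        DiskPercent      = $sr.DiskPercent      # share of the volume reserved for restore points
    } | Format-List
}
finally {
    [gc]::Collect()                 # release cached handles so the unload is not refused
    reg unload $TempKey | Out-Null
}

# 2. Restore point folders: System Volume Information\_restore{GUID}\RP##
#    Each RP## holds rp.log plus a 'snapshot' folder of registry hive backups
#    named _REGISTRY_MACHINE_SYSTEM, _REGISTRY_USER_NTUSER_<SID>, and so on.
$svi = "$XpDrive\System Volume Information"
Get-ChildItem -LiteralPath $svi -Directory -Force |
    Where-Object { $_.Name -like "_restore{*}" } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -Directory -Force |
            Where-Object { $_.Name -match '^RP\d+$' } |
            Sort-Object { [int]($_.Name.Substring(2)) } |
            ForEach-Object {
                $snapshot = Join-Path $_.FullName "snapshot"
                $hiveCount = 0
                if (Test-Path -LiteralPath $snapshot) {
                    $hiveCount = @(Get-ChildItem -LiteralPath $snapshot -Force -Filter "_REGISTRY_*").Count
                }
                [PSCustomObject]@{
                    RestorePoint = $_.Name
                    Created      = $_.CreationTime
                    HiveBackups  = $hiveCount
                }
            }
    } | Format-Table -AutoSize
```

The hive backups in each snapshot folder are ordinary registry hives, so RegRipper can be pointed at them exactly as at the live SYSTEM or NTUSER.DAT, which is what makes the RP## folders useful for building a timeline of what a system looked like at each restore point.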

More research is being done to examine the various triggers that will create a restore point, as well as what information is being stored.

Coming soon with Part 3

The next part of this blog series will highlight some of the artifacts we were able to find in the Volume Shadow Copy files and how we found them.

References:

http://www.howtogeek.com/167984/how-to-create-and-restore-system-image-backups-on-windows-8.1/

http://msdn.microsoft.com/en-us/library/windows/desktop/hh848072(v=vs.85).aspx

Image source: http://technet.microsoft.com/en-us/library/cc785914(v=ws.10).aspx

Volume Shadow Copy on Windows 8.1- Ryan Montelbano

Volume Shadow Copy on Windows 7- Scott Barrett

Volume Shadow Copy on Windows XP- Jacob Blend
