Thursday, September 15, 2011

HowTo: Mount and Access VSCs

I've posted before regarding how to mount and access Volume Shadow Copies (VSCs), but I thought it might be useful to revisit this topic, as there's a great deal that you can do once you've mounted a VSC.

If you received/have an image acquired from a Vista or Win7 system, you'll likely want to mount the image and access data within the available VSCs at some point.  Commercial tools such as ProDiscover provide access to the VSCs within an image (PDF here), but how can you access this source of data in a more economical fashion?

Well, there are a couple of ways to go about this, both of which require that you're using a version of Windows that supports VSCs, such as Windows 2008 or Windows 7.

VMDK Method
Starting with your image, download a copy of either raw2vmdk or LiveView and create a VMWare virtual disk (.vmdk) file for the image (I say "for" because the .vmdk file will most likely contain a reference to the image file).  Once you've done this, you can add this .vmdk file as an additional hard drive to a VMWare virtual machine (VM), and then boot that VM.  You can add a .vmdk file as an additional hard drive via VMPlayer, but if you have VMWare Workstation, you can add the .vmdk file as an independent, non-persistent disk, which means that no changes are made to the .vmdk file.

Note: You should always work on a copy of an image, not the original image file itself.

As a test, I opened VMPlayer running on a Windows 7 64-bit host system and selected a 32-bit Windows 2008 guest VM.  I added a .vmdk file from a 32-bit Windows 7 guest VM to the Win2008 VM as an additional hard drive, and booted the Win2008 VM.  Once I logged in, I was able to list the available VSCs from the Windows 7 .vmdk file (mounted as the E:\ volume) using the command vssadmin list shadows /for=e:.  From that point, it was simply a matter of using the mklink command to mount a VSC.

VHD Method
To use this method, download a copy of vhdtool, and use it to convert the image to a VHD file (i.e., vhdtool /convert).  The tool adds a VHD footer to the image file, so the extension of the image file won't change automatically, although that's not needed in order to mount the VHD file (you can change the extension manually, if you like).  You can then use the Disk Management tool to add the VHD file to a Windows 2008 or Windows 7 system as a read-only disk.

What now?
Once you've mounted the image file, you can list the available VSCs using the vssadmin command, and even create a batch file that will mount each VSC using the mklink command, run various tools on the mounted VSC (i.e., rip.pl/.exe, LogParser, etc.), and then unmount each VSC using the rmdir or rd command.

I've used this method to cycle through the VSCs within an image from a Vista system to extract information from a user's UserAssist key using the userassist_tln.pl RegRipper plugin (via rip.pl), in order to determine not only the last time that the user launched an application, but previous times, as well.

Resources
This section provides links to blog posts from other analysts to demonstrate what they've done while having access to VSCs...

- Stacey Edwards' SANS Forensic Blog post on using LogParser against VSCs
- Corey's "A Little Help with VSCs" post
- SANS Forensics Blog post (using TSK tools)

5 comments:

Jimmy_Weg said...

I've explained my method before, so I won't repeat it here. However, you can shorten the vmdk method by just creating a vmdk descriptor file in Wordpad and pointing it to your dd image file. After you create a VM, just take a snapshot. You don't need to work on a copy of your image, though I would simply make it RO in Windows. Of course, once you run your VM in VMW or Player, it's a snap to examine the shadows.

Keydet89 said...

Jimmy,

I've explained my method before...

Have you ever posted it anywhere public?

Also, if you're running the VM, how to you address logging in, and Windows Activation?

Jimmy_Weg said...

Have you ever posted it anywhere public?
Yes, on several forums. I also have a short go-by that I'd be happy to email to you.

Also, if you're running the VM, how to you address logging in, and Windows Activation?

In most instances, I've cracked the login password by the time that I boot my VM. If not, I strip it with ntpwedit. Activation rarely presents. When it does, I can call MS or otherwise get around it to gain access. I realize that calling MS is not a option for non-LE, and that's unfortunate.

Keydet89 said...

Jimmy,

Thanks.

Google reveals multiple sites for ntpwedit, do you have a preferred site?

Jimmy_Weg said...

I don't recall where I got mine, but the download at http://cdslow.webhost.ru/en/ntpwedit/ looks good. To use the tool, I mount the VM as RW and use ntpwedit on the SAM. I've found that ntpwedit is more reliable than booting with Nordahl's disc.