Thursday, September 06, 2018

Accessing Volume Shadows, re-revisited

As a follow-on to my previous post, I wanted to provide a concise summary or overview of the processes for accessing VSCs.

First, a couple of important factors regarding this exercise:

The goal of this exercise was to identify and validate processes for accessing VSCs within acquired images, using free and open source tools on a Windows analysis system.

The source image file was from Digital Corpora's Lone Wolf scenario (downloaded *.e0x files, also converted to raw/dd).  Note that when using mmls.exe to view the partition table, the partition type is "gpt", not "dos".  This is part of the reason I wanted to use this image, to see if the tools used have any issues with different partition types.  The other reason for using this image is that it is (relatively) easily accessible by almost anyone, and anything I did can be validated using the image.

Processes

*.e0x
Arsenal Image Mounter (Mount through libewf)
  |__ ShadowExplorer (v0.9)

*After I posted this article, Eric Zimmerman pointed me to his VSCMount tool, which would be a great alternative to ShadowExplorer.  Note that if you're using VSCMount, you won't be able to access the VSCs via Windows Explorer, but Eric was able to use PowerShell to navigate the file system.  Similarly, I had no issues using a command prompt.  There simply appears to be an issue when trying to use Windows Explorer.

raw/dd #1
Arsenal Image Mounter (Mount raw image)
  |__ vssadmin
          |__ vss (X:\)
                |__ FTK Imager (add X:\ as logical drive evidence item)

raw/dd #2
mmls
  |__vshadowinfo/vshadowmount (requires Dokan 0.7.4)
         |__ access individual VSCs via FTK Imager (Image File)

raw/dd #3
Convert to *.e0x format, use *.e0x process (above)

I've been able to repeatedly replicate raw/dd processes #1 and #2 on several other images to which I have access.

No comments: