As a follow-on to my previous post, I wanted to provide a concise summary or overview of the processes for accessing VSCs.
First, a couple of important factors regarding this exercise:
The goal of this exercise was to identify and validate processes for accessing VSCs within acquired images, using free and open source tools on a Windows analysis system.
The source image file was from Digital Corpora's Lone Wolf scenario (downloaded *.e0x files, also converted to raw/dd). Note that when using mmls.exe to view the partition table, the partition type is "gpt", not "dos". This is part of the reason I wanted to use this image, to see if the tools used have any issues with different partition types. The other reason for using this image is that it is (relatively) easily accessible by almost anyone, and anything I did can be validated using the image.
Processes
*.e0x
Arsenal Image Mounter (Mount through libewf)
|__ ShadowExplorer (v0.9)
*After I posted this article, Eric Zimmerman pointed me to his VSCMount tool, which would be a great alternative to ShadowExplorer. Note that if you're using VSCMount, you won't be able to access the VSCs via Windows Explorer, but Eric was able to use PowerShell to navigate the file system. Similarly, I had no issues using a command prompt. There simply appears to be an issue when trying to use Windows Explorer.
raw/dd #1
Arsenal Image Mounter (Mount raw image)
|__ vssadmin
|__ vss (X:\)
|__ FTK Imager (add X:\ as logical drive evidence item)
raw/dd #2
mmls
|__vshadowinfo/vshadowmount (requires Dokan 0.7.4)
|__ access individual VSCs via FTK Imager (Image File)
raw/dd #3
Convert to *.e0x format, use *.e0x process (above)
I've been able to repeatedly replicate raw/dd processes #1 and #2 on several other images to which I have access.
Addendum, 7 Oct: I ran across Andrea Fortuna's blog post that addresses a few means for accessing VSCs, as well. At this point, I've already submitted that chapter for PWI that addresses this topic for technical review; this doesn't mean that there isn't time to address other methods; in fact, I'm going to be waiting until just prior to the due date to submit the chapter, as I'm keeping an eye on some tools to see if they're updated before the final submission of the chapter, and the overall manuscript.
3 comments:
Just an update - the old Garner FAU dd.exe tool still works in Windows 10 for the purpose of imaging VSCs as a physical disk dd image instead of just a logical like some of the other mentioned methods. Hope this helps.
Thanks, it does.
Do you have a link to the tool? An example of a command line?
Thanks.
Post a Comment