I. Shadow Scanner
In the first section of this post, I’m going to review another way to examine shadow volumes, by using a commercial tool named Shadow Scanner, which is produced by EKLsoftware. One of our esteemed colleagues, Rob Erdely, is on the EKLsoftware team and is very well versed in Shadow Volumes. The link above also guides the reader to a couple of videos that nicely explain Shadow Volume basics and the Shadow Scanner application.
Please keep in mind that I’m not going to present a tutorial on Shadow Scanner (SS), beyond a simple demonstration. The guys at EKLsoftware already have done that through their videos and PDF documentation. My aim is to show that you can avail yourself of SS’s powerful features right in your SEAT workstation. You don’t need to restore the image (which is unnecessary with respect to almost any shadow volume exam).
As we’ve seen, accessing the Shadow Volumes from an image or mounted image (volume) directly on forensic workstation, through Windows, generally is not possible. While we can do so by converting our image to VHD format, doing so requires editing our dd image file as I described in a previous post.
In a nutshell, SS allows an examiner to compare Shadow Volumes with the target’s current system to see whether files were changed, deleted, or added. I’ll start with a video in which I set up a scenario. Previously, I added the virtual disk (vmdk file), which I created from my image of the target system, to my SEAT workstation. It’s Volume F:
As you saw, I added a file to, and deleted some files from, an arbitrarily chosen folder. Next, we”’ run SS.
As we saw, SS compared the target folder with the current volume and noted files that had been deleted, i.e., not present in the current volume, but present in the selected shadow volume. SS also noted the created file, i.e., present today, but not in the selected shadow volume. Using your SEAT VM allows you to employ SS without restoring the image file or installing SS in a booted image of the target.
Again, there are all kinds of options that SS affords an examiner. For one, you’re not limited to selecting only one shadow volume to scan and compare. Visit the SS site and have a look. The publishers also are kind enough to offer a trial version.
II. Another Approach
One last point on getting your image file into your SEAT workstation. In an earlier post, I described how we add a custom-built, virtual disk to our SEAT workstation. Generally, I create VMs from my target image files because I want to boot the target and kind of immerse (pun on Windows 8 intended) myself in the user’s system. However, you don’t have to create a vmdk disk. You can mount an image (any format) in your host and add the mounted image to your SEAT workstation. Watch.
Note that, in FTK Imager, I selected the Block Device / Writable method. This allow “writes” to the disk to be cached, as opposed to actually being written to the mounted image. I also left the Mount Type as Physical & Logical, although I could have chosen Physical Only.
Next, we’ll add the mounted, physical disk to our SEAT workstation.
If we mount the image as Block Device / Read Only with FTK imager, we have to take a snapshot of the SEAT workstation before we boot it with the mounted disk attached. When you boot your VM, you may see a couple of things that catch your attention.
Insofar as the SCSI disk warning is concerned, you may ignore it and click OK. The second screenshot reveals that Windows wants to check one of our disks, which is the newly added physical disk, for consistency (CHKDSK). You may just let it proceed, or canceling likely will have no effect.