Examining the Shadow Volumes with X-Ways Forensics

At this point, we have all of the shadow volumes mounted, or at least those that we deem worthy of review.  I think that many folks delve into shadow volumes looking for things that don’t appear in the present system or which might have changed over time.  We all know that hashing is one of the most efficient ways in which to find objects of interest.  We can start with a hash set from our current system (target image) or dive in and hash all of the relevant file types “throughout history” and then compare and harvest what we need.  I usually start with a hash database crested from the current system.  That way, I can quickly filter out duplicates.

However, sometimes it’s important to look over dupes, as it may be noteworthy that two, identical files existed in different locations.  For example, let’s say that, in the current system, you find \<user>\Pictures\Dupe1.jpg, which is an evidentiary file.  That path is a default location to which graphics are downloaded. If you go back in the shadow volumes and find the same file at \MyIllegalFiles\Dupe1.jpg, the evidence may be enhanced.  The point is to use hashing as means to reduce the load, but use it wisely.

X-Ways Forensics (XWF) includes very robust hashing and filtering mechanisms.  It also affords an examiner the ability approach a task like hashing most efficiently by discriminating among the files of interest.  Maybe we want to exclude all graphics in the Windows tree.  If so, there is no need to hash-compare them.  I should mention that other XWF users might recognize approaches that differ from mine. One of the key features of XWF is that it allows any number (“X”) of ways to tackle a job.

I encourage readers to check Ted Smith’s library of XWF video tutorials at http://xwaysclips.blogspot.com/.  My premise is that many viewers are XWF users and have at least a modest degree of comfort with the application.  For those who are not XWF users, perhaps you’ll be impressed enough to pick up a copy or at least be able to adapt the techniques to your environment.

I usually start by creating a hash set from the current system.  In XWF, it’s as easy as a few clicks.  Watch the video:

My aim is not to provide a primer on hashing, but to demonstrate the mechanics.  I marked the hash set as notable, but could have checked the opposite.  Depending on your needs, you choose the best option.

We created our hash set in our host system, so we’ll export it for use in our SEAT workstation.  The following screenshot shows where we begin the export process.

Next, the Hash Database manager box opens.  We select the hash set and click Export.  XWF then exports the hash list in a delimited text file that can be used by other applications as well.

Once we have our hash set, we’re ready to examine the shadow volumes to see whether the files exist in them.  Again, there are X ways to approach a task.  Let’s now go back to our SEAT workstation, which contains our mounted shadow volumes.

Next, we’ll run XWF in the SEAT workstation and create a case.  XWF users should configure their general options for case and data locations.  Also, remember to make your dongle active in VMware, and copy your hash set to your VM.  First, I create a case, which I name MyImage, from the Case Data window’s File menu:

From the case name (MyImage), the context menu provides the objects that I can select and add to my case.  This is similar to all forensics tools in which we add the objects that we want to examine.  We’ll select the Add Medium option, which presents the physical and logical media that are available on the system (SEAT VM):


We can see a partial list of mounted shadow volumes in the above screenshot.  Now, we choose which shadow volumes to add to our case.  As I discussed in an earlier post, we should approach our exam intelligently.  While we can add all 19 shadow volumes to our case, we may not need to do so.  Consider your processing overhead, too.  After all, setting aside shadow volumes, how many times do you add 19 E01/dd image files to a single case?  To choose my target volumes, I find it helpful to create a text file that’s the output of the vssadmin command by directing it to a file:

Now, we have a reference of shadow volumes by date.  We also have the output of Danny Mares’ VSS:

For my demonstration, I’m going to add only a few shadow volumes to my case.  XWF easily can handle them all, as it does a great job of processing cases with hundreds of thousands of objects.  In my case, XWF took about 35 seconds to mount each shadow volume and identify its contents.  Speed, of course, is a factor of size and object numbers.  The next screenshot shows XWF adding one of the shadow volumes:

I added five shadow volumes, and my case tree looks like this:

In XWF, go back to the Tools menu, select Hash Database, and then Import Hash Set.  Then navigate to the hash set that you copied to your SEAT VM.  Once you select your hash set, you may elect to categorize it as irrelevant or notable.  I’ll leave mine as notable.

After importing, the hash set will appear in the Hash Database box that we saw before.  There are a number of things we can do at this point before searching for files.  XWF has a very powerful feature known as Refine Volume Snapshot (RVS).  I present the RVS box below, just to show its features.  Powerful as it is, it is also remarkably simple to employ.  I can invoke any of the options and direct XWF to refine every shadow volume at once.

I’m not going to refine my shadow volumes.  My goal is to identify “existing” files that match hash values from the current system.  To maximize efficiency, I’ll direct XWF to present a list of JPG files in the Directory Browser, which is analogous to Windows Explorer, but with many more options:

I should point out that, aside from the configurable fields and options available through the Directory Browser, XWF provides many more with respect to individual objects.  For example, MFT File Name date/time stamps are presented in the Details view for files.

The next video will take us to the point where XWF presents us a list of potentially notable files, based upon chosen criteria.

I want to emphasize that the filtering possibilities are limitless.  For instance, if I were interested in files in only a given user’s account, I could filter the Path with the string users\jimmy. So, let’s move to complete our hash analysis:

XWF traverses each volume and reports when the job is done.  We began with about 17,000 files, and the operation completed in about one minute.  Now that we finished the hash-match operation, let’s explore the results.

The results of our filter revealed 505 notable files.  XWF again provides an exceptionally adaptable filtering mechanism when it comes to hashing.  Regardless of how we categorized our hash set, we can filter to present files on either side of the “fence.”  We can, of course, change the category of our hash in the database manager.

Let’s go through one more step that may make more sense with respect to shadow volumes specifically.  I want to find all graphics that are not in my hash set because I know already that my hash set contains notable files that are present in the current system.

We can create additional hash sets right within our SEAT workstation and narrow down files quite a bit further. Again, I’m demonstrating techniques and not lecturing on hash analysis.  In the next post, I’ll show how we can export files securely and import them into our original case.  Oh, and be sure to get the latest VSS from Dan Mares’ site, as he’s added a number of very helpful enhancements http://www.dmares.com/pub/nt_32/vss.exe. Thanks for watching!



  1. Dave Reid says:

    I think I must have missed something. I have an E01 file of a laptop which I have mounted and then following the instructions you give elsewhere I have created a VM using this physical disk. I created the snapshot and the VM runs fine. The issue I am having is when I try to run VSS there appears to be no Volume Shadow Copies to mount. I have checked the system restore settings and I am informed that the only available restore is from the time the snapshot was made. I know that there are at least 19 Shadow copies on the original OS. Any ideas

    • jimmyweg says:

      First, make sure that the shadow volumes are existing files. Did you install VMware tools? If you did, it probably created a new restore point, which deleted all existing ones.

      • Dave Reid says:


        Did install VMWare tools so this could be the issue. Will have another look at it when I get a minute.



Leave a Reply

Your email address will not be published. Required fields are marked *