So, we found some evidence in the shadow volumes. The next step is gathering the relevant files so that we can present the evidence to our audience. There is more than one way to do this, and I’ll present one.
Before venturing into the subject matter of this post, I want to bring my audience up to date on enhancements to VSS. Dan Mares has been making our jobs easier! Dan also has updated the Help file, so be sure to pick up both at http://www.dmares.com/pub/nt_32/vss.exe and http://www.dmares.com/maresware/tz.htm#VSS, respectively. Let’s start by mounting every shadow volume.
VSS now produces a log file named MOUNTED_LOG.TXT in the path from which we run VSS. This handy file records the shadow volumes that we mounted in a simple string: H:I:J:K:L:, etc. Now, to unmount them all at once, we need only enter the following command: vss MOUNTED_LOG.TXT
You still can mount and unmount individual shadow volumes in the other ways that I described in an earlier post. In addition, users can rename respective copies of VSS to VSSMount and VSSUnmount, which obviates the need to type the mount or unmount commands in the respective mounting and unmounting scenarios.
Okay, back to the main topic. We’ll begin by opening our X-Ways Forensics (XWF) case in our SEAT workstation. The next screen shot shows our XWF case, together with the VSS command box and our text file list of mounted shadow volumes. We’ll presume that every file in the window is relevant to our case, and we want to document and export those files.
Every volume in our case is a shadow volume: H:, K:, N:, Q:, U:. Every shadow volume is tied to a ShadowCopy number. If we follow the arrows, we can see that H: is ShadowCopy6, which was created on 11/19/2011. Here’s another representation, and we can see how every file is tied to a specific shadow volume.
We can export our files, but let’s use a neat feature of XWF to document and report the shadow volume evidence. We’re going to create XWF Report Tables to segregate our relevant files and document their origins. We start with all relevant files from ShadowCopy6 (Volume H:) highlighted. As usual, there are X ways to do this, but here’s one. I’ll explain more after you watch the video.
We’ll repeat the Report Table creation process by highlighting and creating a Report Table for each group (by volume) of relevant files. When we’re done, it looks like this:
We have five Report Tables that include the respective, relevant files. Once we create Report Tables, we can filter our case to present or exclude any combination of such objects. As one alternative, I could have included every file in a single Report Table and then added Comments to each file to designate the source shadow volume. The Comments option also is available from the context menu and can be applied to selected files.
We’ve seen how to find noteworthy files among any number of shadow volumes. Now, we need to save them in a presentable format. My approach is to extract the files from the shadow volumes and incorporate them into my primary case, which is based on the current system. Although you can simply copy the files out of the shadow volumes to your host system, I suggest a better way to preserve the evidence and its integrity. I use X-Ways Forensics Evidence File Containers.
A Container, as its name suggests, is a place to store objects. However, it is a lot more, in that we can include the original object metadata, such as date stamps, paths, deletion status, etc. Files can be hashed to ensure authenticity after they leave the shadow volumes. A Container is built on the X-Ways File System (XWFS), which also is readable by most forensics tools. I’ll explain a little more after we view the following video, which shows how I create and add files to a Container.
We filtered Volume H: for Report Table files. We can leave all Report Tables highlighted because we selected only Volume H: in the case tree. We’ll create one Container for each shadow volume and name them accordingly. When I created the Container, I kept the default settings, with the exception of exporting hash values. Then, I elected to retain full path information for each shadow volume. As you saw, there are lots of options as well as space to add comments and the like. As I create each container, I filter each shadow volume by the Report Tables, and that presents each volume’s files of interest. I select each volume’s files, right-click, and add the files to the appropriate Container.
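The Container idea above (keep the original path, the date stamps and a hash with every file that leaves a shadow volume, then prove later that nothing changed) can be reproduced outside XWF. The following is an added example, not X-Ways code and not part of the original post; it assumes the shadow volume is mounted as an ordinary directory, uses a plain folder plus a JSON manifest in place of XWFS, and builds a small constructed ShadowCopy6 tree in a temp directory so it runs offline.

```python
"""Added example: export files from a mounted shadow volume with their
original path, size, mtime and SHA-256, then verify the copies later."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(volume_root: Path, relevant: list, dest: Path, label: str) -> list:
    """Copy each relevant file (path relative to the shadow volume root) into
    dest/<label>/<original relative path>, keep its mtime, and return manifest rows."""
    rows = []
    for rel in relevant:
        src, dst = volume_root / rel, dest / label / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves the modification time
        st = src.stat()
        rows.append({"source_volume": label, "original_path": str(rel),
                     "size": st.st_size, "mtime": st.st_mtime,
                     "sha256": sha256_of(src), "exported_to": str(dst)})
    return rows

def write_manifest(rows: list, path: Path) -> None:
    path.write_text(json.dumps(rows, indent=2))

def verify(rows: list) -> list:
    """Return original paths whose exported copy no longer matches its manifest hash."""
    return [r["original_path"] for r in rows
            if sha256_of(Path(r["exported_to"])) != r["sha256"]]

def demo() -> dict:
    """Constructed sample: a fake ShadowCopy6 (H:) tree with two relevant files."""
    work = Path(tempfile.mkdtemp())
    vol = work / "H"
    files = {"Users/alice/notes.txt": b"meeting notes\n",
             "Users/alice/report.docx": b"PK fake\n"}
    for rel, data in files.items():
        (vol / rel).parent.mkdir(parents=True, exist_ok=True)
        (vol / rel).write_bytes(data)
    rows = collect(vol, list(files), work / "container", "ShadowCopy6_H")
    write_manifest(rows, work / "container" / "manifest.json")
    clean = verify(rows)                                   # expect no mismatches
    Path(rows[0]["exported_to"]).write_bytes(b"altered\n")  # simulate a damaged copy
    return {"rows": rows, "clean": clean, "tampered": verify(rows)}
```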
That’s it for now. Next, I’ll post my method for incorporating our Containers (shadow volume evidence) into our main case.