“Weg, I’m afraid that I don’t have VMware. How do I Examine Shadow Volumes?”

First, you have my sympathy.  However, I’m glad that you Just Asked Weg. I’ll present one approach, knowing that there are others that also happen to be free.  To do this, we’re going to employ Microsoft’s Virtual Hard Drive (VHD) format.  We need a dd image, which we’ll convert to VHD format.  The converter is a command line program, VHD Tool (VHDT), that’s available freely from Microsoft: http://archive.msdn.microsoft.com/vhdtool/Release/ProjectReleases.aspx?ReleaseId=5344

Before we start, I want to point out that converting your image with VHDT changes your image file.  First, it adds a footer of 512 bytes.  If your image doesn’t end on a sector boundary, VHDT pads the original image with 0x00 to end on a sector.  (I think that your images typically will end with a complete sector.)  So, you have a couple of options.  You can create an extra image and use VHDT with the spare.  Nothing that VHDT does will affect the shadow volume data.

An alternative is to use the original and then edit the VHDT-converted image to return it to its former state when you’re done.  If you choose this approach, I’d hash the image after editing to be sure that you returned it to its original condition.  Whether you even consider this method depends on your view of actually making changes to your original image.  Remember, we started with the premise that you don’t have VMware (or some virtualization tool that uses the VMware formats).

So, let’s run VHDT, which is in the folder with our image, against an image file.  First, I’ll show the screen with all of the VHDT options.

It’s pretty straightforward.  We’ll run VHDT with the /Convert option.  As in the screenshot, be sure to use the forward slash.  Note the size of the image file in the picture above the command box.  Next, we run vhdtool /convert myimage.001.

Note that the file is about 1KB larger than the original.  If we open our converted image and navigate to its end, we’ll find that the additional sector looks like this:

For those who want to produce only one image, discarding this last sector should restore your image to its original condition.  Hash it to be sure.  To show what a VHDT-converted, non-sector-ending image looks like, I present the following screenshot:

I’m sure that some will recognize that I used a “custom” image, so it was easy for me to determine positively where my original ended.  Of course, it would be just as easy to make note of where your original ends before you convert the image.
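As an added illustration that is not part of the original post, the following Python script emulates the two changes described above on a constructed in-memory image (zero padding to a sector boundary, then a 512-byte fixed-disk footer laid out per Microsoft’s published VHD specification), then strips them and compares hashes the way the post advises. It is not VHDT’s own code; the creator tag "weg " and the zeroed geometry field are placeholder values, and `original_len` is the size you noted before converting.

```python
import hashlib
import struct

SECTOR = 512
VHD_COOKIE = b"conectix"

def vhd_checksum(footer: bytes) -> int:
    # Per the VHD spec: one's complement of the byte sum, with the checksum field (offset 64) zeroed.
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def build_fixed_footer(current_size: int) -> bytes:
    # Constructed fixed-disk footer; creator tag "weg " and zero geometry are placeholders, not VHDT values.
    head = struct.pack(">8sIIQI4sI4sQQ4sI", VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                       0, b"weg ", 0x00010000, b"Wi2k", current_size, current_size, b"\x00" * 4, 2)
    footer = head + b"\x00" * (SECTOR - len(head))  # checksum, unique id, saved state, reserved
    return footer[:64] + struct.pack(">I", vhd_checksum(footer)) + footer[68:]

def convert_to_vhd(raw: bytes) -> bytes:
    # What the post describes: pad with 0x00 to a sector boundary, then append one footer sector.
    pad = (-len(raw)) % SECTOR
    return raw + b"\x00" * pad + build_fixed_footer(len(raw) + pad)

def parse_footer(vhd: bytes) -> dict:
    # Validate the trailing sector before trusting it: cookie, checksum, then pull the fields we need.
    footer = vhd[-SECTOR:]
    if footer[:8] != VHD_COOKIE:
        raise ValueError("last sector is not a VHD footer")
    if struct.unpack(">I", footer[64:68])[0] != vhd_checksum(footer):
        raise ValueError("VHD footer checksum mismatch")
    return {"current_size": struct.unpack(">Q", footer[48:56])[0],
            "disk_type": struct.unpack(">I", footer[60:64])[0]}

def restore_raw(vhd: bytes, original_len: int) -> bytes:
    # Drop the footer and any zero padding; original_len is the size noted before conversion.
    info = parse_footer(vhd)
    if info["disk_type"] != 2:  # 2 = fixed disk; only a fixed VHD is "image plus footer"
        raise ValueError("not a fixed VHD")
    data = vhd[:-SECTOR]
    if len(data) != info["current_size"] or original_len > len(data):
        raise ValueError("footer size field disagrees with the file")
    if any(data[original_len:]):
        raise ValueError("bytes past the original end are not zero padding")
    return data[:original_len]

def restores_cleanly(raw: bytes) -> bool:
    # Round trip: convert, strip, and compare hashes as the post advises.
    restored = restore_raw(convert_to_vhd(raw), len(raw))
    return hashlib.sha256(restored).hexdigest() == hashlib.sha256(raw).hexdigest()
```

On a real converted file, read the image into `vhd` and call `restore_raw` with the byte count you recorded before running VHDT; a non-zero padding region or a checksum failure means the trailing sector is not the footer you expect.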

Okay, we now have a VHD file, so let’s append an extension: MyImage.001.vhd.  Next, we’ll mount our VHD file directly in Windows 7.  I begin with the Disk Management feature of Windows Computer Management.


As we mounted the VHD as read-only, we won’t bother with setting that attribute with Diskpart as I demonstrated in an earlier post.  I should point out that, even if you don’t bother with Diskpart in your SEAT workstation, Windows doesn’t let you alter shadow volumes or their contents.  I seem to recall, however, that Windows may create a new restore point on your virtual disk and may delete an old one, although I haven’t tested that possibility.  Still, you could make other alterations otherwise, if you don’t use Diskpart.

At this point, we can examine our mounted disk as we would in the VMware method that I presented over the course of my posts.  As the next screenshot demonstrates, vssadmin can enumerate the shadow volumes on the system partition (K:) of our mounted disk.

When you’re done with your VHD disk, you can detach it as in the next screenshot.  That, too, is done in Disk Management, but by right-clicking on the Disk.

Note that other mounting tools, including FTK Imager and Mount Image Pro, will not mount an image in a manner that allows you to access (allows you to mount) shadow volumes.  Mounting a VMware vmdk file with VMware also will not work.  Third party tools, e.g., WinMount, which can mount VHD files, also produce a volume on which we can’t access shadow volumes.  It seems that, if you can’t see your mounted image in Windows Disk Management, you won’t be able to access the shadow volumes.

Once your VHD is mounted, you can proceed with a shadow volume exam as though you were working in VMware.  Dan Mares’ vss will work splendidly, as will X-Ways Forensics.  I’ll also point out that you can probably boot your VHD image in Windows 7 with Windows VHD Boot or Microsoft’s Virtual PC, though I’m not conversant in their use.

If you have only an E01 image and don’t have VMware, you’ll have to convert it to a dd and then convert the dd to VHD.  One topic that’s on my agenda is doing a shadow volume exam on a mounted E01.

7 comments

  1. H. Carvey says:

    Just saw someone post to ForensicFocus this morning about this…directed them to your blog post, as well as mine, here:
    http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html

  2. randomaccess says:

    I’m not sure if it’s covered anywhere, but I had a minor problem using vhdtool so just in case I thought I’d post.

    I was getting an error trying to convert a raw DD image to vhd using vhdtool /convert
    Deselecting the “Read Only” flag on the image seemed to allow the process to complete.

    • jimmyweg says:

      I start with an image that is not set to RO, and the process always completes. As VHD alters the file, it must be RW. Perhaps your imager sets the attribute to RO.

    • H. Carvey says:

      Having the RO flag set prevents writing to the image file…

      • jimmyweg says:

        Thanks, Harlan. When I mounted my VHD file with Disk Management, I chose the read-only option. If I removed the footer data thereafter, the image hashed to the original.

  3. H. Carvey says:

    Great stuff, Jimmy, thanks for sharing. I’d covered this starting on page 54 of “Windows Forensic Analysis Toolkit 3/e”, and I’m glad to see others, particularly someone as well-respected and highly thought of in the industry such as yourself also talking about this…it’s extremely useful information.
