Examining Shadow Volumes Through an E01-Based VM With X-Ways Forensics

Now that we created a VMware VM from an E01, I should explain how we get to the shadow volumes.  The procedure is different from the one that we used with a single or segmented dd image.  With an E01, we began by mounting the E01 as a physical disk with the tool of our choice.  As a refresher, here’s a screenshot.

Note that I have a single E01, but a segmented one works as well.  Also remember that, if you have a segmented dd and don’t want to go to the trouble to create a vmdk descriptor as I outlined, you can mount the segmented dd image as a physical disk just like an E01.

Because we began with a physical disk, we can’t add it to our SEAT workstation as we did a VMware virtual disk, if we’re after shadow volumes.  Doing so would be the same as if we just mounted an image in our host workstation; we can access the volume, but not the shadow volumes.  However, don’t forget the VHD approach.

First, we have to mount our E01 as we did when we created the VM. An important point to remember is the physical drive number of your original VM.  VMware will not budge if the number changes, unless you edit the vmdk file.  To change the disk number, edit the string PhysicalDrive#, where # is the drive number.  Set it to the original and then open VMware so that it can enumerate the drives in your system.  The next step is to take an extra snapshot, and I’ll assume that we’re starting with our original, ready-to-go VM.

We’re going to approach this task by booting our VM and working in the live system.  Before we begin, remember what I said a long time ago about ensuring the integrity of your shadow volumes, with respect to numbers.  Before you launch a VM, note the number and dates of shadow volumes by studying the System Volume Information folder in the image within your exam tool:

I have 19 shadow volumes, and the first was created on December 31, 2011.  When we boot an image, we have a dynamic system.  Depending on drive size, timing, events, etc., the system will create new restore points, which may overwrite the earliest shadow volume(s).  We can deal with that, but you have to bear this in mind.  That’s why I created an extra snapshot.

Before we boot, we should prepare a thumb drive with the essential exam tools, e.g., X-Ways Forensics (XWF) and Maresware’s VSS.  Put anything on it that you want.  There aren’t, however, many full-fledged Windows forensics tools that can be run from a thumb drive, and it’s best to avoid installing things in the VM.  I find it handy to place a shortcut to XWF in the root of my thumb.  Once you copy XWF to your thumb, run it in your host and set your options.

If it’s not clear in the screenshot, my XWF application is in the X-Ways Forensics folder, which is in the root of my thumb.  I used relative (..\) paths to direct the yellow-highlighted locations to the configuration folders, which also are in the root.  Also check the box to always run XWF as administrator.  Your thumb is now completely portable among different VMs.

Next, boot your VM and log on to the desktop.  If you succeed, you followed the instructions quite well!  First, I connect my dongles and my exam thumb to the VM.  If you find that you go back and forth to XWF between host and guest, another dongle is great!  XWF will let you assign a specific dongle to the host and guest, respectively.

In the screenshot, the Voyager GT is my exam thumb.  Just follow the arrow and click connect.  Do the same for your dongle(s).  Now, we can navigate to our exam thumb.

The first thing that I do is check my shadow volumes.  Enjoy the movie!

Remember to press Ctrl-Shift-Enter after typing cmd.  You must run vssadmin as Administrator.  We can see that we have all of our shadow volumes (there’s a time zone difference).
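To make the before-and-after comparison repeatable, here is an added example (not part of the original post) that parses saved `vssadmin list shadows` output and compares it with the count and earliest date noted from the image. It assumes the output was redirected to a text file and uses the US English date format; the function names, sample text and GUIDs are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `vssadmin list shadows` output, trimmed to the lines
# the parser reads. GUIDs are placeholders; US date format is an assumption.
SAMPLE = r"""
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 12/31/2011 1:30:00 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a1}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 1/7/2012 9:05:12 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a2}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 1/14/2012 10:41:55 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a3}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

def parse_shadows(text, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Return [(creation_time, device_path), ...] sorted oldest first."""
    shadows, created = [], None
    for line in text.splitlines():
        m = re.search(r"creation time:\s*(.+?)\s*$", line)
        if m:  # one creation time applies to every copy in the set
            created = datetime.strptime(m.group(1), fmt)
            continue
        m = re.search(r"Shadow Copy Volume:\s*(\S+)", line)
        if m and created is not None:
            shadows.append((created, m.group(1)))
    return sorted(shadows)

def check_baseline(shadows, count, earliest, slack=timedelta(hours=24)):
    """Compare the live list with the count/earliest date noted from the image."""
    if not shadows:
        return ["no shadow volumes listed"]
    findings = []
    if len(shadows) != count:
        findings.append(f"count changed: image {count}, live {len(shadows)}")
    # slack absorbs the time zone difference between exam tool and guest
    if shadows[0][0] - earliest > slack:
        findings.append(f"earliest shadow volume lost; oldest is now {shadows[0][1]}")
    return findings

if __name__ == "__main__":
    print(check_baseline(parse_shadows(SAMPLE), 3, datetime(2011, 12, 31, 18, 30)))
```

An empty list means the live VM still matches the baseline; any finding is a cue to revert to the extra snapshot before continuing.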

We’re now set to examine shadow volumes just as we did before.  Run Dan Mares’ VSS and map all or any of the shadow volumes.  Dan has made VSS quite intuitive.  Before you go forth and mount all shadow volumes, I’ll offer a suggestion.  Start with only the first (earliest), and maybe the second.  You’ll find that navigating your VM will be a lot easier if you install VMware Tools in the VM.  Doing so, however, will create a restore point and risk deleting one or more shadow volumes.

Of course, you always can go forth, install VMware Tools right away, and re-check your shadow volumes.  After all, snapshots are your friend.  If you work in your VM long enough, new restore points will be created regardless of whether you install anything.  If you just want to do a quick check of the earliest shadow volume, or have just a very focused exam in mind, tune in next time for a quick tip on shadow volume “instant gratification”!
