Shadow Forensics

Posted on October 10, 2008. Filed under: Computer Forensics

Shadow Copy (also called Volume Snapshot Service or VSS, or Previous Versions in Windows Vista) is a feature introduced with Windows XP with SP1, Windows Server 2003, and available in all releases of Microsoft Windows thereafter, that allows taking manual or automatic backup copies or snapshots of a file or folder on a specific volume at a specific point in time. It is used by NTBackup and the Volume Shadow Copy service to back up files. In Windows Vista, it is used by Windows Vista’s backup utility, System Restore and the Previous Versions feature. Shadow Forensics is effort required to penetrate  

From: Rob Lee http://sansforensics.wordpress.com/

Shadow Forensics has been particularly fascinating to learn about over the past two days, so I thought I would share it on the blog at http://forensics.sans.org under the community tab, click on “SANS Forensic Blog”. In addition, this information could make a huge difference on analyzing servers that contain malware where you theorize the malware has been wiped. In addition, the implications for traditional and cyber crime forensics are extraordinary. This information needs to be shared.

Why is shadow forensics a big deal?
1. Bad guy downloads evilware to a 2003, Server 2008, or Vista system.
2. Evilware does evil.
3. Bad guy wipes evilware from the machine.
4. Evilware is no longer on the machine in free space or recoverable… or is it?
Volume Shadow Copy will allow you to physically mount via a symbolic link the entire volume as it looked just a few hours or days ago. Alternatively, you can image (yes, image) the entire volume as it looked hours/days ago. Say you examine the NTFS Volume (250GB in size) looking for Shadow Copy Volumes. You find 10 of them. This means that including the original image of the drive, you can also acquire 10 additional FULL images, each one from a different point in time. That's all we need… MORE data to analyze.
How does this change things?
1. Responder creates a symbolic link to the shadow volume or images the entire volume as it looked just days ago.
2. Responder recovers evilware and sends it to the Reverse Engineering team.
3. Another victory.
Read more at http://forensics.sans.org under the community tab and then click on SANS Forensic Blog.
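The mount-and-recover step described above, written out as an added PowerShell example (this is not code from the original post or from SANS): it enumerates the host's shadow copies, exposes each one through a directory symbolic link, and hashes a file of interest as it existed at every snapshot time, so a responder can see when it appeared or changed. The link directory C:\vss_mounts and the relative path Windows\Temp\suspect.exe are placeholders, and the script assumes an elevated prompt on a Windows host with PowerShell.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# prompt on a Windows host. $LinkRoot and $RelativePath are placeholders.
$LinkRoot     = 'C:\vss_mounts'                 # placeholder mount directory
$RelativePath = 'Windows\Temp\suspect.exe'      # placeholder path, relative to the volume root

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

# Win32_ShadowCopy lists every snapshot; DeviceObject is the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that mklink needs.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate

foreach ($sc in $shadows) {
    $taken = $sc.InstallDate                                   # when the snapshot was taken
    $n     = ($sc.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link  = Join-Path $LinkRoot "shadow$n"

    if (-not (Test-Path $link)) {
        # mklink needs the trailing backslash on the device path to mount it
        # as a directory; the snapshot itself is read-only.
        cmd /c mklink /d $link "$($sc.DeviceObject)\" | Out-Null
    }

    $candidate = Join-Path $link $RelativePath
    if (Test-Path $candidate) {
        $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
        '{0}  shadow{1}  volume {2}  {3}  {4}' -f $taken, $n, $sc.VolumeName, $hash, $candidate
    } else {
        '{0}  shadow{1}  volume {2}  (file not present in this snapshot)' -f $taken, $n, $sc.VolumeName
    }
}
```

Comparing the hashes across snapshots shows the window in which the file was written, replaced or deleted; the same device paths can be read by a raw imaging tool when a full image of the snapshot is wanted instead of a mount.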
