CH7: Windows Shadow Copy (VSS) Forensics
Chapter Overview
In previous chapters, we examined the file system as it exists now. We looked at current files, current registry hives, and current user activity. But what if the evidence you need—the incriminating spreadsheet, the malware executable, or the browser history—was deleted three days ago?
Enter the Volume Shadow Copy Service (VSS). Often referred to simply as "Shadow Copies" or "Previous Versions," this technology acts as a built-in time machine for the Windows operating system. For a forensic examiner, VSS is often the difference between a "dead end" and a "solved case." It allows us to mount and explore the state of a computer system at specific points in the past, recovering deleted data and viewing files as they existed before a suspect tried to cover their tracks.
Learning Objectives
By the end of this chapter, you will be able to:
- Explain the architectural components of the Volume Shadow Copy Service (VSS), including Providers, Writers, and Requestors.
- Differentiate between full backups and the "Copy-on-Write" differential method used by VSS.
- Locate and access Shadow Copies on a live system using native Windows tools and command-line utilities.
- Analyze Shadow Copies within a forensic image to recover deleted files and compare file versions over time.
- Evaluate how insider threats and malware (specifically ransomware) utilize VSS for malicious purposes, such as credential theft or inhibiting system recovery.
7.1 Introduction: The Forensic Time Machine
The Volume Shadow Copy Service (VSS) was originally introduced in Windows XP and Server 2003 to solve a specific IT problem: How do you back up a file that is currently open?
In older operating systems, if a user had a Word document open, the backup software could not copy it because the file was "locked" by the application. VSS solved this by creating a block-level "snapshot" of the volume. This snapshot allows the backup software to read a frozen, consistent state of the data, even while the user continues to type in the document.
Forensic Significance: While intended for backups and "System Restore" points, VSS inadvertently creates historical snapshots of the entire drive.
- Did the user delete a file? It might still exist in the Shadow Copy from yesterday.
- Did the user overwrite a log file? The old version is likely in the Shadow Copy.
- Did malware infect the system? You can compare the current system to a Shadow Copy from last week to see exactly what files changed.
7.2 How VSS Works: The Architecture
To understand how to analyze VSS, you must understand how it stores data. It does not make a full duplicate of the hard drive every day (that would fill up the disk instantly). Instead, it uses a Differential method known as Copy-on-Write (COW).
The Components
VSS interacts with three key players:
- Requestor: The software that asks for a snapshot (e.g., Windows Backup, System Restore, or a Forensic Tool).
- Writer: The component (often part of an application like SQL Server or Exchange) that ensures data is consistent before the freeze.
- Provider: The interface that actually creates the shadow copy (usually the default Windows software provider).
The "Copy-on-Write" Mechanism
When a Shadow Copy is created, VSS doesn't copy any data immediately. It just marks the current state.
- Step 1: VSS creates a snapshot (indexes the drive).
- Step 2: The user opens Report.docx and makes changes.
- Step 3: Before the new data is written to the disk, Windows copies the old data blocks (the original version of Report.docx) to a special storage area called the Diff Area (Snapshot Storage).
- Step 4: The new data is written to the live file system.
The Result: The "Live" drive has the new file. The "Shadow Copy" is a virtual view that combines the unchanged data on the disk with the old data blocks saved in the Diff Area.
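The following Python model, added here as an illustration and not part of the original chapter, walks through the Copy-on-Write steps above on a toy volume. It is a deliberately simplified model: a volume is a list of blocks, each snapshot owns a "diff area" dictionary, and the old contents of a block are saved only the first time that block is overwritten after the snapshot. The on-disk format inside System Volume Information is more involved; only the concept is modelled.

```python
"""Simplified Copy-on-Write model of Volume Shadow Copies (added example).

Assumptions (not from the chapter): a volume is a list of equally sized
blocks, a snapshot is a name plus an empty diff area, and the old data of a
block goes into the NEWEST snapshot's diff area on first overwrite.
"""


class Volume:
    def __init__(self, blocks):
        self.live = list(blocks)   # the current, "live" on-disk blocks
        self.snapshots = []        # each: {"name": str, "diff": {block_index: old_bytes}}

    def create_snapshot(self, name):
        # Nothing is copied at snapshot time; a new, empty diff area is opened.
        self.snapshots.append({"name": name, "diff": {}})

    def write_block(self, index, data):
        # Copy-on-write: preserve the old block in the newest snapshot's diff
        # area, but only if it has not already been saved there. A second
        # write to the same block after the snapshot costs no extra space.
        if self.snapshots:
            diff = self.snapshots[-1]["diff"]
            if index not in diff:
                diff[index] = self.live[index]
        self.live[index] = data

    def read_snapshot_block(self, snap_index, block_index):
        # A snapshot's view of a block is the oldest preserved copy held by
        # that snapshot or any later one; if no diff area holds the block, it
        # was never changed and is read straight from the live volume.
        for snap in self.snapshots[snap_index:]:
            if block_index in snap["diff"]:
                return snap["diff"][block_index]
        return self.live[block_index]

    def snapshot_view(self, snap_index):
        # The virtual "Previous Versions" view: unchanged live blocks plus
        # preserved old blocks from the diff areas.
        return [self.read_snapshot_block(snap_index, i) for i in range(len(self.live))]

    def diff_area_size(self, snap_index):
        # Space actually consumed by one snapshot (only changed blocks).
        return sum(len(b) for b in self.snapshots[snap_index]["diff"].values())


def demo():
    # Constructed sample: a four-block volume where "Report.docx" lives in block 2.
    vol = Volume([b"boot", b"mft ", b"Report v1", b"free"])
    vol.create_snapshot("Monday")
    vol.write_block(2, b"Report v2")   # first edit after Monday: v1 is preserved
    vol.write_block(2, b"Report v3")   # second edit: block already saved, no copy
    vol.create_snapshot("Wednesday")
    vol.write_block(2, b"Report v4")   # v3 is preserved in Wednesday's diff area
    return vol


if __name__ == "__main__":
    v = demo()
    print("live:     ", v.live)
    print("Monday:   ", v.snapshot_view(0))
    print("Wednesday:", v.snapshot_view(1))
```

Running the model shows why the live drive holds only the newest version while each snapshot still reconstructs its own: the Monday view returns the original block from its diff area, the Wednesday view returns the block as it stood when that snapshot was taken, and the unchanged blocks are read from the live volume in both cases.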
Physical Location:
These "Diff Area" files are stored in the root of the drive in a hidden, system-protected folder named:
C:\System Volume Information\
Warning
Never attempt to browse System Volume Information on a live suspect machine using Windows Explorer. You can corrupt the restore points or alter timestamps. Always access it via forensic tools or command line.
7.3 What Data Can Be Found?
Shadow copies are comprehensive. They are not just backups of documents; they are snapshots of the volume. This means they capture:
The Registry
VSS captures the NTUSER.DAT, SAM, SYSTEM, and SOFTWARE hives.
- Use Case: If a suspect creates a user account, performs a malicious action, and then deletes the user account, the "Live" registry will show no trace of that user. However, a Shadow Copy created during the user's existence will contain that user's profile and activities.
Browser History
Web browsers store history in database files (locked when the browser is open). VSS captures these databases.
- Use Case: A suspect clears their browser history (wiping the places.sqlite or History file). By mounting a Shadow Copy from two days ago, you can recover the browsing history as it existed before the wipe.
Deleted Files
If a file is deleted from the live system, the blocks of data are marked as free. However, if a Shadow Copy exists that points to those blocks, the data is preserved.
- Use Case: Recovering "shredded" or securely deleted files that cannot be carved from unallocated space.
7.4 Insider Threats: The Dark Side of VSS
While VSS is a defender's tool, savvy insider threats and attackers utilize it for two primary malicious purposes: Credential Theft and Anti-Forensics.
Malicious Credential Extraction
The most sensitive files on Windows (SAM, SYSTEM, and Active Directory's ntds.dit) are exclusively locked by the kernel. You cannot copy/paste them.
- The Attack: An attacker with administrative privileges can use the built-in VSS command line tool (vssadmin) to create a shadow copy of the C: drive.
- The Exfiltration: Once the shadow copy is created, the attacker can copy the SAM and SYSTEM hives from the shadow copy (where they are not locked) to a USB drive.
- The Result: They can now crack the passwords offline using tools like Hashcat or John the Ripper. Alternatively, if they are moving laterally, they may use the extracted hashes directly in a "Pass-the-Hash" attack.
Ransomware and Anti-Forensics
Modern ransomware (like Ryuk, Conti, or LockBit) knows that VSS is the victim's best hope for recovery.
- The Attack: Before encrypting the files, the ransomware executes a command to destroy all existing shadow copies.
- The Command: vssadmin delete shadows /all /quiet
- Forensic Artifact: If you find evidence that this command was executed (check PowerShell history or Prefetch), it is a definitive indicator of ransomware or a sophisticated data wiper.
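The following Python script is an added example, not part of the chapter, showing how an examiner can sweep process-creation log lines or a PowerShell history file for the shadow-deletion command above. The log lines are constructed for the example (Security event 4688 style, key="value" fields; not real logs), and the matching is normalised for case and spacing so that cosmetic variations of the same command are still caught. It also separates a mass deletion (/all) from a targeted deletion, because backup software and administrators legitimately prune individual shadow copies.

```python
import re

# Constructed sample log lines in a 4688-style key="value" layout (not real logs).
SAMPLE_LOG = r"""
2024-01-15T10:31:02Z EventID=4688 User="CORP\jsmith" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows"
2024-01-15T10:31:40Z EventID=4688 User="CORP\jsmith" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c dir C:\Users"
2024-01-15T10:32:05Z EventID=4688 User="NT AUTHORITY\SYSTEM" Image="C:\Windows\System32\vssadmin.exe" CommandLine="VSSADMIN  Delete Shadows /All /Quiet"
2024-01-15T10:32:06Z EventID=4688 User="CORP\backupsvc" Image="C:\Windows\System32\vssadmin.exe" CommandLine="C:\Windows\System32\vssadmin.exe delete shadows /for=C: /oldest"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

SEVERITY = {
    "shadow-deletion-all": "high",        # the ransomware pattern from the chapter
    "shadow-deletion-targeted": "medium", # single-copy pruning; often legitimate maintenance
    "shadow-enumeration": "info",         # listing shadows; examiners do this too
}


def normalize(cmd):
    # Lower-case and collapse whitespace so "VSSADMIN  Delete Shadows" matches.
    return " ".join(cmd.lower().split())


def classify_vssadmin(cmd):
    """Return a finding label for a vssadmin command line, or None if benign/irrelevant."""
    tokens = normalize(cmd).split()
    if not tokens:
        return None
    # The executable may be given bare or with its full path.
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return None
    args = tokens[1:]
    if args[:2] == ["delete", "shadows"]:
        return "shadow-deletion-all" if "/all" in args else "shadow-deletion-targeted"
    if args[:2] == ["list", "shadows"]:
        return "shadow-enumeration"
    return None


def parse_fields(line):
    fields = dict(FIELD_RE.findall(line))
    fields["time"] = line.split()[0]   # ISO timestamp is the first token
    return fields


def scan_log(text):
    """Scan process-creation log text; return findings oldest first."""
    findings = []
    for line in text.splitlines():
        if "CommandLine=" not in line:
            continue
        f = parse_fields(line)
        label = classify_vssadmin(f.get("CommandLine", ""))
        if label:
            findings.append({
                "time": f["time"],
                "user": f.get("User"),
                "label": label,
                "severity": SEVERITY[label],
                "command": f["CommandLine"],
            })
    return findings


def scan_history(lines):
    """ConsoleHost_history.txt holds one command per line, so classify each directly."""
    return [(line, classify_vssadmin(line)) for line in lines if classify_vssadmin(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["severity"].upper(), finding["user"], "->", finding["command"])
```

When triaging, treat the high-severity hit as the anchor for the timeline: the process-creation record gives the exact time, the account, and the parent context, which can then be matched against Prefetch for vssadmin.exe and against file modification times of the encrypted documents.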
7.5 VSS Forensics: Acquisition and Analysis
How do we actually look at this data? We generally do not analyze VSS on a live machine unless strictly necessary (Incident Response). Usually, we analyze it from a disk image.
Identifying Shadow Copies
On a live system (or mounted image), you can list available snapshots using the command line:
vssadmin list shadows
This will display the Shadow Copy ID, the Creation Time, and the Original Volume.
- Note: Windows 10 and 11 do not rely on a strict timer. Instead, snapshots are triggered by events such as Windows Updates, driver installations, or manual System Restore points. It is also important to note that on Windows 10/11 Home editions, System Protection is often disabled by default. Therefore, the absence of shadow copies on a Home edition machine is a normal finding and not necessarily indicative of anti-forensics.
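As an added example (not part of the chapter), the Python below parses saved output of `vssadmin list shadows` into records an examiner can sort and query, for instance to pick the newest snapshot taken before a known wipe time. The sample output is constructed to mimic the tool's layout on a US-English system; the creation-time format is locale dependent, so the strptime pattern is an assumption that must match the locale of the machine that produced the text.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (values are made up).
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0a0a0a0a-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 1/8/2024 9:02:11 AM
      Shadow Copy ID: {0b0b0b0b-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{0c0c0c0c-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WKSTN-01
         Service Machine: WKSTN-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0a0a0a0a-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 1/10/2024 2:45:30 PM
      Shadow Copy ID: {0b0b0b0b-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{0c0c0c0c-0000-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WKSTN-01
         Service Machine: WKSTN-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Assumption: US-English date layout as printed by vssadmin on such a system.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
SET_TIME_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")


def parse_list_shadows(text):
    """Turn vssadmin text into a list of dicts, sorted oldest to newest."""
    records, current, set_id, set_time = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            set_id = line.split(":", 1)[1].strip()
            current = None                      # a new set; stop filling the old record
            continue
        m = SET_TIME_RE.match(line)
        if m:
            set_time = datetime.strptime(m.group(1).strip(), TIME_FORMAT)
            continue
        if line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "set_id": set_id, "created": set_time}
            records.append(current)
            continue
        if current is not None and ":" in line:
            key, value = line.split(":", 1)    # split on the FIRST colon; values contain colons
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return sorted(records, key=lambda r: r["created"])


def shadow_number(record):
    """The N in HarddiskVolumeShadowCopyN, which tools such as mklink refer to."""
    m = re.search(r"HarddiskVolumeShadowCopy(\d+)$", record["shadow_copy_volume"])
    return int(m.group(1)) if m else None


def newest_before(records, when):
    """The last snapshot created strictly before `when` (e.g. a suspected wipe time)."""
    candidates = [r for r in records if r["created"] < when]
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    for r in parse_list_shadows(SAMPLE_OUTPUT):
        print(shadow_number(r), r["created"].isoformat(), r["original_volume"], r["id"])
```

The `created` timestamp is what makes the records useful: once the wipe or infection time is known from other artifacts, `newest_before` selects the snapshot that most closely precedes it, which is the one to mount first.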
Linking and Mounting (The "Symbolic Link" Trick)
To browse a shadow copy like a normal folder on a live system, you can create a symbolic link (SymLink).
- List Shadows: vssadmin list shadows
- Copy the Path: Copy the Shadow Copy Volume Name (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1).
- Link it: mklink /d C:\Analysis_MountPoint \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
Now, if you open C:\Analysis_MountPoint in Explorer, you are looking at the C: drive exactly as it looked on the date of that snapshot.
Forensic Tools (The Professional Approach)
Manual linking is risky. Professional tools automate this.
- Arsenal Image Mounter: This is widely considered the gold standard. It allows you to mount a forensic disk image (E01) and exposes all Shadow Copies as separate, accessible drives (e.g., Live is E:, Shadow 1 is F:, Shadow 2 is G:).
- Autopsy / The Sleuth Kit: When you add a data source, Autopsy attempts to detect VSS. It allows you to browse shadow copies in the directory tree alongside the active file system.
- vshadowinfo: A command-line tool that is part of the libvshadow library (developed by Joachim Metz), used to list shadow copies in a disk image.
Differential Analysis
The most powerful technique is Differential Analysis.
- Method: You compute the hash of a file (e.g., Confidential_Memo.docx) in the Live system and compare it to the hash of the same file in Shadow Copy 1, Shadow Copy 2, etc.
- Outcome: You can build a version history:
  - Monday (Shadow 1): File created.
  - Wednesday (Shadow 2): Financial data added.
  - Friday (Live): Financial data deleted.
- This proves intent to alter records.
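The Python below is an added example of Differential Analysis, not code from the chapter or from any of the tools named above. It assumes each shadow copy and the live file system are reachable as ordinary directories (the drive letters exposed by Arsenal Image Mounter, or the mklink mount point from the previous section), hashes one relative path across them in chronological order, and also lists files that exist in a snapshot but are gone from the live volume. The mount points and file contents are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def version_history(rel_path, mounts):
    """Hash one relative path across mount points ordered oldest -> newest.

    mounts: list of (label, root_directory). Returns (label, status, sha256-or-None)
    per mount, where status is created / unchanged / modified /
    'reverted to <label>' / deleted / absent.
    """
    history, prev, first_seen = [], None, {}
    for label, root in mounts:
        path = Path(root) / rel_path
        if not path.is_file():
            digest, status = None, ("deleted" if prev else "absent")
        else:
            digest = sha256_file(path)
            if prev is None:
                status = "created"
            elif digest == prev:
                status = "unchanged"
            elif digest in first_seen:
                # Same bytes as an earlier version: content was put back, e.g. data removed again.
                status = f"reverted to {first_seen[digest]}"
            else:
                status = "modified"
            first_seen.setdefault(digest, label)
        history.append((label, status, digest))
        prev = digest
    return history


def files_missing_from_live(mounts):
    """Relative paths present in any shadow copy but absent from the newest (live) mount."""
    live_root = Path(mounts[-1][1])
    live = {p.relative_to(live_root).as_posix() for p in live_root.rglob("*") if p.is_file()}
    missing = {}
    for label, root in mounts[:-1]:
        root = Path(root)
        for p in root.rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in live:
                missing.setdefault(rel, []).append(label)
    return missing


def build_sample_mounts(base):
    """Constructed data: three directories standing in for Shadow 1, Shadow 2 and Live."""
    contents = {
        "Shadow1_Monday": {
            "Docs/Confidential_Memo.docx": b"Draft memo\n",
            "Docs/Q3_Figures.xlsx": b"quarter,revenue\nQ3,100\n",
        },
        "Shadow2_Wednesday": {
            "Docs/Confidential_Memo.docx": b"Draft memo\nRevenue: 4.2M\n",  # financial data added
            "Docs/Q3_Figures.xlsx": b"quarter,revenue\nQ3,100\n",
        },
        "Live_Friday": {
            "Docs/Confidential_Memo.docx": b"Draft memo\n",                   # financial data removed
        },                                                                   # spreadsheet deleted
    }
    mounts = []
    for label, files in contents.items():
        root = Path(base) / label
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        mounts.append((label, root))
    return mounts


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        mounts = build_sample_mounts(tmp)
        hist = version_history("Docs/Confidential_Memo.docx", mounts)
        missing = files_missing_from_live(mounts)
        return [(label, status) for label, status, _ in hist], missing


if __name__ == "__main__":
    history, missing = demo()
    for label, status in history:
        print(f"{label:18} {status}")
    print("present in a snapshot but missing from Live:", missing)
```

Note the "reverted to" status: on Friday the memo's hash matches Monday's again, which a plain modified/unchanged comparison against the previous snapshot would report only as "modified". Recording which earlier version the bytes match is what turns three hashes into the Monday/Wednesday/Friday narrative above.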
7.6 Hands-On Simulated VSS Practice
Try this simulated activity to practice working with Volume Shadow Copy Service before heading into your TryHackMe lab assignment for this week.
7.7 Chapter Summary
The Volume Shadow Copy Service is a critical component of modern Windows Forensics. It provides a historical record of the file system, allowing examiners to recover deleted files, view past registry configurations, and reconstruct user activities that have been "wiped" from the live system.
We learned that VSS uses a "Copy-on-Write" mechanism to store changes in the System Volume Information folder. We also explored the dual nature of VSS: it is a tool for recovery, but also a target for attackers who wish to steal locked credentials or destroy backup points to enforce ransom demands. Mastering tools like vssadmin and understanding how to mount these snapshots from forensic images is essential for deep-dive analysis.