🔍 Volume Shadow Copy Service (VSS) Forensics Exercise

Learn how Windows Volume Shadow Copy works, how to interact with shadow copies from the command line, and how digital forensic examiners leverage VSS to recover evidence.

⏱ 45-60 min 🖥 Interactive Exercise 🔬 Digital Forensics

📖 What is Volume Shadow Copy Service?

The Volume Shadow Copy Service (VSS) is a Windows framework that creates consistent, point-in-time snapshots of data on a volume — even while that data is actively being used. Think of it like taking a photograph of your entire hard drive at a specific moment in time.

🎯 Key Concept: Point-in-Time Snapshots
A shadow copy captures the state of every file and folder on a volume at the exact moment the snapshot is created. If a file is later modified, deleted, or encrypted (e.g., by ransomware), the shadow copy still holds the original version.

Why Does VSS Exist?

Microsoft introduced VSS in Windows Server 2003 (and Windows XP) to solve a fundamental problem: how do you back up files that are currently open and being written to?

Before VSS, backup programs would skip locked files or produce corrupted copies. VSS coordinates with applications (called "writers") so that data is in a consistent state when the snapshot is taken. This is critical for databases, email servers, and any application that continuously writes data.

Real-World Analogy

💡 Think of It Like a Security Camera System
Imagine a security camera that takes a high-resolution photo of an entire room every hour. If someone steals an item, you can review the photos to see exactly what the room looked like before the theft. VSS does this for your file system — it captures "photos" of your entire drive at scheduled intervals or on demand.

Who Uses VSS?

VSS is leveraged by multiple Windows features and tools that you may already be familiar with:

| Feature / Tool | How It Uses VSS |
|---|---|
| System Restore | Creates restore points using shadow copies to roll back system changes |
| Windows Backup | Uses VSS to create consistent backups of open files |
| Previous Versions | Right-click → "Restore previous versions" reads from shadow copies |
| File History | Leverages VSS infrastructure for file versioning |
| 3rd-Party Backup Software | Tools like Veeam, Acronis, etc. use VSS for application-consistent backups |

🔬 Why VSS Matters in Digital Forensics

For forensic examiners, shadow copies are like finding a time machine on a suspect's hard drive. They provide access to historical versions of files that may have been deliberately deleted or altered.

🕵️ Evidence Recovery: Recover files a suspect deleted — if a shadow copy was created before the deletion, the original file still exists within the snapshot.
📊 Timeline Reconstruction: Compare multiple shadow copies to build a timeline of when files were created, modified, or deleted on the system.
🦠 Malware Analysis: Examine what a system looked like before and after a malware infection to determine exactly what was changed.
🔐 Ransomware Investigations: Modern ransomware often tries to delete shadow copies first. Checking if VSS was wiped can reveal attacker behavior.

⚠️ Anti-Forensics Alert
Sophisticated attackers know about VSS. One of the first things ransomware and advanced malware does is execute vssadmin delete shadows /all /quiet to destroy all shadow copies. Finding evidence that this command was run (in event logs, prefetch, etc.) is itself a forensic artifact indicating malicious activity.

⚙️ VSS Architecture: How It Works Under the Hood

VSS is not a single program — it's a coordinated framework with multiple components working together.

📨 Requestor: Backup apps, vssadmin, wbadmin, diskshadow
✍️ Writer: SQL Server, Exchange, Registry, NTDS, Hyper-V
⚙️ Provider: System Provider (default) or Hardware/Software (SAN)

💾 Shadow Copy Storage
  Method: Copy-on-Write — saves original blocks before overwrite
  Efficiency: Only changed blocks are stored, not full volume copies
  Location: System Volume Information (hidden, root of volume)

The Three Components

1. Requestor: The application that asks for a shadow copy to be created. This could be Windows Backup, a third-party backup tool, or an administrator running vssadmin. In forensics, we often use diskshadow or specialized tools to mount and examine existing shadow copies.
2. Writer: Applications that have data to protect register as VSS "writers." When a snapshot is requested, VSS tells each writer to temporarily pause and flush their data to disk (bringing it to a consistent state). Use vssadmin list writers to see all registered writers.
3. Provider: The component that actually creates and manages the shadow copy data. The default Windows "System Provider" uses a copy-on-write differential method — it doesn't duplicate the entire volume but tracks changes by saving original blocks before they're overwritten.

Copy-on-Write: The Key Mechanism

When a shadow copy exists and a block on disk is about to be changed:

  1. Intercept: The system provider intercepts the write operation
  2. Copy Original: The original data block is copied to the shadow copy diff area
  3. Allow Write: The new data is then written to the original location
  4. Result: The shadow copy can reconstruct the volume's state by combining current unchanged blocks with saved original blocks

💡 Forensic Implication
Because shadow copies use differential storage, they're space-efficient — but they depend on the live volume data. This means you cannot extract a standalone shadow copy without also having the volume it references. Always acquire the full volume image.
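The four-step copy-on-write sequence above can be modelled in a few lines. The following is an added example written for this page (not code from the original exercise or from Microsoft): a toy volume made of fixed-size blocks, where a snapshot's diff area stays empty until a block is about to be overwritten and only then receives the original block. Reading a snapshot back merges saved originals with untouched live blocks, which is precisely why the forensic implication holds: delete the live volume (or the diff area) and the snapshot can no longer be reconstructed.

```python
"""Toy model of the VSS system provider's copy-on-write differential snapshot.

Added example, not code from the original page. Block contents and sizes are
constructed for illustration; a real provider works on 16 KB blocks inside
System Volume Information, but the bookkeeping is the same.
"""


class CowVolume:
    def __init__(self, blocks):
        self.blocks = list(blocks)   # the live volume, one entry per block
        self.snapshots = []          # one diff area per snapshot: {block_index: original_data}

    def create_snapshot(self):
        """A new snapshot costs nothing up front: its diff area starts empty."""
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, index, data):
        """Steps 1-3: intercept the write, copy the original block into every
        snapshot that has not yet preserved it, then allow the write through."""
        for diff in self.snapshots:
            if diff is not None and index not in diff:
                diff[index] = self.blocks[index]
        self.blocks[index] = data

    def read_snapshot(self, snap_id):
        """Step 4: reconstruct the point-in-time view. A block comes from the
        diff area if it was overwritten after the snapshot, otherwise from the
        live volume. Without the live volume this merge is impossible."""
        diff = self.snapshots[snap_id]
        if diff is None:
            raise LookupError(f"snapshot {snap_id} has been deleted")
        return [diff.get(i, block) for i, block in enumerate(self.blocks)]

    def diff_area_size(self, snap_id):
        """Number of preserved blocks: grows only with changes, not volume size."""
        return len(self.snapshots[snap_id])

    def delete_snapshot(self, snap_id):
        """What `vssadmin delete shadows` does: the diff area is dropped and the
        preserved originals are gone for good (the live data is untouched)."""
        self.snapshots[snap_id] = None


def ransomware_scenario():
    """Worked scenario: snapshot, then overwrite two blocks; the snapshot still
    holds the originals while the live volume shows the new content."""
    vol = CowVolume(["budget-v1", "secrets.docx", "photo_001.jpg"])
    snap = vol.create_snapshot()
    vol.write(0, "budget-v2")
    vol.write(1, "<encrypted>")
    return {
        "live": list(vol.blocks),
        "snapshot": vol.read_snapshot(snap),
        "diff_blocks": vol.diff_area_size(snap),
    }
```

With two snapshots taken at different times, each diff area preserves only what changed after its own creation, so an older snapshot keeps growing while a newer one starts empty; that is the differential storage the page refers to.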

📁 Where VSS Data Lives on Disk

| Location | Description |
|---|---|
| System Volume Information\ | Hidden folder at root of each volume — contains VSS diff data, catalog, and metadata |
| {GUID} files | Inside System Volume Information, each shadow copy's differential data is stored in GUID-named files |
| HKLM\SYSTEM\CurrentControlSet\Services\VSS | Registry keys controlling VSS service configuration |
| Microsoft-Windows-VHDMP event logs | Event log entries related to shadow copy operations |

⚠️ Access Restriction
The System Volume Information folder is protected by NTFS ACLs — only the SYSTEM account can access it by default. On a live system you need Administrator privileges; on a forensic image, your tool reads the raw NTFS data directly.

🛠 Essential VSS Command Reference

All commands require an elevated (Administrator) command prompt.

vssadmin — Volume Shadow Copy Admin Tool

| Command | Purpose |
|---|---|
| vssadmin list shadows | List all existing shadow copies on the system |
| vssadmin list shadows /for=C: | List shadow copies for a specific volume |
| vssadmin list writers | Show all registered VSS writer applications |
| vssadmin list providers | Show all registered VSS providers |
| vssadmin list volumes | Show all volumes eligible for shadow copies |
| vssadmin list shadowstorage | Show allocated and used shadow copy space |
| vssadmin create shadow /for=C: | Create a new shadow copy of C: drive |
| vssadmin delete shadows /for=C: /oldest | Delete the oldest shadow copy on C: |
| vssadmin delete shadows /all /quiet | Delete ALL shadow copies silently (⚠️ ransomware) |
| vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB | Set maximum disk space for shadow storage |

diskshadow — Advanced Shadow Copy Tool

| Command | Purpose |
|---|---|
| diskshadow | Enter interactive mode |
| list shadows all | List all shadow copies with IDs |
| expose {ShadowID} Z: | Mount a shadow copy as drive Z: |
| unexpose Z: | Unmount an exposed shadow copy |

PowerShell

| Cmdlet | Purpose |
|---|---|
| Get-WmiObject Win32_ShadowCopy | List all shadow copies with detailed properties |
| (Get-WmiObject -Class Win32_ShadowCopy -List).Create("C:\","ClientAccessible") | Create a new shadow copy programmatically (PowerShell strings use no backslash escaping, so the volume is written with a single trailing backslash) |

Accessing Shadow Copies via Symbolic Links

Step 1: Find the shadow copy device object
    vssadmin list shadows
  Look for output like:
    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

Step 2: Create a symbolic link (note the trailing backslash!)
    mklink /d C:\ShadowMount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

Step 3: Browse the shadow copy
    dir C:\ShadowMount\Users\suspect\Documents\

Step 4: Clean up when done
    rmdir C:\ShadowMount

⚠️ Critical: Trailing Backslash
When creating the symbolic link, the shadow copy path must end with a backslash (\). Without it, the link will fail silently or produce an error.


📋 Tasks

1. List All Shadow Copies
   First step in any exam: determine what shadow copies exist.
   Use vssadmin list shadows

2. Filter Shadows for C: Only
   Narrow results to show only C: drive shadow copies.
   Add the /for=C: parameter

3. Check VSS Writers
   See which apps are registered as VSS writers on this system.
   Use vssadmin list writers

4. Check Storage Usage
   How much space is allocated/used for shadow copies?
   Use vssadmin list shadowstorage

5. Create a New Shadow Copy
   Preserve the current state of C: before making changes.
   Use vssadmin create shadow /for=C:

6. Mount Shadow Copy
   Create a symlink to mount ShadowCopy1 at C:\ShadowMount. Trailing \ required!
   mklink /d C:\ShadowMount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

7. Navigate & Find Evidence
   Use cd to navigate into the mounted shadow copy and explore the suspect's Documents folder at C:\ShadowMount\Users\jdoe\Documents. Use dir to list what you find.
   Try cd C:\ShadowMount, then cd Users\jdoe\Documents, then dir

8. PowerShell WMI Query
   Use PowerShell to query shadow copies via WMI for detailed properties.
   Use Get-WmiObject Win32_ShadowCopy

🔬 Forensic Analysis with VSS: Practical Methodology

Phase 1: Identification & Preservation

🔎 Determine if Shadow Copies Exist
During forensic acquisition, always capture the full volume image. Shadow copy diff data resides in the hidden System Volume Information folder and can only be reconstructed with the complete volume. After imaging, use Arsenal Image Mounter, FTK Imager, or libvshadow to enumerate shadow copies.

Phase 2: Enumeration

Enumerate all available shadow copies and document:

  1. Shadow Copy ID — Unique GUID identifier
  2. Creation Timestamp — When the snapshot was taken
  3. Originating Machine — Which system created it
  4. Provider — How the copy was made
  5. Type — ClientAccessible, DataVolumeRollback, etc.
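The five fields listed above are exactly the ones `vssadmin list shadows` prints per copy, and the same output carries the device object needed for the mklink step in the "Accessing Shadow Copies via Symbolic Links" section. The following parser is an added example written for this page (not part of the original exercise or of any Microsoft tool). It assumes en-US vssadmin output (English labels, M/D/YYYY timestamps); the sample text, GUIDs and machine name are constructed. It produces the enumeration record for Phase 2 and builds the mklink command with the mandatory trailing backslash.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (en-US locale).
# The set/copy/volume GUIDs and the host name WS-JDOE are made up.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1c5b7d2e-1111-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 1/15/2026 8:02:11 PM
      Shadow Copy ID: {2a6c8e3f-2222-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{3b7d9f40-3333-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS-JDOE
         Service Machine: WS-JDOE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1c5b7d2e-1111-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 2/1/2026 9:15:02 AM
      Shadow Copy ID: {2a6c8e3f-2222-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{3b7d9f40-3333-4000-8000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WS-JDOE
         Service Machine: WS-JDOE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_vssadmin_list_shadows(text):
    """Return one dict per shadow copy. Keys are the lower-cased vssadmin labels
    (shadow_copy_id, creation_time, original_volume, shadow_copy_volume,
    originating_machine, service_machine, provider, type, attributes)."""
    entries, current, creation = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            current = None          # a new set: stop attaching lines to the previous copy
            continue
        m = re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line)
        if m:
            creation = m.group(1).strip()   # the timestamp belongs to every copy in the set
            continue
        m = re.match(r"Shadow Copy ID: (\{[0-9a-fA-F-]+\})$", line)
        if m:
            current = {"shadow_copy_id": m.group(1), "creation_time": creation}
            entries.append(current)
            continue
        if current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.lower().replace(" ", "_")] = value.strip().strip("'")
    return entries


def creation_datetime(entry):
    """en-US vssadmin timestamp -> datetime (assumption: no locale variation)."""
    return datetime.strptime(entry["creation_time"], "%m/%d/%Y %I:%M:%S %p")


def mklink_command(entry, mount_point):
    """Build the mklink line; the device path MUST end with a backslash."""
    device = entry["shadow_copy_volume"]
    if not device.endswith("\\"):
        device += "\\"
    return f"mklink /d {mount_point} {device}"


def enumeration_table(text):
    """Phase 2 record, oldest first: (ID, timestamp, machine, provider, type, device)."""
    rows = []
    for e in sorted(parse_vssadmin_list_shadows(text), key=creation_datetime):
        rows.append((e["shadow_copy_id"], creation_datetime(e).isoformat(),
                     e["originating_machine"], e["provider"], e["type"],
                     e["shadow_copy_volume"]))
    return rows
```

Feed it the saved output of `vssadmin list shadows` from the lab, and note that the device number (HarddiskVolumeShadowCopy3) is not the same thing as the Shadow Copy ID GUID; document both, because the number can be reused after deletions while the GUID cannot.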

Phase 3: Differential Analysis

DIFFERENTIAL ANALYSIS WORKFLOW (✏️ = modified since the previous snapshot)

Shadow Copy #1 (Jan 15, 2026)
├── budget.xlsx
├── secrets.docx
├── photo_001.jpg
└── notes.txt

Shadow Copy #2 (Feb 01, 2026)
├── budget.xlsx ✏️
├── secrets.docx
├── photo_001.jpg
├── cleanup.bat
└── notes.txt ✏️

Current Volume (Feb 17, 2026)
├── budget.xlsx ✏️
├── photo_001.jpg
└── notes.txt ✏️
    (secrets.docx and cleanup.bat deleted!)

FINDINGS:
• secrets.docx existed in SC#1 and SC#2 but was deleted
• cleanup.bat appeared in SC#2 then deleted — anti-forensic script?
• budget.xlsx modified between each snapshot
• notes.txt modified — compare content across snapshots
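The workflow above is a set comparison over file inventories, one per mounted snapshot. The following is an added example written for this page (not the exercise's own tooling): `inventory()` walks a mount point such as C:\ShadowMount and hashes every file so that content changes are caught even when names and sizes match, and the comparison functions reproduce the four findings from constructed inventories that mirror the diagram (the digests are placeholder strings, not real hashes).

```python
import hashlib
import os


def inventory(root):
    """Walk a mounted shadow copy and return {relative_path: sha256}.
    Unreadable entries (ACL-protected, reparse points) are skipped rather than
    aborting the whole walk."""
    inv = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue
            inv[os.path.relpath(full, root).replace("\\", "/")] = digest.hexdigest()
    return inv


def diff_inventories(older, newer):
    """Files added, deleted or changed between two consecutive snapshots."""
    common = set(older) & set(newer)
    return {
        "added": sorted(set(newer) - set(older)),
        "deleted": sorted(set(older) - set(newer)),
        "modified": sorted(p for p in common if older[p] != newer[p]),
    }


def differential_findings(snapshots):
    """snapshots: [(label, inventory), ...] in chronological order.
    Returns human-readable findings, one per change, oldest pair first."""
    findings = []
    for (a_label, a), (b_label, b) in zip(snapshots, snapshots[1:]):
        d = diff_inventories(a, b)
        findings += [f"{p}: first seen in {b_label}" for p in d["added"]]
        findings += [f"{p}: present in {a_label}, gone in {b_label} (deleted)" for p in d["deleted"]]
        findings += [f"{p}: content changed between {a_label} and {b_label}" for p in d["modified"]]
    return findings


def file_lifetimes(snapshots):
    """Which snapshots each path appears in. A file seen in exactly one
    snapshot (like cleanup.bat below) is a short-lived artifact worth a closer look."""
    seen = {}
    for label, inv in snapshots:
        for path in inv:
            seen.setdefault(path, []).append(label)
    return seen


# Constructed inventories mirroring the diagram; "h-..." values stand in for
# real SHA-256 digests, and a changed value means the content changed.
SNAPSHOTS = [
    ("SC#1 2026-01-15", {
        "Documents/budget.xlsx": "h-budget-1", "Documents/secrets.docx": "h-secrets",
        "Pictures/photo_001.jpg": "h-photo", "Documents/notes.txt": "h-notes-1"}),
    ("SC#2 2026-02-01", {
        "Documents/budget.xlsx": "h-budget-2", "Documents/secrets.docx": "h-secrets",
        "Pictures/photo_001.jpg": "h-photo", "cleanup.bat": "h-cleanup",
        "Documents/notes.txt": "h-notes-2"}),
    ("Current 2026-02-17", {
        "Documents/budget.xlsx": "h-budget-3", "Pictures/photo_001.jpg": "h-photo",
        "Documents/notes.txt": "h-notes-3"}),
]
```

In a real case, replace the constructed dicts with `inventory(r"C:\ShadowMount")` for each exposed copy plus the live volume, and record the digests alongside the findings so that every recovered file already carries the hash required for chain of custody in Phase 4.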

Phase 4: Evidence Extraction

📄 File Recovery: Copy recovered files from the mounted shadow copy to your evidence folder. Always hash (MD5/SHA-256) for chain of custody.
📋 Registry Analysis: Each shadow copy contains its own Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT). Compare states across snapshots.

Forensic Tools That Work With VSS

| Tool | Capability |
|---|---|
| Arsenal Image Mounter | Mount forensic images with full VSS support |
| libvshadow / vshadowmount | Open-source Linux tools for accessing VSS in forensic images |
| X-Ways Forensics | Built-in shadow copy support within evidence files |
| Autopsy + SleuthKit | VSS processing with appropriate plugins |
| Eric Zimmerman's VSCMount | Specialized VSS mounting from forensic images |

VSS Event Log Artifacts

📝 Key Event IDs
Application log: 8224 (VSS started/stopped), 12289 (creation started), 12291 (creation failed).
System log: 36 (volsnap — deleted for space), 7036 (service stopped unexpectedly = possible anti-forensics).

Common Anti-Forensic Techniques

⚠️ What Attackers Do — and How to Detect It
1. vssadmin delete shadows /all /quiet — check Prefetch, ShimCache, AmCache, Event ID 4688.
2. wmic shadowcopy delete — check WMI trace logs, PowerShell script block logging.
3. Disable VSS via registry or sc stop vss — check System event log.
4. vssadmin resize shadowstorage /maxsize=300MB — forces old copies deleted.
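The four techniques above all leave a command line in Event ID 4688 when command-line auditing is enabled, so a small hunt over exported process-creation events covers them. The following detection logic is an added example written for this page (not part of the exercise or any vendor product). It assumes the events have been flattened to one pipe-separated line each (timestamp, event ID, host, NewProcessName, CommandLine); the sample events, host name and the 1 GB "suspiciously small shadow storage" threshold are constructed assumptions.

```python
import re

# Constructed sample of Security 4688 events, one per line:
#   timestamp | EventID | host | NewProcessName | CommandLine
# The first resize (300MB) is the anti-forensic case from the text; the
# later 10GB resize is a normal administrative change and must not fire.
SAMPLE_EVENTS = r"""
2026-02-17T02:14:05|4688|WS-JDOE|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2026-02-17T02:14:09|4688|WS-JDOE|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2026-02-17T02:14:12|4688|WS-JDOE|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2026-02-17T02:14:15|4688|WS-JDOE|C:\Windows\System32\sc.exe|sc stop vss
2026-02-17T02:14:20|4688|WS-JDOE|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=300MB
2026-02-17T09:00:00|4688|WS-JDOE|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB
2026-02-17T09:01:00|4688|WS-JDOE|C:\Windows\System32\notepad.exe|notepad.exe report.txt
"""

SUSPICIOUS_MAXSIZE_BYTES = 1 * 1024 ** 3   # assumption: below 1 GB is treated as a purge
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def parse_size(token):
    """'300MB' -> bytes. Percentages and UNBOUNDED return None (not scored here)."""
    m = re.fullmatch(r"(\d+)(KB|MB|GB|TB)?", token.strip(), re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)) * UNITS.get((m.group(2) or "").upper(), 1)


def parse_event(line):
    ts, event_id, host, image, cmdline = line.split("|", 4)
    return {"time": ts, "event_id": event_id, "host": host, "image": image, "cmdline": cmdline}


def classify(event):
    """Map one process-creation event to a finding, or None if benign."""
    if event["event_id"] != "4688":
        return None
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    if exe == "vssadmin.exe" and "delete shadows" in cmd:
        return "shadow copies deleted with vssadmin"
    if exe == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow copies deleted through WMI"
    if exe == "sc.exe" and re.search(r"\b(stop|config)\s+vss\b", cmd):
        return "VSS service stopped or reconfigured"
    if exe == "vssadmin.exe" and "resize shadowstorage" in cmd:
        m = re.search(r"/maxsize=(\S+)", cmd)
        size = parse_size(m.group(1)) if m else None
        if size is not None and size < SUSPICIOUS_MAXSIZE_BYTES:
            return f"shadow storage shrunk to {m.group(1).upper()} (oldest copies purged)"
    return None


def hunt(text):
    """Return (timestamp, host, finding) for every suspicious event, in log order."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["time"], ev["host"], verdict))
    return hits
```

Matching on the image name rather than the typed command catches renamed copies only if the logging source records the real path, so corroborate each hit with the Prefetch and AmCache artifacts the list above names; four findings inside fifteen seconds, as in the sample, is the pattern the page describes for ransomware's opening moves.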

✅ Knowledge Check

Select the best answer for each question.