We’ve built our SEAT VM and added our target image to it as a virtual disk. The first thing that I do is verify that all of the shadow volumes are present. My first post presented a screen shot from the image file (MyImage) and depicted the shadow volumes. We can compare the shadow volumes from the image file with those in our VM. The following video presents the steps we use to enumerate the shadow volumes with the native vssadmin command run from our administrative command prompt.
The screen populates quite quickly, but the point is that we can identify the number of shadow volumes and their respective creation dates. To make it easy to copy, here’s the syntax: vssadmin list shadows /for=[your target volume letter followed by a colon]. Note, too, that your beginning shadow volume number will be different from mine and does not necessarily start with the number one. Another trick is to re-run the command and export the output to a text file, by adding a space at the end followed by >[path to your text file] [name of text file]. Creating a text file is handy for documenting your findings and for copying the shadow volume names, which we’ll do later.
Now we can mount any or all of our shadow volumes for examination. We’re going to use VSS, which is a free, command line tool written by Dan Mares, who is a creative, long-time forensic software developer and examiner. Dan also has developed free tools that are adjuncts to X-Ways Forensics and which help users customize certain reports. You can pick up a copy of VSS at http://www.dmares.com/pub/nt_32/vss.exe. Be sure to check for updates, as Dan is great about implementing suggestions. You’ll also want to check out his other tools at http://www.maresware.com/. Thanks, Dan!
There are a few ways in which we can use VSS. We can mount one shadow volume; multiple shadow volumes that are numbered consecutively; or multiple, non-consecutive shadow volumes. The following screenshot displays the syntax.
We already have a list of shadow volumes produced by vssadmin. It’s now a matter of selecting the correct volume to provide to VSS. Let’s go back to an abbreviated view of vssadmin’s output.
The screenshot identifies one shadow volume. It may not be terribly clear, but the shadow volume path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5. We’ll feed that path to VSS and mount the shadow volume. We need only choose an unused volume letter, and we’ll pick H:
After executing the command, VSS will prompt us to hit <Return> one more time and then present what the screenshot depicts. It includes the root directory listing. Our shadow volume (#5) now is mounted as Volume H: You can repeat that process and mount any, or as many, shadow volumes as remaining drive letters permit.
Hint: to repeat the process, use your up-arrow and simply replace the volume letter and shadow volume number (#), i.e., ShadowCopy[#]. There is no need to copy/paste the entire path repeatedly.
Next, we’ll mount a range of shadow volumes. First, let’s look at the syntax, which is provided in VSS’ on-screen help.
We can start with a given shadow volume and mount every shadow volume that follows, up to our choice of the last shadow volume number. In our case, there are 19 shadow volumes and the first is #5. (I haven’t researched the question of why shadow volume numbers often start at a number greater than #1, but it doesn’t appear that it’s because there were X previous ones. Windows authority Troy Larson probably knows!) Before we go forth, I want to point out that you should study the dates of the shadow volumes in relation to your case. Several restore points can be created on the same day, perhaps within hours of one another. You’ll cut your exam and VM overhead if you exercise some judgment in picking the shadow volumes to mount and examine.
For demonstration purposes, let’s mount them all. I’ll start with no shadow volumes mounted and enter, vss h: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5 23 AUTO. Note that AUTO is upper case. The first shadow volume is #5, and the last is #23. Watch:
Actually, it was coincidental that I happened to have 19 shadow volumes and 19 open, consecutive drive letters. To unmap any or all of our shadow volumes, we proceed as in the following screenshot. I’ll unmap them all.
Following the VSS command, enter each volume letter that you want to unmap, each followed by a colon. If unmapping seems to hang, just refresh your screen in Explorer with F5.
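The following Python script is an added example, not part of the original post or of VSS. It parses the text file saved from vssadmin, keeps the latest shadow volume created on each calendar day, and builds the single-volume vss command lines for the survivors. The sample output is constructed and abridged; the US date format, the free drive letters and the one-per-day selection rule are assumptions.

```python
import re
from datetime import datetime

# Constructed, abridged sample of saved `vssadmin list shadows` output.
SAMPLE = r"""
   Contained 1 shadow copies at creation time: 10/12/2011 9:15:02 AM
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
   Contained 1 shadow copies at creation time: 10/12/2011 3:40:10 PM
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6
   Contained 1 shadow copies at creation time: 10/15/2011 11:02:47 AM
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
   Contained 1 shadow copies at creation time: 10/20/2011 8:30:00 PM
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
"""

CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME = re.compile(r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))\s*$")

def parse_shadows(text, date_format="%m/%d/%Y %I:%M:%S %p"):
    """Pair each shadow copy volume path with the creation time printed above it."""
    shadows, created = [], None
    for line in text.splitlines():
        if m := CREATED.search(line):
            # Assumption: US-style timestamps; pass another date_format for other locales.
            created = datetime.strptime(m.group(1), date_format)
        elif (m := VOLUME.search(line)) and created is not None:
            shadows.append({"number": int(m.group(2)), "path": m.group(1), "created": created})
    return shadows

def latest_per_day(shadows):
    """Keep only the last shadow copy created on each calendar day (one possible triage rule)."""
    by_day = {}
    for s in shadows:
        day = s["created"].date()
        if day not in by_day or s["created"] > by_day[day]["created"]:
            by_day[day] = s
    return sorted(by_day.values(), key=lambda s: s["created"])

def mount_commands(shadows, free_letters):
    """Build one single-volume VSS command line per selected shadow copy."""
    if len(shadows) > len(free_letters):
        raise ValueError("more shadow copies selected than free drive letters")
    return [f"vss {letter}: {s['path']}" for letter, s in zip(free_letters, shadows)]

if __name__ == "__main__":
    for s in latest_per_day(parse_shadows(SAMPLE)):
        print(s["created"], s["path"])
    print("\n".join(mount_commands(latest_per_day(parse_shadows(SAMPLE)), "hij")))
```

To run it against your own case, pass the contents of the text file you exported from vssadmin to parse_shadows in place of SAMPLE.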
That’s it for this post. Next time, I’ll demonstrate one or two exam approaches with X-Ways Forensics. In the meantime, if you get bored, you’re all set to examine your shadow volumes with any tools that you wish to install in your SEAT workstation.