A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Window 7 variety (VHD).  Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).

AIM1

Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note than AIM handles 4KB (and other) sectors.

aim optionsAIM2a

After I click OK, AIM presents the mounted disk as Drive 10 in my system (above and in next screenshot), which we then can find in Explorer as well as in Disk Manager.  Note that Disk Manager reports the pseudo disk as it does every other disk, but indicates that it is read only.  In case you haven’t looked or noticed it before, mount an image with another tool and compare Disk Manager’s findings with an AIM-mounted image.

AIM3

Next, let’s access shadow volumes without using virtual machines or any other steps outside of our host system (mine is Windows 8).  As you’ve seen in one of the screenshots, our mounted image’s system volume was mapped to Drive M. The next demo is a video, which presents how we can enumerate the shadow volumes on Drive M.

 

Again, you can try that with another image mounter to see the distinction.  Now, we’ll map one of the shadow volumes with Dan Mares’s VSS, which is a tool that I’ve mentioned frequently in my blog. The basics of VSS can be found here, among other posts.  You can pick up VSS free at http://www.maresware.com/.  The next video demonstrates VSS.

▶

At this point, we can work with Drive P as we can with any logical volume.  We can open the volume in most forensics tools or image the logical volume if we wish.  Remember, too, that an alternative to mapping a shadow volume to a drive letter is to create a symbolic link to the volume.  The next screenshot shows how this is done.  We’ll create a link to Shadow Volume 13 in the aaa directory.  Remember to add the trailing backslash in the syntax, after the ShadowCopy number.

mklink

While I’m talking about Symlinks, it’s important to note that Windows uses them in various places on our systems.  For example, \Users\All Users is a SymLink to \Program Data on the active system partition.  If, for example, we open Users\All Users on our mapped shadow volume (P) and open Program Data on our host system, we can see that their contents are the same:

symlinks

This will happen whether you map the shadow volume to a drive letter or create a SymLink.  Needless to say, this can lead to some misinterpretations during an exam.  However, if you open the mapped shadow volume in a forensic tool, at least with X-Ways Forensics, the SymLink issue will be ignored.

Now, let’s return to VHDX files briefly.  At this time, a number of forensic tools can’t access that file format.  If you encounter one, it likely will be a system image backup on a Win 8 image.  To give most tools access to your VHDX file, mount the Win 8 image file in a Win 8 host with AIM.  The next video follows the process:

▶

Note that this works when you mount your VHDX-host image with AIM.  It likely will not work with other imagers that don’t allow Disk Manager to have access to the mounted image.  While you can copy the VHDX from your image to a Win 8 host, it’s unnecessary if you have AIM.  Another option is to create a VM from your Win 8 image, mount the VHDX therein, and access the mounted VHDX file with X-Ways Forensics from a thumb drive.  When you’re done, right-click the mounted VHDX in Disk Manager and opt to detach the disk.  Bear in mind that Win 7 will not mount a VHDX file.

  1. Dave Reid

    February 3, 2015 at 9:38 am

    Hi Jimmy,

    I have a multi-part E01 file and no matter what way i try to mount it with AIM, raw or multi-part raw, I get a virtual drive of 4GB in size. This coincidentally is the size of the E0 segments. The E0 files were created with compression and i wonder if this is the issue.

    dave

    Reply

    • jimmyweg

      February 3, 2015 at 9:48 am

      It’s not the compression. If you’re using AIM, can you not just get to the shadow volumes in your host system without a VM? Does the disk appear in Windows Disk Manager?

      Reply

      • Dave Reid

        February 3, 2015 at 10:19 am

        Jimmy,

        Think we are cross wires somewhere. I cannot get AIM to recognize any disk image with an E0 format. I have now tried several and the resultant disk offered as mounted is only the size of the first E0 file either 2GB or 4GB dependent on how the original image was taken. When I check the mounted drive in disk management the disk is unallocated and uninitialized and is specified at the same 2GB or 4GB size. I’m not sure i get your comment about VM’s as I am not running one. The article above seemed to be about accessing an image without any mention of VM’s.

        Sorry if I’m being a bit dense.

        Dave

        Reply

  2. Thierry_Fr

    July 7, 2014 at 1:09 pm

    Thanks Mr Weg for your very interesting posts and work.
    Thanks to you, I discover two great tools to work with VSS. Strangely, when I mounted the VSS with “vss.exe” it didn’t appear in explorer or X-ways like a new hard drive. I Tried with a volume image, i’ll try with a real disk image to see if that makes a difference.

    Reply

    • jimmyweg

      July 7, 2014 at 2:10 pm

      Thanks for writing. The mounted shadow volume will appear in Explorer and in X-Ways as a volume and not as a disk. You simply can add the mounted volume to XWF.

      Reply

      • Thierry_Fr

        July 8, 2014 at 11:54 am

        Thanks for your quick answer. In fact the VSS doesn’t appear at all. I will make a few more tests and make a return.

        Reply

        • jimmyweg

          July 8, 2014 at 2:27 pm

          If you’re running VSS correctly, it will identify the volume letter that it assigned to the SV. Hence, the SV will have mounted and be visible in Explorer/XWF. I’m guessing that you’re not actually mounting the SV.

          Reply

  3. MC

    June 25, 2014 at 10:01 am

    Thanks for the post Jimmy! I was looking forward to trying this out. However, I didn’t get very far…

    I am able to use AIM to mount my E01 image (although the volumes appear as “Removable Drives” for some reason). But, when I try to list the shadow copies with vss, I get a message stating “No items found that satisfy the query” and no shadow volumes are listed. I can see from the image file that the volume contains shadow copies. I’ve tried it with 3 different image files now, all with the same results.

    Does this have anything to do with a permissions issue in Windows 7?

    I’m sure that I’m doing something wrong, but I’m kind of stuck here…

    Thanks

    Reply

    • jimmyweg

      June 25, 2014 at 10:54 am

      Thanks for writing, Meghan. I think it’s a permissions issue. Are you running vssadmin as Admin? You should. I’m not sure what you mean by the mounted image appearing as a removable drive. It should show up in Disk Manager as a physical disk with volumes.

      Reply

      • MC

        June 25, 2014 at 11:33 am

        Jimmy,
        Thanks for the quick reply. I am running vssadmin as Administrator. The volumes are mapped in Disk Management. For what it’s worth, when I use the command to “List Volumes,” it only shows me my local volumes (not the newly mounted volumes). But, I can’t even list the shadow volumes for my local drives either.

        Thanks

        Reply

        • jimmyweg

          June 25, 2014 at 12:25 pm

          Just to be sure we’re on the same page, the syntax is “vssadmin list shadows \for=:” where “x” if the logical volume that contains the target SVs. Are you sure that the SVs on your target are existing files, and not previously existing files that your forensic tool reports (but Windows would not)?

          Reply

          • MC

            June 25, 2014 at 12:54 pm

            Using the syntax vssadmin list shadows /for=. The SVs on the target are existing files, although there are some previously existing files as well. I also ran my 3 images through IEF and it recovered data from the SVs.

          • jimmyweg

            June 25, 2014 at 2:53 pm

            Well, I’m not sure what’s up at this point. Can you enumerate SVs on your own system with vssadmin? If there are none (system protection off), turn on system protection, create one, and run a test. The “No items found that satisfy the query” usually means none exist or maybe no permission.

          • MC

            June 26, 2014 at 9:29 am

            Thanks Jimmy. Getting closer. I was able to create one on my system and subsequently see it using vssadmin. But for some reason, I can’t see any from my mounted images. I also don’t see any when I choose the option to ‘Restore previous versions’ from the right-click menu in Windows, even though I see there are shadow copies. Not sure what’s going on…

          • jimmyweg

            June 26, 2014 at 3:32 pm

            Are you logged on as Admin to your host machine? I know that you are running vssadmin as Admin. If you have a VM of a Win 7 system (SEAT), add the mounted disk to that VM as a physical disk (there’s instructions on the blog). Then run vssadmin in the VM, targeting the added disk’s volume. It’s also possible that your SV structure is corrupt. Have you tried other mounted image files? If the issue arises in more than the one image, I think that the issue has to be with your system.

  4. Preston Farley

    June 8, 2014 at 8:19 pm

    Jimmy,

    Thanks for the great post and for all you’ve given to the community over the years. I’ve been lurking your posts and attempting to learn from them for a long time now. BTW, the hyperlink for AIM is printed properly in your article, but it is missing a colon when you click on it, in case that was not intentional.

    Thanks again for all that you do.
    ~bina computationem pro justitia

    Reply

    • jimmyweg

      June 10, 2014 at 1:32 pm

      Thanks for your kind words, Preston. The link should have worked as it was, but I fixed it now with a TinyUrl.

      Reply

  5. Luigi Ranzato

    June 4, 2014 at 5:37 am

    Hi Jimmy,
    thanks for the post, very usefull for me;
    Yesterday I tried the extraction operations, but not all goes right.

    In particular:
    1) Mounting with arsenal imager was OK;
    2) Automounting with vss.exe was OK;
    3) but, when I used FTK imager for ramdisk extraction, it has been stopped by “windows defender” while trying extraction a probable malware.

    So, FTK imager has been stopped by “windows defender” and I assume that for a total extraction, I nedd to use a VM without any protections

    Reply

    • jimmyweg

      June 4, 2014 at 8:35 am

      Thanks for writing, Luigi. I’ve disabled Windows Defender, and I think that you should do so. I don’t think it’s necessary for what you’re doing. Maybe you can write an exception for FTKI in Defender. I know that my antivirus doesn’t affect this operation.

      Reply

418 Hits