Daily Blog #354: Determining the number of active shadow volumes copies from an unmounted image

Determining the number of active shadow volumes copies from an unmounted image

Hello Reader,
        Sometimes you just need to know before you go through the process of load all of the you ant to know if there are any volume shadow copies and from what dates. When searching for more information one event log entries related to VSS I found a paper written up by some Champlain students:

http://www.champlain.edu/Documents/LCDI/archive/Volume-shadow-Report_Redux.pdf

Which made reference to the following path:
\System Volume Information\SPP\OnlineMetadataCache

I loaded up FTK Imager and quickly inspected two systems I have to see what I would find there. The first system has Volume Shadow Copies turned on and within the directory I found a file that began with a GUID that matched the Shadow GUID returned by VSS admin and a modification date that matched the date that the shadow copy was made. This was very handy as I can now have a quick way to validate if the shadow copies my forensic tools are exposing to me are valid without having to rely on VSSAdmin.

The second system was more interesting to me. When I first started using the system I turned off volume shadow copies, I hated that it would create a snapshot every time I installed software, and VSSAdmin shows there are no active shadow files. What I found in the OnlineMetadataCache directory surprised me. Contained within it where the original volume shadow metadata catalogs from when my system did have VSCs turned on, turning off the VSC functionality never removed them.

So take aways:
1. If you want to know the last VSC made before VSCs were turned off, check the OnlineMetadataCache directory.

2. If you want to validate that the VSCs you see in your forensic tool line up with what the OS is storing, check the OnlineMetadataCache directory.

3. If you want to validate what caused a VSC to be deleted, look for deleted files in the OnlineMetadataCache directory (both in the MFT and Journals) and then look for Event 33 to see if the deletion was done by the system or by the user.

Post a Comment