Daily Blog #354: Determining the number of active volume shadow copies from an unmounted image

Hello Reader,
        Sometimes, before you go through the process of loading all of the volume shadow copies, you just want to know whether there are any and from what dates. When searching for more information on event log entries related to VSS, I found a paper written up by some Champlain students:

http://www.champlain.edu/Documents/LCDI/archive/Volume-shadow-Report_Redux.pdf

which made reference to the following path:

\System Volume Information\SPP\OnlineMetadataCache

I loaded up FTK Imager and quickly inspected two systems I have to see what I would find there. The first system has Volume Shadow Copies turned on, and within the directory I found a file that began with a GUID matching the Shadow Copy ID returned by VSSAdmin, with a modification date matching the date the shadow copy was made. This is very handy, as I now have a quick way to validate whether the shadow copies my forensic tools expose to me are valid without having to rely on VSSAdmin.

The second system was more interesting to me. When I first started using the system I turned off volume shadow copies (I hated that it would create a snapshot every time I installed software), and VSSAdmin shows there are no active shadow copies. What I found in the OnlineMetadataCache directory surprised me. Contained within it were the original volume shadow metadata catalogs from when my system did have VSCs turned on; turning off the VSC functionality never removed them.

So, the takeaways:
1. If you want to know the last VSC made before VSCs were turned off, check the OnlineMetadataCache directory.
2. If you want to validate that the VSCs you see in your forensic tool line up with what the OS is storing, compare the GUID-prefixed file names and their modification dates in the OnlineMetadataCache directory against the Shadow Copy IDs and creation times VSSAdmin reports.
3. If you want to work out what caused a VSC to be deleted, look for deleted files in the OnlineMetadataCache directory (both in the MFT and the journals) and then look for Event 33 to see whether the deletion was done by the system or by the user.
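The comparison in takeaway 2 is easy to script once the OnlineMetadataCache directory has been exported from the image (with FTK Imager, for instance). The following is an added example, not tooling from the blog or from FTK Imager/VSSAdmin. It assumes, as the post reports from one system, that each cache file name begins with the shadow copy GUID (with or without braces), and it parses the standard `vssadmin list shadows` text, where the "creation time" line precedes each "Shadow Copy ID" line. The vssadmin output and directory listing embedded below are constructed sample data; `scan_cache_dir` is provided for running the same reconciliation against a real exported directory.

```python
"""Reconcile OnlineMetadataCache entries against `vssadmin list shadows`.

Added example, not the blog's or any vendor's code. Assumptions:
  - cache file names start with the shadow copy GUID (reported in the post
    for one system; treated here as the naming convention);
  - the directory listing is supplied as (name, mtime) pairs, either from
    scan_cache_dir() on an exported directory or typed in from a viewer.
"""
import os
import re
import sys
from datetime import datetime, timezone

# GUID at the start of a file name, braces optional.
GUID_RE = re.compile(
    r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")
# Lines from `vssadmin list shadows` (English locale).
SHADOW_ID_RE = re.compile(r"Shadow Copy ID:\s*\{([0-9a-fA-F-]{36})\}")
CREATION_RE = re.compile(r"creation time:\s*(.+?)\s*$", re.IGNORECASE)


def parse_vssadmin(text):
    """Return {guid_lower: creation_time_text} from vssadmin output."""
    shadows = {}
    current_time = None
    for line in text.splitlines():
        m = CREATION_RE.search(line)
        if m:                      # precedes the IDs in that shadow copy set
            current_time = m.group(1)
            continue
        m = SHADOW_ID_RE.search(line)
        if m:
            shadows[m.group(1).lower()] = current_time
    return shadows


def guids_in_cache(entries):
    """Return {guid_lower: mtime} for entries whose names begin with a GUID."""
    found = {}
    for name, mtime in entries:
        m = GUID_RE.match(name)
        if m:
            found[m.group(1).lower()] = mtime
    return found


def reconcile(vss_output, entries):
    """Split GUIDs into confirmed, cache-only (no longer listed by the OS,
    e.g. deleted or VSS turned off) and vssadmin-only (not seen in cache)."""
    live = parse_vssadmin(vss_output)
    cached = guids_in_cache(entries)
    return {
        "confirmed": sorted(set(live) & set(cached)),
        "cache_only": sorted(set(cached) - set(live)),
        "vssadmin_only": sorted(set(live) - set(cached)),
    }


def scan_cache_dir(path):
    """Walk an exported OnlineMetadataCache directory -> [(name, mtime_utc)]."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file():
                ts = datetime.fromtimestamp(e.stat().st_mtime, tz=timezone.utc)
                entries.append((e.name, ts))
    return entries


# Constructed sample data (GUIDs are made up for the example).
G_CONFIRMED = "3fa85f64-5717-4562-b3fc-2c963f66afa6"
G_LIVE_ONLY = "8b6d2b1e-1c2a-4f9e-9a7d-0c1f2e3d4b5a"
G_STALE = "11111111-2222-3333-4444-555555555555"

SAMPLE_VSSADMIN = f"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {{aaaaaaaa-0000-0000-0000-000000000001}}
   Contained 1 shadow copies at creation time: 6/10/2014 9:12:33 PM
      Shadow Copy ID: {{{G_CONFIRMED}}}
         Original Volume: (C:)\\\\?\\Volume{{bbbbbbbb-0000-0000-0000-000000000002}}\\
         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {{aaaaaaaa-0000-0000-0000-000000000003}}
   Contained 1 shadow copies at creation time: 6/11/2014 8:02:10 AM
      Shadow Copy ID: {{{G_LIVE_ONLY}}}
"""

SAMPLE_CACHE = [
    ("{" + G_CONFIRMED + "}" + "{extra}.txt", datetime(2014, 6, 10, 21, 12, tzinfo=timezone.utc)),
    (G_STALE + "_catalog", datetime(2014, 2, 1, 12, 0, tzinfo=timezone.utc)),
    ("notes.txt", datetime(2014, 6, 1, tzinfo=timezone.utc)),   # ignored: no GUID prefix
]

if __name__ == "__main__":
    entries = scan_cache_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CACHE
    for bucket, guids in reconcile(SAMPLE_VSSADMIN, entries).items():
        print(bucket, guids)
```

Run it with the path of the exported directory as the only argument (and paste real vssadmin output in place of the sample) to get the three buckets; a non-empty `cache_only` list is exactly the situation the second system showed, and its modification dates give the creation times of the VSCs the OS no longer lists.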
Posted by David Cowen on June 12, 2014

All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020