The Windows Volume Shadow Copy Service (VSS) allows backups of files, including open files and protected system files, to be made while the operating system is running. Windows uses VSS to take periodic block-level snapshots of NTFS volumes, recording only the blocks that change after each snapshot (a differential, copy-on-write approach). These snapshots are called volume shadow copies and are stored in the System Volume Information folder at the root of the volume. Analyzing them lets forensic tools reconstruct what the system (including user data) looked like at various points in time, which allows recovery of deleted or overwritten files, examination of earlier versions of the registry hives and event logs, and comparison of how files changed over time. On a live system, vssadmin list shadows lists the available volume shadow copies. Because they preserve earlier versions of files, shadow copies are also a common target for attackers: ransomware routinely runs vssadmin delete shadows /all /quiet before encrypting, so the absence of shadow copies on a system that normally keeps them is itself a finding worth noting.
Open-source tools can also be used to access volume shadow copy data from an imaged drive. One popular project for this purpose is libvshadow, located at https://github.com/libyal/libvshadow. libvshadow is also included in the SIFT forensics workstation. Once installed, libvshadow provides two command-line tools to access volume shadow copy data. The vshadowinfo utility lists the volume shadow copies (stores) present in the volume, along with their identifiers and creation times, and vshadowmount exposes each store as a raw NTFS image file (vss1, vss2, and so on) under a FUSE mount point, which you then mount read-only with the loop driver for further analysis. When the volume sits inside a full-disk image rather than a volume image, both tools take the byte offset of the NTFS partition with the -o option.
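As an added example, not taken from the original text or from the libvshadow project, the following shell script strings the procedure above together for a raw full-disk image: it computes the NTFS partition's byte offset, pulls the store numbers and creation times out of vshadowinfo's output so the analyst can choose the snapshot closest to the time of interest, exposes the stores with vshadowmount, and loop-mounts each one read-only. The image path, mount points, start sector and the embedded vshadowinfo-style output are assumptions; the sample output is constructed to mimic the Store: and Creation time lines and is not captured from a real run.

```shell
#!/bin/sh
# Added example: mounting volume shadow copies from a raw disk image with
# libvshadow. Not from the original text or the libvshadow project.
# Assumed: libvshadow-utils and ntfs-3g are installed, the image is a raw
# full-disk image, and the script runs as root (needed for mount / FUSE).
set -eu

# Byte offset of the NTFS partition inside a full-disk image. The start
# sector comes from the partition table (e.g. mmls from The Sleuth Kit);
# the libvshadow tools take the offset in bytes via -o.
partition_offset() {
    start_sector=$1
    sector_size=${2:-512}
    echo $(( start_sector * sector_size ))
}

# Store numbers from vshadowinfo output, space-separated ("1 2 ...").
# vshadowinfo prints one "Store: N" block per shadow copy.
list_store_numbers() {
    printf '%s\n' "$1" | awk '
        /^Store: [0-9]+/ { printf "%s%s", sep, $2; sep = " " }
        END { printf "\n" }'
}

# One line per store, "N<TAB>creation time", so the analyst can pick the
# snapshot closest to the time of interest before mounting anything.
store_timeline() {
    printf '%s\n' "$1" | awk '
        /^Store: [0-9]+/ { store = $2 }
        /Creation time/  { sub(/^[^:]*: */, ""); printf "%s\t%s\n", store, $0 }'
}

# Expose all stores as raw NTFS images (vss1, vss2, ...) under $vssdir,
# then loop-mount each one read-only. show_sys_files exposes $MFT and the
# other metafiles; streams_interface=windows makes alternate data streams
# reachable as file:stream. Both are what forensic tooling usually wants.
mount_shadow_copies() {
    image=$1; offset=$2; vssdir=$3; mntbase=$4
    mkdir -p "$vssdir" "$mntbase"
    vshadowmount -o "$offset" "$image" "$vssdir"
    for store in "$vssdir"/vss*; do
        name=$(basename "$store")
        mkdir -p "$mntbase/$name"
        mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows \
            "$store" "$mntbase/$name"
    done
}

# Reverse of mount_shadow_copies: unmount the NTFS views, then the FUSE dir.
unmount_shadow_copies() {
    vssdir=$1; mntbase=$2
    for m in "$mntbase"/vss*; do umount "$m"; done
    fusermount -u "$vssdir"
}

# Constructed vshadowinfo-style output for the parsing helpers above. It
# mimics the "Store:" / "Creation time" lines but is not a real capture.
SAMPLE_INFO=$(cat <<'EOF'
vshadowinfo 20200101

Volume Shadow Snapshot information:
    Number of stores:   2

Store: 1
    Identifier          : 00000000-0000-0000-0000-000000000001
    Creation time       : Jan 15, 2020 12:34:56.123456700 UTC

Store: 2
    Identifier          : 00000000-0000-0000-0000-000000000002
    Creation time       : Feb 02, 2020 08:00:00.000000000 UTC
EOF
)

# Usage: ./vss_mount.sh image.dd START_SECTOR /mnt/vss /mnt/shadow
# Inspect first with: vshadowinfo -o "$(partition_offset 2048)" image.dd
if [ $# -ge 4 ]; then
    mount_shadow_copies "$1" "$(partition_offset "$2")" "$3" "$4"
fi
```

Mount the shadow copies read-only and work from the loop mounts rather than the files under the FUSE directory; ntfs-3g will otherwise happily update timestamps in the snapshot you are trying to preserve.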
If you encounter the error below:

vshadowmount: command not found

the tools have not been installed yet. Install the package for your distribution:

| Distribution | Command |
|---|---|
| Debian | apt-get install libvshadow-utils |
| Ubuntu | apt-get install libvshadow-utils |
| Kali Linux | apt-get install libvshadow-utils |
| Raspbian | apt-get install libvshadow-utils |