Friday, March 16, 2012

VSC Toolset: A GUI Tool for Shadow Copies

Volume shadow copies (VSCs) have become an important part of the forensic examination of a Windows machine, as they can provide details about user activity that simply were not available before.  Being able to see how the system has changed over a period of time can be critical in many examinations, and VSCs provide just that (and more).  The forensic aspects of VSCs, as well as their functionality, have been covered in detail in many other places, so I'm not going to go over those facts in this post.  If you're interested in some references, though, check Harlan Carvey's new book (or his blog posts here and here), Troy Larson's presentation slides, Microsoft's documentation, the QCC whitepaper, Lee Whitfield's blog post, or Corey Harrell's recent blog posts.

Corey Harrell's series about VSCs provides a great way to access and examine VSCs through the use of batch scripts.  By adding a loop to the batch script, Corey showed how to create symbolic links to all shadow copies (or only certain ones) on a disk quickly and efficiently.  He also covered adding programs like robocopy, RegRipper, and diff (available in UnxUtils for Windows, as noted by Corey) to batch files in order to target specific data or generate a specific report (such as the difference between two shadow copies).  The series covers many other aspects of and ideas for examining VSCs, so it's best that you read the entire thing instead of taking my word for it.
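The enumerate-and-link loop described above, as an added example written for this page (it is not Corey's script and not one of the batch files shipped with VSC Toolset).  It runs vssadmin, creates one directory symlink per shadow copy, and can remove them again.  The link root C:\vsc and the vscN link names are assumptions.  One design point worth copying: it keys on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path rather than on the "Shadow Copy Volume:" label, because that label is localized on non-English Windows while the device path is not.

```batch
@echo off
setlocal EnableDelayedExpansion
REM link_shadows.bat - link (or unlink) every volume shadow copy on the system.
REM Added example; not part of VSC Toolset or Corey Harrell's scripts.
REM Must be run from an elevated cmd prompt (mklink /d needs it).  Usage:
REM     link_shadows.bat link   [link_root]
REM     link_shadows.bat unlink [link_root]
REM link_root defaults to C:\vsc (an assumption; any empty directory works).

set "MODE=%~1"
set "LINK_ROOT=%~2"
if "%LINK_ROOT%"=="" set "LINK_ROOT=C:\vsc"
if /i not "%MODE%"=="link" if /i not "%MODE%"=="unlink" (
    echo usage: %~nx0 link or unlink [link_root]
    exit /b 1
)
if not exist "%LINK_ROOT%\" mkdir "%LINK_ROOT%"

REM Key on the device path, not on the label in front of it.  The label is
REM localized ("Shadow Copy Volume:" in English, "Volume de cliche instantane :"
REM in French) but \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN is the same on
REM every language of Windows, and N is the number the link is named after.
REM "tokens=1,* delims=:" splits label from path; the path itself has no colon.
for /f "tokens=1,* delims=:" %%A in ('vssadmin list shadows ^| findstr /i /c:"HarddiskVolumeShadowCopy"') do (
    REM The second field still carries a leading space; a second for /f trims it.
    for /f "tokens=* delims= " %%D in ("%%B") do (
        set "DEV=%%D"
        REM Strip everything up to and including "HarddiskVolumeShadowCopy", leaving N.
        set "N=!DEV:*HarddiskVolumeShadowCopy=!"
        if /i "%MODE%"=="link" (
            if exist "%LINK_ROOT%\vsc!N!" (
                echo vsc!N! already linked
            ) else (
                REM The trailing backslash on the target is required for shadow copy devices.
                mklink /d "%LINK_ROOT%\vsc!N!" "!DEV!\"
            )
        ) else (
            REM rmdir on a directory symlink removes only the link, never the shadow copy.
            if exist "%LINK_ROOT%\vsc!N!" rmdir "%LINK_ROOT%\vsc!N!"
        )
    )
)
endlocal
```

After `link_shadows.bat link`, each copy is reachable as C:\vsc\vsc25, C:\vsc\vsc26 and so on, and the same per-VSC batch file can be pointed at each of them in turn; `link_shadows.bat unlink` tears the links down without touching the shadow copies themselves.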

After reading Corey's series, I decided to explore the option of adding a GUI front-end to his batch scripts.  Although the scripts make it easy to access and rip data from VSCs, I was intrigued as to what a GUI might look like on top of those scripts.  So I decided to take a crack at writing one.  What I've come up with so far is a functioning GUI application that allows a user to enumerate VSCs, create and remove symbolic links to VSCs, and run a few specific RegRipper commands against them.  I've also built in a log pane and a results pane so that you can immediately see the results of what you've just done.     

Since this app is just running batch scripts in the background, there's a folder called "batch" that must be stored in the same directory as the VSC Toolset executable.  As you might have guessed, this is where the batch scripts are stored.  Each file in this directory with the .bat extension will be listed in the drop-down box beside "Command" in the GUI.  The idea is that a user can write their own batch file with a command to be carried out on a single volume shadow copy, store it in the "batch" folder, and the GUI app (I gave it the name "VSC Toolset") will take care of the rest.  That is, VSC Toolset will list the batch file in the command drop-down box and provide a means of inputting the parameters.  This command can then be executed against any number of linked VSCs, which are listed in the "Linked Shadows" check box list.

With the current version, there is a limitation of only one additional input parameter, although I plan to expand this.  VSC Toolset always passes the VSC number to the batch file as the first parameter.  In some cases, this may be the only parameter we need (such as ripping data from the entire SOFTWARE hive using RegRipper).  However, in many cases additional parameters will be needed.  To account for this, VSC Toolset has a text box labeled "2nd Parameter" to hold another value to be passed to the batch file.  An example of passing a second parameter would be ripping a user's NTUSER.DAT file using the VSC number and the user name.  To do this using VSC Toolset, you would simply select "RegRipper-ntuser" from the command drop-down box and type the user name of the NTUSER.DAT hive that you would like to rip.  From there, you can execute this command on any number of the linked shadow copies.

UPDATE: I've added an additional text box to the GUI to hold a third parameter to be passed to the batch file if needed.
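What a batch file in the "batch" folder might look like, as an added example written for this page (it is not the RegRipper-ntuser.bat that ships with VSC Toolset).  It follows the parameter convention the post describes: %1 is the VSC number the GUI always supplies, %2 is the "2nd Parameter" (here the user name), and %3 is the optional third parameter.  The symlink location C:\vsc\vscN and the path to rip.exe relative to the batch folder are assumptions.

```batch
@echo off
setlocal
REM RegRipper-ntuser.bat - rip one user's NTUSER.DAT out of one linked shadow copy.
REM Added example of a file that could live in VSC Toolset's "batch" folder;
REM it is not one of the batch files shipped with the tool.
REM Parameters, in the order VSC Toolset passes them:
REM   %1  shadow copy number (always supplied by the GUI)
REM   %2  user name whose NTUSER.DAT to rip ("2nd Parameter" box)
REM   %3  optional: folder holding the symlinks, named vscN (assumed C:\vsc)
REM Assumes rip.exe is in the "regripper" folder beside the "batch" folder,
REM as the post describes; %~dp0 is this batch file's own directory.

if "%~2"=="" (
    echo usage: %~nx0 vsc_number user_name [link_root]
    exit /b 1
)
set "VSC=%~1"
set "RIPUSER=%~2"
set "LINK_ROOT=%~3"
if "%LINK_ROOT%"=="" set "LINK_ROOT=C:\vsc"
set "LINK=%LINK_ROOT%\vsc%VSC%"
set "RIP=%~dp0..\regripper\rip.exe"

if not exist "%RIP%" (
    echo rip.exe not found at %RIP%
    exit /b 1
)
if not exist "%LINK%\" (
    echo vsc%VSC% is not linked; create the symbolic link first
    exit /b 1
)

REM Try the Vista/7 profile layout first, then the XP layout.
set "HIVE=%LINK%\Users\%RIPUSER%\NTUSER.DAT"
if not exist "%HIVE%" set "HIVE=%LINK%\Documents and Settings\%RIPUSER%\NTUSER.DAT"
if not exist "%HIVE%" (
    echo no NTUSER.DAT for %RIPUSER% in vsc%VSC%
    exit /b 1
)

REM -r names the hive, -f selects RegRipper's ntuser plugin profile.
echo === vsc%VSC% %HIVE% ===
"%RIP%" -r "%HIVE%" -f ntuser
endlocal
```

Because every failure exits non-zero with a one-line reason, the GUI's results pane shows exactly why a given shadow copy produced nothing (not linked, no profile for that user) instead of a silent empty file.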

There's also a logging pane (the lower of the two text panes) that keeps track of the batch files that have been executed, along with a timestamp.  This can be saved using the button below the pane, but it's currently not saved by default.  The results pane (the upper pane) displays the output of the commands or batch files that were executed.  The check box below this pane controls whether all results are saved or not.  The default is to save all results to individual text files, but this can easily be changed.  If the results are being saved, they are saved to the "output" folder that VSC Toolset creates within the working directory.  The results are grouped by the batch file that created them and named by the shadow copy from which the information was gathered.  If a case name is specified using the text box in the VSC Toolset GUI, the results are divided by case name first, then batch file, etc.  Other than output directory organization, the case name value serves no purpose.

To get VSC Toolset up and running, you'll need to download the executable here.  After extracting the contents of the zip file, you should see the VSC Toolset executable, a "batch" folder with a few batch files in it, and an empty "regripper" folder.  You'll need to copy Harlan's RegRipper files into that folder so that rip.exe sits directly inside "regripper" (make sure it's not two folders deep, or VSC Toolset will not see it).  From there, you should be able to run VSC Toolset to access and run batch files against your volume shadow copies.

This app is still in its infancy and will certainly require more testing and development, but it's readily available for creating symbolic links to many shadow copies at once, running a few commands against the shadow copies, and keeping track of what you're doing.  While I can make no guarantees about this app, I've found it to be useful in the handful of scenarios I've tested it with (no actual cases though).  Feel free to download it and give it a try.  Any feedback on improvements, bugs, or whether you even found it to be useful would be appreciated.

10 comments:

  1. Very cool, Jason! Thanks for taking the time to write this...

    1. Thanks Harlan! I hope this makes it even easier when examiners need to work with VSCs, especially if they aren't as comfortable at the command line or just prefer a GUI.

  2. Hi Jason,
    It seems very interesting and full of potential for all of us. I tested it on my French version of Windows 7... I have the vssadmin log on the right part of the screen, but no shadows appeared in the left part of the screen (and there are some...). How do you analyze the log of VSS?

    Here is the output of the French version (sorry about that)

    Of course i ran it as an administrator.

    Kind regards

    Jean-Philippe NOAT

    [translated from French]
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Contents of shadow copy set ID: {bc2414d3-9090-480c-a1fd-a9b1a05785bb}
    Contained 1 shadow copies at creation time: 11/11/2011 03:00:57
    Shadow Copy ID: {8b980b70-c0ca-4b78-8ea2-c4f733014409}
    Original Volume: (?)\\?\Volume{7a83391b-5ed4-11e1-a5de-005056c00008}\
    Shadow Copy Volume (French label: "Volume de cliché instantané"): \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy25
    Originating Machine: PC-de-Dimitre
    Service Machine: PC-de-Dimitre
    Provider: 'Microsoft Software Shadow Copy provider 1.0'
    Type: ClientAccessibleWriters
    Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

    1. Jean-Philippe,

      Thanks for trying this out and thanks for the feedback. I believe I've identified the problem (simply due to the difference in language in the line listing the shadow copy name). I'm not where I can fix this right now, but I'll make the appropriate changes later today and let you know when the new version is ready for download.

  3. Thanks Jason, that sounds great. I also think it has something to do with my W7 version. Thanks for answering so quickly. Kind regards. I'll evaluate your tool on real cases and I'll give you feedback, I promise.

    Kind regards

    1. Jean-Philippe,

      I've updated the tool to where it should (hopefully) work for you. Let me know if you run into any more issues.

    2. Works perfectly well now, great work Jason

  4. Very good tool! I was searching for something like that, and before I played with vssadmin and hobocopy for some time, but a GUI sounds and works like a charm!

    Thank you! Excellent tool!

    1. Thanks Dony, I'm glad you've found some use in it. I'm always interested in hearing about suggestions for improvement or bugs that you come across, so feel free to reach out if you find some.

  5. Thank you for this great tool! I have, however, come across a small problem that you or someone here might know the answer to: I am working on an image where the interesting data I am looking for is found inside a shadow copy file that is deleted. It seems that none of the file is overwritten, so I am able to fully extract the shadow copy file. I do not know, however, how to let this or any other tool read this file, as it does not reside inside "System Volume Information". Any suggestions?
