Accessing Volume Shadow Copies within a forensic image

There are commercial tools that provide access to the Volume Shadow Copies (VSCs) within a forensic image, but how can you access this source of data using only free tools?

Here are three methods that I use, enjoy!

Using a VMware VM

  1. Using raw2vmdk create a VMWare virtual disk (.vmdk) file from the image, for example:
    java -jar raw2vmdk.jar ./disk.img ./disk.vmdk
  2. Add the .vmdk file as an additional hard drive to a VMware virtual machine and boot the VM. The guest can write to the attached disk, so work on a copy of the image or set the virtual disk to independent, nonpersistent mode before booting.
  3. List the VSCs available on the .vmdk disk as mounted in the VM (for example on drive F:) using the command:
    vssadmin list shadows /for=f:
  4. Use the mklink command (with the /d switch) to expose the "Shadow Copy Volume" device path reported by vssadmin as a directory symbolic link. The device path must end with a trailing backslash; without it the link is created but cannot be browsed.

Using Libvshadow

This method requires the installation of Dokany, a user-mode file system layer for Windows comparable to FUSE.

  1. Download the libvshadow source and build it (or download this compiled version)
  2. Install Dokany
  3. Run mmls (from The Sleuth Kit) to get the sector offset of the partition of interest:
    mmls -i raw -t dos z:\disk.img
  4. Run vshadowmount, passing the byte offset of the partition, calculated as [sector offset] x [sector size] = [byte offset]. mmls prints the sector size in its "Units are in N-byte sectors" line; it is 512 on most disks, so the usual formula is [sector offset] x 512, but check the line rather than assuming it, since 4K-native disks report 4096:
    vshadowmount -o [byte offset] -X allow_other z:\disk.img x:
  5. Access the X:\ mount point using FTK Imager: it contains one raw volume file per VSC (vss1, vss2, ...), each of which can be added as an image file evidence item.
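The offset arithmetic in steps 3 and 4 is easy to get wrong by hand, especially when an image has several NTFS partitions or a non-512-byte sector size. The following script is an added example, not part of the original post or of The Sleuth Kit or libvshadow: it parses the table printed by mmls, reads the sector size from the "Units are in N-byte sectors" line instead of assuming 512, and emits the corresponding vshadowmount command line for every NTFS partition. The mmls output embedded in it is constructed for the example (made-up geometry in the real tool's layout), and the image path and mount point are the ones used on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `mmls -i raw -t dos z:\disk.img` output. The geometry
# is made up for this example; the table layout follows the real tool.
SAMPLE_MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
003:  000:001   0001026048   0125827071   0124801024   NTFS / exFAT (0x07)
004:  -------   0125827072   0125829119   0000002048   Unallocated
"""


@dataclass
class Partition:
    index: int
    slot: str
    start: int        # first sector
    end: int          # last sector
    length: int       # sectors
    description: str


_UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
_ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def sector_size(text: str) -> int:
    """Sector size announced by mmls; refuse to guess if the line is missing."""
    m = _UNITS_RE.search(text)
    if not m:
        raise ValueError("mmls output has no 'Units are in N-byte sectors' line")
    return int(m.group(1))


def parse_mmls(text: str) -> List[Partition]:
    """Parse the partition table rows (lines that start with 'NNN:')."""
    parts: List[Partition] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            parts.append(Partition(int(m.group(1)), m.group(2), int(m.group(3)),
                                   int(m.group(4)), int(m.group(5)), m.group(6)))
    return parts


def ntfs_partitions(text: str) -> List[Partition]:
    """Only real file system slots can hold VSCs: drop Meta and Unallocated rows."""
    return [p for p in parse_mmls(text)
            if p.slot not in ("Meta", "-------") and "NTFS" in p.description]


def byte_offset(part: Partition, sector_bytes: int) -> int:
    """[sector offset] x [sector size] = [byte offset]"""
    return part.start * sector_bytes


def vshadowmount_command(part: Partition, sector_bytes: int,
                         image: str, mount_point: str) -> str:
    """Command line for step 4, with the byte offset filled in."""
    return (f"vshadowmount -o {byte_offset(part, sector_bytes)} "
            f"-X allow_other {image} {mount_point}")


def plan_mounts(text: str, image: str, mount_point: str) -> List[str]:
    """One vshadowmount command per NTFS partition found in the mmls output."""
    size = sector_size(text)
    return [vshadowmount_command(p, size, image, mount_point)
            for p in ntfs_partitions(text)]


if __name__ == "__main__":
    for cmd in plan_mounts(SAMPLE_MMLS_OUTPUT, r"z:\disk.img", "x:"):
        print(cmd)
```

Only one partition can be mounted on a given drive letter at a time, so when the plan lists several commands run them one after another, changing the mount point or unmounting between runs.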

Using Arsenal Image Mounter and VSS

Arsenal Image Mounter is a tool that mounts the contents of disk images as complete disks in Microsoft Windows.

  1. Download Arsenal Image Mounter and use it to mount the image file with the "Read Only" option:
    aim_cli /mount:removable /readonly /filename=disk.img
  2. List the identifiers of the VSCs (for example, on drive F:\):
    vssadmin list shadows /for=f:
  3. Copy the device path printed after "Shadow Copy Volume:" for one of the VSCs and pass it to the vss command together with a free drive letter:
    vss x: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy44
  4. Finally open FTK Imager and add the X:\ volume as a logical drive evidence item.
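Both the VMware method and the Arsenal Image Mounter method start from the same `vssadmin list shadows` report and then hand one "Shadow Copy Volume" device path to mklink or to vss. The script below is an added example (not part of the original post, and not code from Microsoft, VMware or Arsenal): it parses that report into records, picks a copy by its HarddiskVolumeShadowCopy number, and builds the mklink command for the VMware method (with the trailing backslash mklink needs) and the vss command for the Arsenal method. The vssadmin output it contains is constructed for the example; the GUIDs, host name and timestamps are made up, but the layout is the real tool's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `vssadmin list shadows /for=f:` output. Not captured
# from a real system: GUIDs, machine name and timestamps are invented.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0f2d8f6e-1111-4a5b-8c7d-000000000001}
   Contained 1 shadow copies at creation time: 3/7/2019 10:12:34 AM
      Shadow Copy ID: {6b9a2c1e-2222-4f0a-9d3e-000000000002}
         Original Volume: (F:)\\?\Volume{3c1e5d8a-3333-4b6c-8e9f-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy44
         Originating Machine: ws-lab01
         Service Machine: ws-lab01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0f2d8f6e-1111-4a5b-8c7d-000000000004}
   Contained 1 shadow copies at creation time: 3/21/2019 08:03:51 AM
      Shadow Copy ID: {6b9a2c1e-2222-4f0a-9d3e-000000000005}
         Original Volume: (F:)\\?\Volume{3c1e5d8a-3333-4b6c-8e9f-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy45
         Originating Machine: ws-lab01
         Service Machine: ws-lab01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass
class ShadowCopy:
    set_id: str
    created: str
    shadow_id: str
    original_volume: str
    device_path: str   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


_SET_RE = re.compile(r"Contents of shadow copy set ID:\s*(\{[0-9a-fA-F-]+\})")
_TIME_RE = re.compile(r"at creation time:\s*(.+?)\s*$")
_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
_ORIG_RE = re.compile(r"Original Volume:\s*(\S+)")
_DEV_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
_NUM_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)$")


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Turn the vssadmin report into one record per shadow copy.

    Values are carried forward line by line and a record is emitted when the
    device path (the only field the mount commands need) is reached.
    """
    copies: List[ShadowCopy] = []
    set_id = created = shadow_id = original = ""
    for line in text.splitlines():
        if (m := _SET_RE.search(line)):
            set_id = m.group(1)
        elif (m := _TIME_RE.search(line)):
            created = m.group(1)
        elif (m := _ID_RE.search(line)):
            shadow_id = m.group(1)
        elif (m := _ORIG_RE.search(line)):
            original = m.group(1)
        elif (m := _DEV_RE.search(line)):
            copies.append(ShadowCopy(set_id, created, shadow_id, original, m.group(1)))
    return copies


def shadow_by_number(copies: List[ShadowCopy], number: int) -> Optional[ShadowCopy]:
    """Select the copy whose device path ends in HarddiskVolumeShadowCopy<number>."""
    for c in copies:
        m = _NUM_RE.search(c.device_path)
        if m and int(m.group(1)) == number:
            return c
    return None


def mklink_command(copy: ShadowCopy, link_path: str) -> str:
    """VMware method, step 4: the trailing backslash on the device path is required."""
    return f"mklink /d {link_path} {copy.device_path}\\"


def vss_command(copy: ShadowCopy, drive_letter: str) -> str:
    """Arsenal Image Mounter method, step 3."""
    return f"vss {drive_letter.rstrip(':')}: {copy.device_path}"


if __name__ == "__main__":
    for c in parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT):
        name = c.device_path.rsplit("\\", 1)[-1]
        print(f"{c.created}  {c.device_path}")
        print("   " + mklink_command(c, rf"C:\vsc\{name}"))
        print("   " + vss_command(c, "x:"))
```

On a live system the same parser can be fed `subprocess.run(["vssadmin", "list", "shadows", "/for=f:"], capture_output=True, text=True).stdout` from an elevated prompt; the creation time is what lets you pick the snapshot that brackets the period of interest before mounting anything.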
