Volume shadow copies (VSCs) have become an important part of the forensic examination of a Windows machine, as they can provide details about user activity that were not available in the past. Being able to see how a system has changed over a period of time can be critical in many examinations, and VSCs can provide just that (and more). The forensic aspects of VSCs, as well as their functionality, have been covered in detail in many other places, so I’m not going to go over those facts in this post. If you’re interested in some references, though, check Harlan Carvey’s new book (or his blog posts here and here), Troy Larson’s presentation slides, Microsoft documentation, the QCC whitepaper, Lee Whitfield’s blog post, or Corey Harrell’s recent blog posts.
Corey Harrell’s series about VSCs provides a great way to access and examine VSCs through the use of batch scripts. By adding a loop to the batch script, Corey showed how to create symbolic links to all shadow copies (or only certain ones) on a disk quickly and efficiently. He also covered adding programs like robocopy, RegRipper, and diff (available in UnxUtils for Windows, as noted by Corey) to batch files in order to target specific data or generate a specific report (such as the difference between two shadow copies). The series covers many other aspects and ideas for examining VSCs, so it’s best that you read the entire thing instead of taking my word for it.
After reading Corey’s series, I decided to explore the option of adding a GUI front-end to his batch scripts. Although the scripts make it easy to access and rip data from VSCs, I was curious what a GUI might look like on top of them, so I decided to take a crack at writing one. What I’ve come up with so far is a functioning GUI application that allows a user to enumerate VSCs, create and remove symbolic links to VSCs, and run a few specific RegRipper commands against them. I’ve also built in a log pane and a results pane so that you can immediately see the results of what you’ve just done.
Since this app is just running batch scripts in the background, there’s a folder called “batch” that must be stored in the same directory as the VSC Toolset executable. As you might have guessed, this is where the batch scripts are stored. Each file in this directory with the .bat extension will be listed in the drop-down box beside “Command” in the GUI. The idea is that a user can write their own batch file with a command to be carried out on a single volume shadow copy, store it in the “batch” folder, and the GUI app (I gave it the name “VSC Toolset”) will take care of the rest. That is, VSC Toolset will list the batch file in the command drop-down box and provide a means of inputting the parameters. This command can then be executed against any number of linked VSCs, which are listed in the “Linked Shadows” check box list.

With the current version, there is a limitation of only one additional input parameter, although I plan to expand this. VSC Toolset always passes the VSC number to the batch file as the first parameter. In some cases, this may be the only parameter we need (such as ripping data from the entire SOFTWARE hive using RegRipper). However, in many cases additional parameters will be needed. To account for this, VSC Toolset has a text box labeled “2nd Parameter” to hold another parameter to be passed to the batch file. An example of passing a second parameter would be ripping a user’s NTUSER.DAT file using the VSC number and the user name. To do this using VSC Toolset, you would simply select “RegRipper-ntuser” from the command drop-down box and type the username of the NTUSER.DAT hive that you would like to rip. From there, you can execute this command on any number of the linked shadow copies.
UPDATE: I’ve added an additional text box to the GUI to hold a third parameter to be passed to the batch file if needed.
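To illustrate the batch-file convention described above, here is an added example of a script that could live in the “batch” folder (it is not one of the scripts shipped with VSC Toolset or from Corey’s series). It assumes the GUI has already linked the shadow copy at C:\vsc<number> and that RegRipper’s rip.exe is on the PATH; both locations are placeholders you would adjust to your own setup.

```batch
@echo off
REM Added example for the VSC Toolset "batch" folder (not the project's own
REM RegRipper-ntuser script). VSC Toolset passes the shadow copy number as %1
REM and the "2nd Parameter" text box as %2 (here: the user name).
REM Assumptions: the GUI has linked shadow copy %1 at C:\vsc%1 and rip.exe
REM (RegRipper) is on the PATH. Both are placeholders for your environment.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<VSC number^> ^<user name^>
    exit /b 1
)
if "%~2"=="" (
    echo Missing user name in 2nd Parameter
    exit /b 1
)

set "HIVE=C:\vsc%~1\Users\%~2\NTUSER.DAT"

REM Fail clearly rather than ripping nothing if that profile does not exist
REM in this particular shadow copy (it may predate the account).
if not exist "%HIVE%" (
    echo Shadow copy %~1: no NTUSER.DAT for user %~2 at "%HIVE%"
    exit /b 2
)

echo === Shadow copy %~1 : NTUSER.DAT for %~2 ===
REM -r names the hive file, -f selects RegRipper's ntuser plugin profile.
REM Output goes to stdout so VSC Toolset can show it in the results pane
REM and save it under the output folder, named by shadow copy.
rip.exe -r "%HIVE%" -f ntuser
endlocal
```

Running the same file against several linked shadows from the GUI gives one saved result per shadow copy, which is what makes the change over time visible when you compare them.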
There’s also a logging pane (the bottom of the two text panes) that keeps track of the batch files that have been executed, along with a timestamp. This log can be saved using the button below the pane, but it’s currently not saved by default. The results pane (the upper pane) displays the results of the commands or batch files that were executed. The check box below this pane controls whether results are saved. The default is to save all results to individual text files, but this can easily be changed. If the results are being saved, they are written to the “output” folder that VSC Toolset creates within the working directory. The results are grouped according to the batch file that created them and named by the shadow copy from which the information was gathered. If a case name is specified using the text box in the VSC Toolset GUI, the results are divided by case name first, then batch file, etc. Other than output directory organization, the case name value serves no purpose.