Volume Shadow Copies (VSS)
The Volume Shadow Copy Service (VSS), also known as Volume Snapshot Service, is a technology included in Microsoft Windows that allows for the creation of point-in-time backup copies, or snapshots, of computer files or volumes, even while they are in use. Its primary system purposes are to facilitate the Windows System Restore feature and the "Previous Versions" functionality, which allows users to recover earlier versions of files and folders.
From a DFIR perspective, Volume Shadow Copies are a forensic treasure trove. Each snapshot is a preserved, historical image of the volume at a specific moment in time. This allows analysts to effectively "travel back in time" to examine the state of the file system before evidence was altered or deleted on the live system.
Location and Structure
VSS snapshots are not simple file copies; they are managed at the block level. The data for these snapshots is stored in a hidden, protected system folder at the root of the volume.
Location: C:\System Volume Information
When a snapshot is created (either automatically by the system before an installation, on a schedule, or manually by a user), VSS essentially freezes the state of the volume. As files are modified on the live system, VSS uses a "copy-on-write" mechanism: before a disk block is overwritten with new data, the original data from that block is copied into the VSS storage area. This ensures that the snapshot remains a consistent and accurate representation of the volume at the time it was taken.
Stored Data and Forensic Access
A VSS snapshot contains a historical version of the entire volume, including:
Files and Directories: Files that existed when the snapshot was taken but have since been deleted from the live file system may still be fully intact and recoverable from an older shadow copy.
NTFS Metadata: Older versions of critical NTFS metadata files, including the $MFT, $UsnJrnl, and $LogFile.
Registry Hives: Snapshots contain copies of all registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, etc.) as they existed at that point in time.
Event Logs: Historical .evtx files can be extracted and analyzed.
Other Forensic Artifacts: Any file-based artifact, such as Prefetch files, browser databases, or Amcache, can be recovered from a shadow copy.
Accessing VSS requires specialized tools. The built-in vssadmin list shadows command can enumerate existing snapshots. GUI tools like ShadowExplorer provide a user-friendly interface to browse the contents of a snapshot as if it were a regular drive. Advanced forensic command-line tools, such as many in the Eric Zimmerman suite (MFTECmd, RECmd, PECmd, etc.), often include a --vss switch that automatically processes all available shadow copies, integrating historical data directly into their analysis.
Forensic Value
VSS analysis is critical for uncovering evidence that has been subjected to anti-forensic techniques on the live system.
Recovering Deleted Evidence: It is one of the most powerful methods for recovering deleted files, scripts, logs, or cheat executables. If a file was deleted after the most recent snapshot was created, it will likely still exist within that snapshot.
Detecting Tampering and Clearing: By comparing an artifact from a shadow copy with its version on the live system, an analyst can definitively prove tampering. For example, if the live NTUSER.DAT hive has its UserAssist keys cleared, but an NTUSER.DAT from a snapshot taken two hours prior shows them fully populated, this is conclusive evidence of registry clearing.
Extending the Timeline: VSS allows an investigation to extend beyond the data available on the live system. Older $MFT or $UsnJrnl files can provide a much longer history of file system activity.
Bypassing Live System Locks: Files that are locked by the operating system (like registry hives) can often be freely copied and analyzed from a mounted shadow copy.
The effectiveness of VSS depends on whether it is enabled on the volume (it usually is for the system drive by default) and the frequency and retention of snapshots, which Windows manages automatically.
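The enumeration-and-compare workflow described above (list snapshots, expose one as a folder, then diff a live artifact against its historical version) as an added PowerShell example; this is not code from the original page. It assumes an elevated session on a machine where VSS is enabled for C:, uses the Win32_ShadowCopy CIM class to enumerate snapshots, and exposes the chosen snapshot through a directory symbolic link to its \\?\GLOBALROOT device path, which is the same data ShadowExplorer browses. The function name, parameter names and the default mount point are choices made for this example.

```powershell
# Added example (not from the original page): compare an artifact folder in a
# shadow copy against the live volume. Assumes an elevated PowerShell session and
# that Win32_ShadowCopy returns at least one snapshot (VSS enabled on C:).
function Compare-ShadowArtifact {
    param(
        # Which snapshot to use, 0 = most recent
        [int]$ShadowIndex = 0,
        # Path relative to the volume root, e.g. Windows\Prefetch
        [string]$RelativePath = 'Windows\Prefetch',
        [string]$Filter = '*.pf',
        # Where the snapshot is exposed (directory symlink, removed at the end)
        [string]$MountPoint = 'C:\vss_mount'
    )

    # Enumerate snapshots, newest first. DeviceObject is the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path the snapshot lives on.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending)
    if ($shadows.Count -eq 0) { throw 'No shadow copies found (VSS disabled, or snapshots deleted).' }
    $shadow = $shadows[$ShadowIndex]
    Write-Host ("Using snapshot {0} created {1} on volume {2}" -f $shadow.ID, $shadow.InstallDate, $shadow.VolumeName)

    # Expose the snapshot as a folder. The trailing backslash on the target is required.
    if (Test-Path $MountPoint) { throw "$MountPoint already exists; choose an empty mount point." }
    cmd /c mklink /d $MountPoint "$($shadow.DeviceObject)\" | Out-Null
    try {
        $snapDir = Join-Path $MountPoint $RelativePath
        $liveDir = Join-Path 'C:\' $RelativePath

        $snapFiles = @(Get-ChildItem -Path $snapDir -Filter $Filter -File -ErrorAction SilentlyContinue)
        $liveFiles = @(Get-ChildItem -Path $liveDir -Filter $Filter -File -ErrorAction SilentlyContinue)
        $liveByName = @{}
        foreach ($f in $liveFiles) { $liveByName[$f.Name] = $f }

        # For every file the snapshot knew about: is it gone, or changed, on the live system?
        $findings = foreach ($s in $snapFiles) {
            $l = $liveByName[$s.Name]
            if (-not $l) {
                [pscustomobject]@{ Name = $s.Name; Status = 'MISSING_ON_LIVE'; SnapshotWrite = $s.LastWriteTime; LiveWrite = $null }
            } elseif ((Get-FileHash $s.FullName).Hash -ne (Get-FileHash $l.FullName).Hash) {
                [pscustomobject]@{ Name = $s.Name; Status = 'MODIFIED'; SnapshotWrite = $s.LastWriteTime; LiveWrite = $l.LastWriteTime }
            }
        }

        # A folder populated in the snapshot but empty on the live system points at
        # bulk deletion (for example Prefetch wiped shortly before the SS).
        [pscustomobject]@{
            Snapshot      = $shadow.InstallDate
            SnapshotCount = $snapFiles.Count
            LiveCount     = $liveFiles.Count
            Findings      = @($findings)
        }
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents
        cmd /c rmdir $MountPoint | Out-Null
    }
}

# Usage: newest snapshot against the live Prefetch folder, then list what is gone
$result = Compare-ShadowArtifact -ShadowIndex 0
$result.Findings | Where-Object Status -eq 'MISSING_ON_LIVE' | Format-Table Name, SnapshotWrite
```

Pointing -RelativePath at a user profile (for example with -Filter 'NTUSER.DAT') lets the same function copy or hash the snapshot's hive even though the live one is locked; the hash comparison is then skipped for the locked file because Get-FileHash cannot open it, so use the file's LastWriteTime and the extracted copy with a registry parser instead.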
Reflection points (SS Contest)
For a ScreenSharer, VSS is the ultimate tool for defeating evidence clearing. It's the "undo" button for a cheater's anti-forensic actions.
The Time Machine: VSS allows an SSer to see the player's system as it was before they tried to hide anything. If a player deletes their entire Prefetch folder just before the SS, a snapshot from an hour ago will likely contain all the incriminating .pf files.
Conclusive Proof of Clearing: Comparing a live artifact to its VSS version is irrefutable. Finding a cleared BAM key on the live system but a populated one in a VSS snapshot is a "case closed" scenario for evidence tampering.
Recovering the Deleted Cheat: This is a primary use case. If a player shift-deletes their cheat, and a recent VSS is available, the SSer can simply browse the snapshot, navigate to the cheat's original location, and recover the executable file itself.
A High-Value, Simple Check: While deep VSS analysis is complex, a quick check with a tool like ShadowExplorer is simple. Finding that a player manually deleted all their System Restore points (vssadmin delete shadows /all) just before the SS is, in itself, an extremely suspicious act of destroying potential evidence.
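The "did they delete their restore points" check above, as an added PowerShell example that is not part of the original page. It looks for the vssadmin delete shadows command in two process-creation sources and corroborates with the current VSS state. Assumptions: an elevated session; Security event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled (without it nothing will match there); the Sysmon channel is consulted only if Sysmon is installed; the "storage configured but zero snapshots" condition is a weak indicator, since a freshly installed or low-disk system can look the same. Function and field names are choices made for this example.

```powershell
# Added example (not from the original page): look for signs that shadow copies
# were deleted shortly before the SS. Assumes an elevated PowerShell session.
function Find-ShadowDeletionSigns {
    param([int]$LookbackHours = 24)
    $since   = (Get-Date).AddHours(-$LookbackHours)
    # Matches "vssadmin delete shadows ..." and "vssadmin.exe delete shadows ..."
    $pattern = 'vssadmin(\.exe)?\s+delete\s+shadows[^\r\n]*'
    $hits    = @()

    # 1. Security 4688 (process creation). The command line is part of the message
    #    text only when command-line auditing is enabled (assumption).
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        if ($e.Message -match $pattern) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security/4688'; Detail = $Matches[0] }
        }
    }

    # 2. Sysmon event 1, if the Sysmon log exists (its CommandLine field is always populated)
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sysmon) {
        if ($e.Message -match $pattern) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon/1'; Detail = $Matches[0] }
        }
    }

    # 3. Corroboration from VSS itself: shadow storage configured but no snapshots left.
    #    Consistent with deletion, not proof of it (weak signal, see lead-in).
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy    -ErrorAction SilentlyContinue)
    $storage = @(Get-CimInstance -ClassName Win32_ShadowStorage -ErrorAction SilentlyContinue)
    if ($storage.Count -gt 0 -and $shadows.Count -eq 0) {
        $hits += [pscustomobject]@{ Time = Get-Date; Source = 'VSS state'; Detail = 'Shadow storage configured but zero snapshots exist' }
    }

    [pscustomobject]@{
        SnapshotCount  = $shadows.Count
        OldestSnapshot = ($shadows | Sort-Object InstallDate | Select-Object -First 1).InstallDate
        Hits           = $hits
    }
}

# Usage: anything in the last 6 hours is what matters for a "just before the SS" check
Find-ShadowDeletionSigns -LookbackHours 6 | Format-List
```

A hit in Security/4688 or Sysmon/1 gives the timestamp of the deletion, which can then be placed next to the SS request time; the VSS-state line alone should only prompt the question, not settle it.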