Accessing Volume Shadows, re-revisited

As a follow-on to my previous post, I wanted to provide a concise summary or overview of the processes for accessing VSCs.

First, a couple of important factors regarding this exercise:

The goal of this exercise was to identify and validate processes for accessing VSCs within acquired images, using free and open source tools on a Windows analysis system.

The source image file was from Digital Corpora’s Lone Wolf scenario (downloaded .e0x files, also converted to raw/dd). Note that when using mmls.exe to view the partition table, the partition type is “gpt”, not “dos”. This is part of the reason I wanted to use this image, to see if the tools used have any issues with different partition types. The other reason for using this image is that it is (relatively) easily accessible by almost anyone, and anything I did can be validated using the image.

Processes

.e0x
Arsenal Image Mounter (Mount through libewf)
  |__ ShadowExplorer (v0.9)

raw/dd #1
Arsenal Image Mounter (Mount raw image)
  |__ vssadmin
        |__ vss (X:)
              |__ FTK Imager (add X:\ as logical drive evidence item)

raw/dd #2
mmls
  |__ vshadowinfo / vshadowmount (requires Dokan 0.7.4)
        |__ access individual VSCs via FTK Imager (Image File)

raw/dd #3
Convert to *.e0x format, use *.e0x process (above)

I’ve been able to repeatedly replicate raw/dd processes #1 and #2 on several other images to which I have access.
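The one place raw/dd process #2 goes wrong in practice is the hand-off from mmls to the libvshadow tools: mmls reports the partition start in sectors, while vshadowinfo and vshadowmount take their -o offset in bytes. The script below is an added example, not code from the original post, that scripts that hand-off: it parses an mmls listing, multiplies the start sector of the "Basic data partition" by the sector size mmls itself reports, and prints the vshadowinfo/vshadowmount command lines. The mmls listing embedded in it is a constructed "gpt" layout (not the Lone Wolf image's real table), and the image name "lonewolf.dd" and the mount point are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the first two
# steps of raw/dd process #2: read the partition table as mmls prints it,
# convert the start sector of the Windows data partition into the byte offset
# that vshadowinfo/vshadowmount take with -o, and print those command lines.
# SAMPLE_MMLS is a constructed listing in mmls's "gpt" layout (it is NOT the
# Lone Wolf image's table); the image name and mount point are assumptions.

SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000206847   0000204800   EFI system partition
005:  001       0000206848   0000239615   0000032768   Microsoft reserved partition
006:  002       0000239616   0104857599   0104617984   Basic data partition'

# Read an mmls listing on stdin and print the byte offset of the first
# "Basic data partition" (the NTFS volume that holds the VSCs).
# The sector size is taken from mmls's own "Units are in N-byte sectors"
# line rather than assumed to be 512, because -o wants bytes and a 4K-sector
# image would otherwise be off by a factor of eight. Fails (exit 1) when
# either value is missing, so a caller cannot mount at offset 0 by mistake.
ntfs_byte_offset() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { sub(/-byte.*/, "", $4); unit = $4 }
        /Basic data partition/ && !found    { start = $3; found = 1 }
        END {
            if (!found || unit == "") exit 1
            printf "%d\n", start * unit
        }'
}

# Print the libvshadow invocations for a raw image at that byte offset.
# $3 is the mount point; with Dokan on Windows this would be a drive letter.
vsc_commands() {
    image="$1"; offset="$2"; mount="${3:-/mnt/vss}"
    printf 'vshadowinfo -o %s %s\n' "$offset" "$image"
    printf 'vshadowmount -o %s %s %s\n' "$offset" "$image" "$mount"
}

# Stand-alone run over the constructed listing; "lonewolf.dd" is a placeholder.
if offset=$(printf '%s\n' "$SAMPLE_MMLS" | ntfs_byte_offset); then
    echo "NTFS volume byte offset: $offset"
    vsc_commands lonewolf.dd "$offset"
else
    echo "no Basic data partition found in mmls output" >&2
fi
```

Because the parser keys on the start-sector column rather than on the slot format, the same function works on mmls output for a "dos" partition table; the remaining step of process #2 (adding the mounted vss files to FTK Imager as an image file) is a GUI action and is not scripted here.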

Article Link: http://windowsir.blogspot.com/2018/09/accessing-volume-shadows-re-revisited.html