Mounting Shadow Volumes in Linux Ubuntu 12.04
While examining an image of a Windows 7 computer, I struggled to find specific files that I knew at one point resided on the computer. After hours of searching through both the allocated and unallocated area, I found the files in question on the shadow volumes.
Shadow volumes are created by the Volume Snapshot Service (VSS), a service that creates point-in-time copies of files. The service is built into Windows Vista and Windows 7 and is turned on by default. Even overwritten files can be recovered from shadow volumes, as long as they resided on the volume at the time the snapshot was created.
In this article we are going to go through the process of creating a shadow volume snapshot. We will then mount that snapshot and examine the snapshot for deleted data. We will be doing it using an examination computer with Ubuntu 12.04 installed on it.
The plan is to recreate the steps that allow us to create a shadow volume snapshot. The snapshot will contain a specific file that will later be deleted. We will do this in our own controlled environment, then mount and analyze the snapshot. Because the snapshot was created before the file was deleted, the file will be recovered from the snapshot still allocated to the volume.
In order to create our own controlled environment, I began by installing a new Windows 7 Home Premium Operating System on my Laptop.
The installation completed and I logged into the Windows environment. I created a folder on the desktop and named it “Test”.
I navigated to “C:\Users\Public\Pictures\Sample Pictures” directory and copied the picture titled “Penguins.jpg.” I then pasted this picture inside of the Test folder on the desktop.
I added the picture to the Test folder at 5:12 pm. Notice that the picture is in the Test folder located at “C:\Users\Carlos\Desktop\Test.”
I then created a snapshot of the volume by navigating to Start, Control Panel, System and Security, System, System Protection, and pressed the button titled “Create.”
I named it “Test1” and pressed the Create button one last time. I created this snapshot on January 7th, 2013 at 5:17 pm. When the snapshot was created, the Penguins.jpg file was allocated to the Test folder on the Desktop.
Lastly, I navigated to the Test folder and deleted the picture. I deleted the picture at 5:18 pm. Notice that the Test folder is now empty.
This concludes the controlled environment part of our test. I shut down the computer, removed the hard drive from the computer and made a DD image. I chose to make an image so that we could later go through the process of mounting the image.
Installing the tools:
The tool that we will be using to mount the shadow volume was created by Joachim Metz, and is called libvshadow. Libvshadow can be downloaded from here: http://code.google.com/p/libvshadow/downloads/list. At the time of this writing, the latest version was libvshadow-alpha-20130113.tar.gz. Download the tar.gz file and then extract the files from the tar.gz file into your Downloads folder. After you extract the contents of the tar.gz, you should end up with one folder titled “libvshadow-20130113.” The folder contains the source code for the tool.
Prior to installing the tool, make sure that you have FUSE (Filesystem in Userspace) installed on your system; the tool uses it for mounting. You must satisfy this dependency by installing FUSE from the command line, so let’s do that.
Open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.
Now type the below command into the terminal, and press enter. Enter your root password, if needed.
sudo apt-get install libfuse-dev
It is now time to install the tool. Use the cd command to navigate to the folder that contains the source code. If the tool is in your Downloads folder, enter the following into the terminal.
Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter.
To install from source we are going to run four commands: 1) ./configure, 2) make, 3) sudo make install, 4) sudo ldconfig.
./configure generates a new Makefile. After pressing enter, you will see some lines scrolling in your terminal. This is good. When you get your cursor back, look for the line that reads “FUSE support”: it must say “libfuse”. If it reads “NO”, go back and make sure that FUSE (libfuse-dev) is installed properly.
make builds the program. It took about two minutes for me to get my cursor back.
sudo make install
“make install” as root again invokes make; make finds the target install in the Makefile and follows the directions to install the program (credit to: tldp.org/LDP/LG/current/smith.html).
Lastly, run “ldconfig” as root to update the shared library cache so that the newly installed libvshadow library can be found.
Now type “vshadowmount” and press enter. If you get the usage options prompt, congrats, you have installed the tool correctly.
It is now time to begin the examination. I copied the DD image to the root of a USB drive and plugged the drive into a USB port on my examination computer. External media gets mounted under the /media directory.
Type the following into the terminal to determine how your external media was mounted.
Notice that my external media was mounted under the “media” folder as 1E71BBB44FC42448.
Now we need to navigate to the DD on the external media. We will again use the cd command to change directory into the external media. Type the following into the terminal.
Replace “1E71BBB44FC42448” with the directory name assigned to your external media. After doing so, press enter.
Type “ls -l” and press enter. ls is the list files command; the -l flag uses a long listing format.
Notice that we are in the root of my external media and yes, I have a DD image of the drive. The image is titled Windows7_VSS_Test.dd.
Before we move on to the next step, we need to determine the starting sector of the volume inside the image. To do that, we will use the Sleuth Kit tool mmls, which displays the partition layout of a volume system (partition tables). Type the following into the terminal and press enter.
Replace “Windows7_VSS_Test.dd” with the name of your image. After doing so, press enter. These are my results.
Notice that the volume inside my DD starts at sector 206848. Libvshadow needs the offset to the volume specified in bytes, not sectors, so take the starting sector offset, in this instance 206848, and multiply it by the sector size of 512 bytes: 206848 * 512 = 105906176. We now have the information that we need for libvshadow.
But before we move on, we need to designate a location where we can temporarily mount the shadow volume snapshot. To do that, we need to create a mount directory. To keep things simple, let’s create a directory called vssvolume in the root of the mnt folder. Type the below command into the terminal and press enter. Type your root password (if needed).
sudo mkdir /mnt/vssvolume
Again, if you got your cursor back, then everything went well. The vssvolume directory was created at /mnt/vssvolume and your current directory is still /media/1E71BBB44FC42448/.
We now get to use libvshadow. To determine if the image contains any shadow volumes type the following into the terminal.
sudo vshadowinfo -o 105906176 Windows7_VSS_Test.dd
vshadowinfo is the command to determine whether the image has shadow volumes. The -o flag specifies the decimal byte offset to the volume in the image; Windows7_VSS_Test.dd is my image. sudo gives vshadowinfo superuser privileges for the operation. Press enter and type your root password (if needed).
Notice that the image does contain one shadow volume. If your image contains more than one, you will see all of them here, one after the other. According to vshadowinfo the shadow volume was created on Jan 07, 2013 22:17:34.253264700 UTC, which is 5:17 PM Eastern. This coincides with the time that I created the snapshot.
To mount that shadow volume, type the following into the terminal.
sudo vshadowmount -o 105906176 Windows7_VSS_Test.dd /mnt/vssvolume/
vshadowmount is the command to mount the shadow volume. The -o flag specifies the decimal byte offset to the volume in the image; Windows7_VSS_Test.dd is my image; /mnt/vssvolume is the mount point. sudo gives vshadowmount superuser privileges for the operation. Press enter and type your root password (if needed).
These are my results.
Your shadow volume is now mounted under /mnt/vssvolume as the file vss1, a raw image of the volume. Type “sudo ls -l /mnt/vssvolume” and press enter.
From here you can image, carve and/or run the Sleuth Kit tools against the vss1 shadow volume. To access the directory structure of the shadow volume we need to mount it using the mount command. But before we do that, we need to designate a location where we can temporarily mount the shadow volume as a file system. To keep things simple, let’s create a directory called vss1logical in the root of the mnt folder. Type the below command into the terminal and press enter. Type your root password (if needed).
sudo mkdir /mnt/vss1logical
Again, if you got your cursor back, then everything went well. The vss1logical directory was created at /mnt/vss1logical and your current directory is still /media/1E71BBB44FC42448/.
To mount that shadow volume as a file system, type the following into the terminal.
sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1logical/
mount is the command to mount a file system. The -o flag specifies the mount options; in this instance we opted for “ro”, a read-only mount. /mnt/vssvolume/vss1 is the shadow volume, and /mnt/vss1logical/ is the mount point. Press enter, and type your root password (if needed).
Your shadow volume is now mounted as a file system under /mnt/vss1logical/. Change directory (cd) into the vss1logical directory and run ls -l.
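As an added example, not code from the original article, here is the examination procedure above as a POSIX shell script: it parses mmls output to find the OS volume's start sector, converts it to the byte offset libvshadow needs, then mounts every snapshot read-only. The embedded mmls output is constructed to match the layout above, and the function names and the /mnt/vss<N>logical mount points are my own.

```shell
#!/bin/sh
# Added example (not from the original article): the examination steps as
# shell functions. mmls output -> byte offset -> vshadowmount -> read-only mount.
set -eu

# Byte offset = start sector * sector size (mmls: "Units are in 512-byte sectors").
sector_to_bytes() {
    echo $(( $1 * $2 ))
}

# Reads mmls output on stdin; prints "<start> <sector_size>" for the largest
# NTFS partition. On a default Windows 7 disk that is the OS volume; the small
# NTFS partition before it is the 100 MB System Reserved partition.
largest_ntfs_partition() {
    awk '/^Units are in/ { sub(/-byte.*/, "", $4); unit = $4 }
         $6 == "NTFS" && $5 + 0 > best + 0 { best = $5; start = $3 }
         END { if (start != "") printf "%d %d\n", start, unit }'
}

# The -o value for vshadowinfo/vshadowmount, computed from mmls output on stdin.
volume_offset_from_mmls() {
    set -- $(largest_ntfs_partition)
    [ $# -eq 2 ] || { echo "no NTFS partition in mmls output" >&2; return 1; }
    sector_to_bytes "$1" "$2"
}

# Mounts every snapshot in IMAGE read-only at /mnt/vss<N>logical (my naming).
# Needs sleuthkit, libvshadow and root; only called when an image is given.
mount_all_snapshots() {
    offset=$(mmls "$1" | volume_offset_from_mmls)
    vshadowinfo -o "$offset" "$1"                 # list the snapshots first
    mkdir -p /mnt/vssvolume
    vshadowmount -o "$offset" "$1" /mnt/vssvolume
    for snap in /mnt/vssvolume/vss*; do
        n=${snap##*/vss}
        mkdir -p "/mnt/vss${n}logical"
        mount -o ro "$snap" "/mnt/vss${n}logical"   # read-only, as in the article
    done
}

# Constructed mmls output matching the article's layout (OS volume at sector 206848).
SAMPLE_MMLS='DOS Partition Table
Units are in 512-byte sectors
     Slot    Start        End          Length       Description
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000206847   0000204800   NTFS (0x07)
03:  00:01   0000206848   0000312580095   0000312373248   NTFS (0x07)'
echo "offset for the sample layout: $(printf '%s\n' "$SAMPLE_MMLS" | volume_offset_from_mmls)"
[ $# -eq 0 ] || mount_all_snapshots "$1"
```

Run it as root with the image path as its only argument to mount, and undo the mounts with umount /mnt/vss<N>logical followed by fusermount -u /mnt/vssvolume.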
Your shadow volume is now in a read-only mode available for any action that you deem necessary. You can continue in the terminal or navigate the directory structure through Nautilus. I opened Nautilus and navigated to /mnt/vss1logical/Users/Carlos/Desktop/Test/ to see what I could discover. Inside of the folder I found the Penguins.jpg picture still allocated to the shadow volume.
To prove that the Penguins.jpg file is currently deleted under the normal volume in the image, I quickly mounted the volume under /mnt/currentlogical. Using Nautilus I navigated to /mnt/currentlogical/Users/Carlos/Desktop/Test/. Notice that the Penguins.jpg picture is not in the folder.
And there you have it.
This is a free, powerful, and “relatively” straightforward process to mount and examine all of the shadow volumes contained in your image.
If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at firstname.lastname@example.org.