Monday, November 19, 2007

Vista Volume Shadow Service (VSS) Information - Assistance Request

*Edit 11/20/07 - For clarity, I renamed this blog to Vista VSS information since that is actually the information I am trying to extract, not the System Restore Point information.

Windows Vista introduced several new features, one of which I think will have a huge impact on computer forensics, that being the "Previous Version" feature. The "Previous Version" feature uses the Volume Shadow Service present in Windows 2003, but brings it to a new level by making block level copies of clusters that can contain user files (documents, images, etc).

I have been looking into the new VSS storage method and I think I have found a way to extract some good information about the VSS (step one). Then once I get that figured out, I hope to write an EnScript that might be able to extract the files that have been stored inside the VSS.

This is where I need some assistance from those who have a either running Vista machine with EnCase loaded or image file of a Windows Vista system that can be viewed in EnCase 6. I have written an EnScript to highlight a record of information in the VSS files, but I am not sure yet what the various differences can be based on types of machines, number of drives, etc. So I am asking for assistance by downloading and running the EnScript below and then submitting that back to me so I can compare the various records to see what the differences are.

The EnScript below searches for a record identifier, then bookmarks possible valid records. It also exports the record to a raw file in your default export folder (one file for every valid hit). My Initial research shows one record is present for each VSS file in the "System Volume Information" folder.

The EnScript is not compiled and is readable by anyone, so you can see what it is doing. I have heavily commented each line of code to explain what the EnScript is doing, line-by-line. It is fairly simple. It is looking for a hex value present at the beginning of each record, then reading a value which indicates the length of the record and then bookmarking/exporting that record. The record does not contain anything I consider super-sensitive. The record does contain the name of your machine, the workgroup/domain it belongs to, your machine GUID, some timestamps, the VolumeGUID and the label of the volume.

If you are uncomfortable with sending me this information, thanks for your interest, but stop here.

For those willing to send me this information, please download the EnScript below, preview/load a Windows Vista system in EnCase 6, select all files with GUID names in your "System Volume Information" folder and then run the EnScript.

Once completed, look in your default export folder (C:\Program Files\EnCase6\Export), review the contents to make sure you are comfortable with sending me the contents. Feel free to edit any of the Unicode strings (machine name/domain name, etc) in the exported data with an editor to redact anything you don't wish to share with me, just be careful to preserve the original format of the record. If you are then comfortable nothing sensitive is contained in the files, zip up the exported files and send them to me at lance (at) I will not be sharing any of the submitted files with anyone else. Please indicate when sending information, what version of Vista it is.

Those of you who participate and send me exported data, I will send you beta/final versions of the EnScript as a token of appreciation for your assistance in its development.

Written for Encase v6

Download Here


Anonymous Saturday, 15 March, 2008  

The link is broken.

Lance Mueller Sunday, 16 March, 2008  

Should be fixed, thanks.

Anonymous Tuesday, 17 June, 2008  

im not found encase ver 5

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles