What is Volume Shadow Copy on Windows 11? by Vigneshwaran #VolumeShadowCopy #VolumeShadowCopyService
https://winsides.com/what-is-volume-shadow-copy-on-windows-11/
Tags: #knowledgedrop #dfir #digitalforensics #volumeshadowcopy
Topic:
Needed to extract a pagefile.sys from a Windows volume shadow copy inside a disk image. By default the file is locked, and even accessing it inside a mounted image is blocked on Windows. Booting Linux helped.
Partition Table:
(example output, not real output)
$ mmls ./windows.img
DOS Partition Table
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ----- 0000000000 0000001024 0000001024 Unallocated
002: 000 0000001024 0000002048 0000001024 EFI system partition
003: 001 0000002048 0000004096 0000002048 Microsoft reserved partition
004: 002 0000004096 0000106496 0000102400 Basic data partition
005: 003 0000106496 0000208896 0000102400 Basic data partition
Assuming the shadow copies live on partition 005 (the second Basic data partition), the byte offset is: <start> * <sector-size> = 106496 * 512 = 54525952
Mounting VSS:
Use offset calculated before:
$ sudo vshadowmount -o 54525952 ./windows.img /mnt
Mounting a snapshot via FUSE:
vshadowmount exposes each snapshot as a raw volume file under the mount point (/mnt/vss1, /mnt/vss2, ...). To access e.g. VSS snapshot 3, mount it read-only:
$ sudo mount -o ro /mnt/vss3 ./tmp
Now you can extract the pagefile.sys from ./tmp/pagefile.sys
Remark: pagefile.sys cannot be analyzed with volatility; strings and yara work.
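Added example (not from the original note or the tools' own code): a POSIX sh script that parses the mmls table to compute the byte offset the way the note does by hand, then drives vshadowmount and mount to pull pagefile.sys out of one snapshot and hashes the result. It assumes sleuthkit (mmls) and libvshadow (vshadowmount) are installed and that snapshots are exposed as vss1, vss2, ...; the mmls table embedded below is a constructed sample copied from the note.

```shell
#!/bin/sh
# Added example: compute a partition's byte offset from mmls output and
# extract pagefile.sys from one VSS snapshot of that partition.
# Assumes sleuthkit (mmls) and libvshadow (vshadowmount) are installed.

# Constructed sample of mmls output, matching the table in the note.
SAMPLE_MMLS='DOS Partition Table
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ----- 0000000000 0000001024 0000001024 Unallocated
002: 000 0000001024 0000002048 0000001024 EFI system partition
003: 001 0000002048 0000004096 0000002048 Microsoft reserved partition
004: 002 0000004096 0000106496 0000102400 Basic data partition
005: 003 0000106496 0000208896 0000102400 Basic data partition'

# partition_offset <mmls-output> <slot>: prints start-sector * sector-size
# for the numbered entry, taking the sector size from the mmls header.
partition_offset() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { key = sprintf("%03d:", want + 0) }
        /^Units are in/ { sub("-byte", "", $4); sector = $4 + 0 }
        $1 == key { printf "%d\n", $3 * sector; found = 1 }
        END { exit found ? 0 : 1 }'
}

# extract_pagefile <image> <slot> <snapshot-number> <output-dir>
# Mounts the shadow copies of the given partition with vshadowmount, mounts
# the chosen snapshot read-only, copies pagefile.sys out and cleans up.
extract_pagefile() {
    img=$1; slot=$2; snap=$3; out=$4
    offset=$(partition_offset "$(mmls "$img")" "$slot") || return 1
    vssdir=$(mktemp -d) && snapdir=$(mktemp -d) || return 1
    sudo vshadowmount -o "$offset" "$img" "$vssdir" || return 1
    # Each snapshot is exposed as a raw volume file: $vssdir/vss1, vss2, ...
    sudo mount -o ro "$vssdir/vss$snap" "$snapdir" || { sudo umount "$vssdir"; return 1; }
    sudo cp "$snapdir/pagefile.sys" "$out/pagefile.vss$snap.sys"
    status=$?
    sudo umount "$snapdir"
    sudo umount "$vssdir"
    rmdir "$snapdir" "$vssdir"
    # Hash the extracted copy so it can be tied back to this snapshot later.
    [ "$status" -eq 0 ] && sha256sum "$out/pagefile.vss$snap.sys"
    return "$status"
}

# Usage: ./extract_pagefile.sh ./windows.img 005 3 ./evidence
if [ "$#" -eq 4 ]; then extract_pagefile "$@"; fi
```

Run it without arguments and nothing is mounted; partition_offset can be sourced and used on its own to double-check an offset before touching the image.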
References:
[1] https://andreafortuna.org/2018/10/01/accessing-volume-shadow-copies-within-a-forensic-image/
[2] https://andreafortuna.org/2019/04/17/how-to-extract-forensic-artifacts-from-pagefile-sys/
There are commercial tools that provide access to the Volume Shadow Copies within a forensic image, but how can this source of data be accessed using only free tools? Here are three methods that I use, enjoy!

Using a VMWare VM:
Using raw2vmdk, create a VMWare virtual disk (.vmdk) file from the image, for example:
java -jar raw2vmdk.jar ./disk.img ./disk.vmdk
Add the .vmdk file as an additional hard drive to a VMWare virtual machine and boot the VM.
List the available VSCs in the .vmdk disk mounted on the VM (for example on drive F:) using the command:
vssadmin list shadows /for=f:
Use the mklink command to mount the VSC.

Using Libvshadow:
This method requires the installation of Dokany, a file-system wrapper like FUSE that works on Windows.
Download the libvshadow source and build it (or download a compiled version).
Install Dokany.
Run mmls (from sleuthkit) to get the sector offset of the partition of interest:
mmls -i raw -t dos z:\disk.img
Run vshadowmount, passing the byte offset, which is calculated as [sector offset] x 512 = [byte offset]:
vshadowmount -o [byte offset] -X allow_other z:\disk.img x:
Access the X:\ volume using FTK Imager.

Using Arsenal Image Mounter and VSS:
Arsenal Image Mounter is a tool that mounts the contents of disk images as complete disks in Microsoft Windows.
Download Arsenal Image Mounter and use it to mount the image file with the "Read Only" option:
aim_cli /mount:removable /readonly /filename=disk.img
List the identifiers of the VSCs (for example, on drive F:\):
vssadmin list shadows /for=f:
Copy the ID of one of the VSCs and use it with the vss command:
vss x:
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy44
Finally, open FTK Imager and add the X:\ volume as a logical drive evidence item.
References and further readings:
Volume Shadow Copies in forensic analysis
Vssadmin documentation from Microsoft
Mklink documentation from Microsoft
raw2vmdk repository on GitHub
Dokany repository on GitHub
Libvshadow repository on GitHub
Sleuthkit's mmls
FTK Imager Lite
Arsenal Image Mounter