Volume Shadow Copy - nurit-cyber/OperatingSystemForensics GitHub Wiki
Volume Shadow Copy (VSC)
When enabled, Windows keeps previous versions of a file as it changes. They are listed under the file's Properties (Previous Versions tab), can be opened, and can be restored. This works even after the file has been permanently deleted, as long as a shadow copy taken before the deletion still exists.
This is similar to Time Machine on macOS.
Vista+: Previous Versions are served from Volume Shadow Copy.
Windows 8+: File History (a separate, file-level feature that does not use Volume Shadow Copy; the VSS service itself still exists and still backs System Restore).
To enable it:
System Properties > System Protection > Configure > Turn on system protection, then allocate the disk space it may use.
Restore points are created and managed from the same dialog.
System Restore points are built on VSC. A shadow copy is not a full copy of every file or of the whole system: it keeps only the blocks that have changed since the snapshot was taken (copy-on-write), and a previous version is reconstructed from the live volume plus those saved blocks. If the shadow copy is lost, the previous versions it held are lost with it.
Out of the box, macOS has a comparable tool in Time Machine; mainstream Linux distributions do not enable a comparable volume-level snapshot feature by default (LVM, Btrfs and ZFS snapshots offer similar functionality but have to be set up).
Shadow copies are stored in the System Volume Information folder at the root of the volume they protect; File History is stored on a separate drive.
Uses & Implementation
VSS is what backs the Previous Versions feature and what creates System Restore points.
It also exposes a backup API for taking 'snapshots' of files, folders or whole disks.
Used by Windows Backup, Hyper-V, Virtual Server, Active Directory, SQL Server, and many other services
It works only on NTFS volumes with the Volume Shadow Copy Service running. It has shipped since Windows Server 2003, but shadow copies are not enabled by default on Windows Server 2008 (R2).
Locations of Backups/Restore Points
VSC: C:\System Volume Information
Forensic Importance
- Source data for Restore Points and the Previous Versions feature
- Provide a snapshot of a volume at a particular point in time
- Show how files have been altered or modified over time
- Give access to older copies of the Windows registry hives
- Retain data that has subsequently been wiped, deleted, or encrypted
Shadow copies, however, are not a complete image of the system, and they are not file-level backups.
Basic Technical Details
Copy-on-write illustration (image not reproduced here)
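As an added illustration of copy-on-write (not from the original page), the toy model below keeps a live volume as a list of blocks and, for each shadow copy, a store holding only the blocks overwritten after it was taken; a read of a shadow copy falls through its own store, then every newer store, then the live volume, which is how VSS resolves its chained stores. The 4-byte block size is for readability (VSS itself tracks changes in 16 KiB blocks), and the store chaining and deletion behaviour here are a simplification written for this example, not a description of the service's on-disk logic.

```python
BLOCK_SIZE = 4   # toy size for readability; VSS itself tracks changes in 16 KiB blocks


class CowVolume:
    """Toy copy-on-write volume. The live volume is a list of fixed-size blocks; each shadow
    copy owns a store holding only the blocks overwritten between its creation and the next
    shadow copy. Reading a shadow copy walks its store, then every newer store, then the live
    volume (a simplified model of how the chained stores of a real VSS volume are resolved)."""

    def __init__(self, blocks):
        self.live = list(blocks)
        self.stores = []          # [(shadow_id, {block index: content before overwrite})], oldest first
        self._next_id = 1

    def create_shadow(self):
        shadow_id = self._next_id
        self._next_id += 1
        self.stores.append((shadow_id, {}))
        return shadow_id

    def write(self, index, data):
        """Copy-on-write: the newest store saves the old block the first time it is overwritten;
        further edits of the same block before the next shadow copy are not recorded anywhere."""
        if self.stores:
            self.stores[-1][1].setdefault(index, self.live[index])
        self.live[index] = data

    def _position(self, shadow_id):
        return next(i for i, (sid, _) in enumerate(self.stores) if sid == shadow_id)

    def read_shadow(self, shadow_id, index):
        for _sid, store in self.stores[self._position(shadow_id):]:
            if index in store:
                return store[index]
        return self.live[index]

    def delete_shadow(self, shadow_id):
        """Drop a store. Blocks only this store held are handed to the next older shadow copy so
        it stays readable; once the oldest store is gone, its previous versions are unrecoverable."""
        pos = self._position(shadow_id)
        _sid, removed = self.stores.pop(pos)
        if pos > 0:
            older = self.stores[pos - 1][1]
            for index, data in removed.items():
                older.setdefault(index, data)

    def store_size(self, shadow_id):
        return sum(len(b) for b in self.stores[self._position(shadow_id)][1].values())


def demo():
    """Two shadow copies over a four-block volume; returns what each one can still see."""
    vol = CowVolume([b"AAAA", b"BBBB", b"CCCC", b"DDDD"])
    s1 = vol.create_shadow()
    vol.write(1, b"bbbb")       # first edit after s1: old block 1 is saved into s1's store
    vol.write(1, b"xxxx")       # second edit: nothing more is saved, "bbbb" is never recorded
    s2 = vol.create_shadow()
    vol.write(2, b"\0\0\0\0")   # file "deleted" after s2: block 2's old content goes to s2's store
    return {
        "s1_sees_block1": vol.read_shadow(s1, 1),   # b"BBBB", from s1's own store
        "s1_sees_block2": vol.read_shadow(s1, 2),   # b"CCCC", served through s2's store
        "s2_sees_block1": vol.read_shadow(s2, 1),   # b"xxxx", unchanged since s2, read from live
        "s1_store_bytes": vol.store_size(s1),       # 4: one block, however many times it was edited
        "s2_store_bytes": vol.store_size(s2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things the model makes visible: a block edited several times between two snapshots costs one saved block and keeps only the content it had when the newer snapshot was taken, and deleting the oldest shadow copy discards its previous versions outright.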
File Format
Header: contains the VSS identifier and the catalogue offset
Catalogue: contains the shadow copy GUIDs, creation times, store offsets, etc.
Data stores: contain details of the shadow copy providers, host machine info, volume bitmaps and the associated block data
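The header and catalogue above can be read straight from a raw volume image. The parser below is an added example, not code from the original page or from any project: it reads the volume header at offset 0x1E00, checks the VSS identifier, follows the catalogue offset and merges each shadow copy's type-2 entry (volume size, sequence number, flags, creation time) with its type-3 entry (store offsets). The field offsets are taken from the libvshadow documentation of the format and are an assumption to verify against a real image; the 64 KiB pseudo-volume it runs on is constructed inline and is not a real NTFS volume.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Offsets below follow the libvshadow documentation of the VSS on-disk format (an assumption to
# verify against a real image): a 512-byte volume header at 0x1E00 and 16 KiB catalogue blocks.
VSS_HEADER_OFFSET = 0x1E00
VSS_IDENTIFIER = uuid.UUID("3808876b-c176-4e48-b7ae-04046e6cc752")
CATALOG_BLOCK_SIZE = 0x4000
ENTRY_SIZE = 128


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_volume_header(image):
    """Volume header: VSS identifier, version and the offset of the first catalogue block."""
    hdr = image[VSS_HEADER_OFFSET:VSS_HEADER_OFFSET + 512]
    if uuid.UUID(bytes_le=bytes(hdr[0:16])) != VSS_IDENTIFIER:
        raise ValueError("no VSS volume header at 0x1E00 (volume never had shadow copies?)")
    version, record_type = struct.unpack_from("<II", hdr, 16)
    if record_type != 1:
        raise ValueError(f"unexpected record type {record_type} in volume header")
    catalog_offset, = struct.unpack_from("<Q", hdr, 48)
    return {"version": version, "catalog_offset": catalog_offset,
            "volume_guid": uuid.UUID(bytes_le=bytes(hdr[64:80]))}


def parse_catalog(image, catalog_offset):
    """Walk the chain of catalogue blocks and merge, per store GUID, the type-2 entry (volume
    size, sequence number, flags, creation time) and the type-3 entry (store offsets)."""
    copies, seen = {}, set()
    while catalog_offset and catalog_offset not in seen:     # next offset 0 ends the chain
        seen.add(catalog_offset)
        block = image[catalog_offset:catalog_offset + CATALOG_BLOCK_SIZE]
        if uuid.UUID(bytes_le=bytes(block[0:16])) != VSS_IDENTIFIER:
            raise ValueError(f"bad catalogue block identifier at {catalog_offset:#x}")
        record_type, = struct.unpack_from("<I", block, 20)
        if record_type != 2:
            raise ValueError(f"catalogue block at {catalog_offset:#x} has record type {record_type}")
        next_offset, = struct.unpack_from("<Q", block, 40)
        for pos in range(128, CATALOG_BLOCK_SIZE, ENTRY_SIZE):
            entry_type, = struct.unpack_from("<Q", block, pos)
            if entry_type not in (2, 3):                     # 0 = unused, 1 = free slot
                continue
            guid = uuid.UUID(bytes_le=bytes(block[pos + 16:pos + 32]))
            rec = copies.setdefault(guid, {"store_guid": guid})
            if entry_type == 2:
                rec["volume_size"], = struct.unpack_from("<Q", block, pos + 8)
                seq, flags, ctime = struct.unpack_from("<QQQ", block, pos + 32)
                rec.update(sequence=seq, flags=flags, creation_time=filetime_to_datetime(ctime))
            else:
                rec["store_block_list_offset"], = struct.unpack_from("<Q", block, pos + 8)
                (rec["store_header_offset"], rec["store_block_range_list_offset"],
                 rec["store_bitmap_offset"], rec["mft_reference"], rec["allocated_size"],
                 rec["store_previous_bitmap_offset"]) = struct.unpack_from("<6Q", block, pos + 32)
        catalog_offset = next_offset
    return sorted(copies.values(), key=lambda r: r.get("sequence", 0))


def list_shadow_copies(image):
    return parse_catalog(image, parse_volume_header(image)["catalog_offset"])


def build_sample_image():
    """Constructed 64 KiB pseudo-volume holding one shadow copy; not a real NTFS volume."""
    image, catalog_offset = bytearray(0x10000), 0x4000
    hdr = bytearray(512)
    hdr[0:16] = VSS_IDENTIFIER.bytes_le
    struct.pack_into("<IIQ", hdr, 16, 1, 1, VSS_HEADER_OFFSET)   # version, record type, own offset
    struct.pack_into("<Q", hdr, 48, catalog_offset)
    hdr[64:80] = uuid.UUID("11111111-2222-4333-8444-555555555555").bytes_le
    image[VSS_HEADER_OFFSET:VSS_HEADER_OFFSET + 512] = hdr
    cat = bytearray(CATALOG_BLOCK_SIZE)
    cat[0:16] = VSS_IDENTIFIER.bytes_le
    struct.pack_into("<IIQQQ", cat, 16, 1, 2, 0, catalog_offset, 0)  # record type 2, no next block
    store = uuid.UUID("deadbeef-0000-4000-8000-000000000001")
    struct.pack_into("<QQ", cat, 128, 2, 0x10000)                    # entry 1: store info
    cat[144:160] = store.bytes_le
    struct.pack_into("<QQQ", cat, 160, 1, 0x40000009, 132539328000000000)  # seq, flags, 2021-01-01 UTC
    struct.pack_into("<QQ", cat, 256, 3, 0x8000)                     # entry 2: store offsets
    cat[272:288] = store.bytes_le
    struct.pack_into("<6Q", cat, 288, 0x8000, 0xC000, 0xE000, 0, 0x4000, 0)
    image[catalog_offset:catalog_offset + CATALOG_BLOCK_SIZE] = cat
    return bytes(image)


if __name__ == "__main__":
    for copy in list_shadow_copies(build_sample_image()):
        print(copy["store_guid"], copy["creation_time"], f"store header at {copy['store_header_offset']:#x}")
```

On a real image, pass the raw bytes of the NTFS volume (not the disk) and the creation times come out as UTC; a volume that never had shadow copies has no header at 0x1E00, which the identifier check reports rather than misparsing.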
To browse:
Properties > Previous Versions > Open
To list them from an elevated command prompt:
vssadmin list shadows
vssadmin list shadows /for=c:\
To walk every file in one shadow copy (replace xx with the number from the Shadow Copy Volume line of the vssadmin output):
set shadow=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyxx
for /R %shadow%\ %i in (*) do echo %i
for /R %shadow%\ %i in (*) do echo %i>>"C:\shadow.txt"
Saving the listing to a file makes it easy to compare the files in the shadow copy with those in the live directory.
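A scripted version of the listing-and-comparison procedure above, as an added example (not from the original page): it parses the output of vssadmin list shadows, turns the Shadow Copy Volume line into a walkable \\?\GLOBALROOT\... path, and hashes every file under a directory on the live volume and under the same directory inside each shadow copy, reporting what was created, modified or deleted since the snapshot. The sample vssadmin output is constructed (made-up IDs, host name and timestamp); that Python's file API can open GLOBALROOT device paths the way cmd does is an assumption, and the live comparison needs an elevated prompt on Windows. Anywhere else the script runs its offline demo on two constructed directory trees.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed sample of `vssadmin list shadows` output: field names mirror what vssadmin prints,
# but the IDs, host name and timestamp are made up, not captured from a real host.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0d8a2d27-6e2b-4b43-9f8c-1b1e3d5a0001}
   Contained 1 shadow copies at creation time: 1/5/2021 9:12:03 AM
      Shadow Copy ID: {5f1c3a92-8a1d-4c2e-9b7f-2c4d6e8f0002}
         Original Volume: (C:)\\?\Volume{8e3d1f62-0000-0000-0000-501f00000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WKSTN-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_vssadmin_output(text):
    """One dict per shadow copy, keyed by the lower-cased field names vssadmin prints."""
    shadows, current, set_time = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            current = None                          # new set: stop attaching fields to the last copy
        elif line.startswith("Contained ") and "at creation time:" in line:
            set_time = line.split("at creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "creation_time": set_time}
            shadows.append(current)
        elif current is not None and ":" in line:   # e.g. "Shadow Copy Volume: \\?\GLOBALROOT\..."
            key, value = line.split(":", 1)
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return shadows


def shadow_device_path(shadow):
    """vssadmin prints the device without a trailing backslash; add it so the path is walked
    as a directory (the cmd one-liner on this page ends the path the same way)."""
    return shadow["shadow_copy_volume"].rstrip("\\") + "\\"


def hash_tree(root):
    """Relative path -> SHA-256 of every file under root; None if the file cannot be read."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                hashes[rel] = digest.hexdigest()
            except OSError:                          # locked or unreadable: record presence anyway
                hashes[rel] = None
    return hashes


def diff_trees(live_root, shadow_root):
    """Files created, modified or deleted on the live volume since the snapshot, by content hash."""
    live, shadow = hash_tree(live_root), hash_tree(shadow_root)
    return {
        "deleted_since_snapshot": sorted(set(shadow) - set(live)),
        "created_since_snapshot": sorted(set(live) - set(shadow)),
        "modified_since_snapshot": sorted(p for p in set(live) & set(shadow) if live[p] != shadow[p]),
    }


def demo_on_constructed_trees():
    """Offline run: two constructed directory trees stand in for the shadow copy and the live volume."""
    trees = {"shadow": {"keep.txt": b"same", "old.txt": b"v1", "gone.txt": b"wiped"},
             "live": {"keep.txt": b"same", "old.txt": b"v2", "new.txt": b"fresh"}}
    with tempfile.TemporaryDirectory() as base:
        for sub, files in trees.items():
            os.makedirs(os.path.join(base, sub))
            for name, data in files.items():
                with open(os.path.join(base, sub, name), "wb") as fh:
                    fh.write(data)
        return diff_trees(os.path.join(base, "live"), os.path.join(base, "shadow"))


def main(live_dir):
    """Windows, elevated prompt: compare live_dir with the same path inside every shadow copy of
    its volume; returns {shadow id: diff}. Assumes GLOBALROOT device paths open like directories."""
    drive, rel = os.path.splitdrive(os.path.abspath(live_dir))
    report = subprocess.run(["vssadmin", "list", "shadows", f"/for={drive}\\"],
                            capture_output=True, text=True, check=True).stdout
    return {shadow["id"]: diff_trees(live_dir, shadow_device_path(shadow) + rel.lstrip("\\"))
            for shadow in parse_vssadmin_output(report)}


if __name__ == "__main__":
    on_windows = sys.platform == "win32" and len(sys.argv) > 1
    print(main(sys.argv[1]) if on_windows else demo_on_constructed_trees())
```

Files the live volume has lost but a shadow copy still holds show up under deleted_since_snapshot, which is the case the forensic importance list above cares about most; hashing by content rather than trusting timestamps also catches a file whose MFT times were reset.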
Questions
- Will the VSC record the edits if I save the edits and then delete the file 30 seconds later, or will it only record the deletion? What is the saving time frame, or does it record every single edit?