Volume Shadow Copies (VSS)
Location
System Volume Information (accessed via vssadmin or mklink)
Description
Point-in-time volume snapshots created by Windows Volume Shadow Copy Service for System Restore, backup, and application use. Contains complete copies of files and registry hives as they existed at snapshot creation time.
Forensic Value
VSS snapshots are forensic gold because they preserve the state of files and registry hives from before the attack. Comparing the pre-attack and post-attack registry hives reveals exactly what persistence the attacker added. Deleted malware samples may still exist in older shadow copies. Many ransomware variants attempt to delete shadow copies (vssadmin delete shadows), but if that deletion fails, encrypted files can potentially be recovered from the snapshots.
Tools Required
Collection Commands
vssadmin
vssadmin list shadows
cmd
mklink /d C:\vss_mount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
vshadowmount
vshadowmount <image_file> /mnt/vss/
KAPE
kape.exe --tsource C: --tdest C:\output --target VSSFiles --vss
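The following PowerShell script is an added example, not part of the original page and not taken from KAPE or any other tool listed above. It ties the Collection Commands to the hive-comparison idea in Forensic Value: it enumerates shadow copies with their creation times (the same data vssadmin list shadows prints), selects the newest snapshot that predates the incident, exposes it with mklink, copies the snapshot's SOFTWARE hive out, loads that copy under a temporary key, and reports Run/RunOnce entries that exist in the live hive but not in the pre-incident one. The incident time, the mount path C:\vss_mount, the temporary hive name VSS_SOFTWARE and the working directory are assumptions chosen for the example; run it elevated on the affected host.

```powershell
# Added example (not from the original page): find Run-key persistence added since
# the last pre-incident shadow copy. Assumed inputs: $IncidentTime, $MountPath.
param(
    [datetime]$IncidentTime = (Get-Date).AddDays(-1),  # assumed: when encryption began
    [string]$MountPath = 'C:\vss_mount'                 # assumed mount point (as on the page)
)

# 1. Enumerate shadow copies; Win32_ShadowCopy carries the same fields vssadmin prints.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        ID      = $_.ID
        Created = $_.InstallDate    # snapshot creation time (DateTime via CIM)
        Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        Volume  = $_.VolumeName
    }
} | Sort-Object Created
$shadows | Format-Table -AutoSize

# 2. Newest snapshot created before the incident. No such snapshot is inconclusive,
#    not evidence of absence (see Collection Constraints).
$pre = $shadows | Where-Object { $_.Created -lt $IncidentTime } | Select-Object -Last 1
if (-not $pre) { throw "No shadow copy created before $IncidentTime; nothing to compare." }

# 3. Expose the snapshot as a directory. mklink requires the trailing backslash.
if (-not (Test-Path $MountPath)) {
    cmd /c mklink /d $MountPath "$($pre.Device)\" | Out-Null
}

# 4. Copy the snapshot's SOFTWARE hive out (reg load wants a writable file) and load it.
$work = Join-Path $env:TEMP 'vss_hives'          # assumed working directory
New-Item -ItemType Directory -Force -Path $work | Out-Null
$preHive = Join-Path $work 'SOFTWARE.pre'
Copy-Item -Path (Join-Path $MountPath 'Windows\System32\config\SOFTWARE') -Destination $preHive -Force
Get-FileHash $preHive -Algorithm SHA256 | Format-List   # record for chain of custody
reg load 'HKLM\VSS_SOFTWARE' $preHive | Out-Null        # assumed temporary key name

# Read Run/RunOnce values from a loaded SOFTWARE hive root (HKLM:\SOFTWARE or the temp key).
function Get-RunEntries([string]$HiveRoot) {
    foreach ($sub in 'Run', 'RunOnce') {
        $p = "$HiveRoot\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $p)) { continue }
        $key = Get-Item $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $sub; Name = $name; Value = $key.GetValue($name) }
        }
    }
}

try {
    $snap = @(Get-RunEntries 'HKLM:\VSS_SOFTWARE')   # pre-incident state
    $live = @(Get-RunEntries 'HKLM:\SOFTWARE')       # current state

    # 5. Anything present now but absent (or changed) in the snapshot was added after it.
    $baseline = @{}
    foreach ($e in $snap) { $baseline["$($e.Key)|$($e.Name)"] = $e.Value }
    $changes = foreach ($e in $live) {
        $k = "$($e.Key)|$($e.Name)"
        if (-not $baseline.ContainsKey($k)) {
            $e | Add-Member -NotePropertyName Change -NotePropertyValue 'added' -PassThru
        } elseif ($baseline[$k] -ne $e.Value) {
            $e | Add-Member -NotePropertyName Change -NotePropertyValue 'modified' -PassThru
        }
    }
    "Persistence changes since shadow copy $($pre.ID) created $($pre.Created):"
    $changes | Format-Table Change, Key, Name, Value -AutoSize
}
finally {
    # The registry provider can keep key handles open; drop them before unloading.
    [gc]::Collect()
    reg unload 'HKLM\VSS_SOFTWARE' | Out-Null
}
```

Only the SOFTWARE hive is compared here; the same Get-RunEntries pattern applies to a user's NTUSER.DAT taken from Users\<name> in the mounted snapshot, and the mount point should be removed with rmdir (not del) once collection is complete so the snapshot itself is untouched.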
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
MITRE ATT&CK Techniques
Used in Procedures
Determine Encryption Scope and Affected Systems (analyze)
Identify Alternative Evidence When Primary Logs Are Missing (collect)
Document Chain of Custody for All Collected Evidence (preserve)
Rebuild Compromised Systems from Known-Good Images (recover)
Validate Backup Integrity Before Restoration (recover)
Preserve VSS Shadow Copies and Encryption Timing Artifacts (preserve)
Review Ransomware Resilience and Backup Isolation Failures (post-incident)