Volume Shadow Copies (VSS)

Tags: windows, Filesystem & Timeline, Disk Image

Location

System Volume Information directory on each NTFS volume (snapshots are not read directly; they are enumerated with vssadmin and exposed through a mklink directory symlink or a mounting tool)

Description

Point-in-time volume snapshots created by the Windows Volume Shadow Copy Service for System Restore, backup, and application use. Each snapshot contains complete copies of files and registry hives as they existed at snapshot creation time.

Forensic Value

VSS snapshots are forensic gold because they preserve the state of files and registry hives from before the attack. Comparing a pre-attack registry hive from a snapshot with the post-attack live hive reveals exactly what persistence the attacker added. Malware samples deleted from the live volume may still exist in older shadow copies. Many ransomware variants attempt to delete shadow copies (vssadmin delete shadows) before encrypting; if that step fails or is blocked, encrypted files can often be recovered from the snapshots.
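The pre/post-attack hive comparison described above, as an added PowerShell example that is not part of the original entry: it enumerates shadow copies (the same data vssadmin list shadows prints), exposes the oldest one with mklink, loads that snapshot's SOFTWARE hive under a temporary key and diffs the Run autorun entries against the live hive. The mount point C:\vss_snap and hive name VSS_SOFTWARE are placeholders chosen for this example; it must run in an elevated session.

```powershell
# Added example, not from the original page. Run as Administrator.
# Placeholders (assumptions): mount point and temporary hive name.
$MountPoint = 'C:\vss_snap'
$HiveName   = 'VSS_SOFTWARE'

# 1. List snapshots, oldest first (equivalent to: vssadmin list shadows).
$shadows = @(Get-CimInstance Win32_ShadowCopy | Sort-Object InstallDate)
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
if ($shadows.Count -eq 0) { throw 'No shadow copies found on this host.' }
$snap = $shadows[0]   # oldest snapshot: best chance of a pre-attack state

# 2. Expose the snapshot as a directory symlink (the trailing backslash is required).
cmd /c "mklink /d $MountPoint `"$($snap.DeviceObject)\`"" | Out-Null

try {
    # 3. Load the snapshot's SOFTWARE hive under a temporary key.
    reg load "HKLM\$HiveName" "$MountPoint\Windows\System32\config\SOFTWARE" | Out-Null

    # 4. Compare HKLM\SOFTWARE\...\Run entries: snapshot (old) vs. live hive (new).
    $runSub = 'Microsoft\Windows\CurrentVersion\Run'
    $old = Get-ItemProperty "HKLM:\$HiveName\$runSub" -ErrorAction SilentlyContinue
    $new = Get-ItemProperty "HKLM:\SOFTWARE\$runSub"  -ErrorAction SilentlyContinue
    $oldNames = @($old.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)
    $newNames = @($new.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)

    foreach ($name in $newNames) {
        if ($name -notin $oldNames) {
            "ADDED since $($snap.InstallDate): $name = $($new.$name)"
        } elseif ($old.$name -ne $new.$name) {
            "CHANGED since $($snap.InstallDate): $name '$($old.$name)' -> '$($new.$name)'"
        }
    }
    foreach ($name in $oldNames) {
        if ($name -notin $newNames) { "REMOVED since $($snap.InstallDate): $name = $($old.$name)" }
    }
}
finally {
    # 5. Clean up: release handles, unload the hive, drop the symlink. The snapshot itself is untouched.
    [GC]::Collect()
    reg unload "HKLM\$HiveName" | Out-Null
    cmd /c "rmdir $MountPoint" | Out-Null
}
```

Entries reported as ADDED or CHANGED are the candidates for persistence introduced after the snapshot was taken; repeat against other snapshots (and the RunOnce and HKCU keys) to narrow the time window.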

Tools Required

vssadmin
vshadowinfo / vshadowmount (libvshadow)
Arsenal Image Mounter
KAPE