Preserve VSS Shadow Copies and Encryption Timing Artifacts

Preservation · P1 · 90 min · IR Analyst

Capture and preserve Volume Shadow Copies, encryption timing data, and ransomware-specific artifacts before remediation actions or system rebuilds destroy this critical evidence.

Actions

  1. Enumerate all Volume Shadow Copies on affected systems using vssadmin list shadows -- these may contain pre-encryption versions of files and provide the encryption start timestamp
  2. Export VSS snapshots to external storage before any remediation: use mklink /d to mount shadows, then robocopy critical directories from the shadow mount point
  3. Capture the ransomware encryption timeline by analyzing $MFT timestamps: compare LastModified (encryption time) against Created (original file creation) to determine encryption start/end and propagation speed
  4. Preserve ransom note files, the ransomware binary, encrypted file samples (5-10 files of varying types), and any attacker communication channels (Tor URLs, email addresses, chat portals)
  5. Collect Windows Event Logs from the encryption period: Security (logon events), System (service installations), PowerShell (script execution), and Task Scheduler (persistence)
  6. Capture memory dumps from systems that are still running -- ransomware encryption keys are frequently recoverable from RAM and may enable decryption without paying the ransom

Queries

# PowerShell -- Enumerate and preserve VSS snapshots
vssadmin list shadows
# Mount the most recent snapshot. Confirm its InstallDate predates the encryption start first:
# a snapshot taken after encryption began holds encrypted copies, not originals.
$shadow = (Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate -Descending | Select-Object -First 1).DeviceObject
cmd /c mklink /d C:\VSS_Mount "$shadow\"
# Copy critical files from the snapshot:
robocopy C:\VSS_Mount\Users C:\Evidence\PreEncryption_Users /E /COPY:DAT /R:0 /W:0

# PowerShell -- Encryption timeline from MFT
# Using MFTECmd (Eric Zimmerman). Single quotes are required: in double quotes
# PowerShell expands "$MFT" as an (empty) variable and the path becomes C:\Evidence\
.\MFTECmd.exe -f 'C:\Evidence\$MFT' --csv C:\Evidence\MFT_Output
# Then analyze timestamps in the CSV to identify the encryption wavefront:
# Sort by LastModified to see the encryption progression across directories

# PowerShell -- Capture memory dump
# Using DumpIt or WinPMEM (quote the path so $(hostname) is expanded as one argument):
.\DumpIt.exe /OUTPUT "C:\Evidence\memdump_$(hostname).raw" /QUIET
# Or using WinPMEM:
.\winpmem_mini_x64.exe "C:\Evidence\memdump_$(hostname).raw"
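The CSV analysis that step 3 and the MFT query leave to the analyst, as an added example that is not part of the original playbook: it filters the MFTECmd export on the ransomware's extension and derives the encryption start/end, the files-per-minute rate and the order in which directories were hit. The sample CSV is constructed, the `.locked` extension is a placeholder, and the column names (`ParentPath`, `FileName`, `Extension`, `Created0x10`, `LastModified0x10`) are assumed to match MFTECmd's CSV layout.

```python
import csv
import io
from collections import OrderedDict
from datetime import datetime

# Constructed sample in MFTECmd CSV layout, trimmed to the columns used here.
# ".locked" is a placeholder for whatever extension the variant appends.
SAMPLE_CSV = """ParentPath,FileName,Extension,Created0x10,LastModified0x10
.\\Users\\alice\\Documents,budget.xlsx.locked,.locked,2023-01-10 09:12:00.0000000,2024-03-02 02:14:05.1200000
.\\Users\\alice\\Documents,notes.docx.locked,.locked,2022-11-03 14:00:00.0000000,2024-03-02 02:14:06.4400000
.\\Users\\alice\\Pictures,holiday.jpg.locked,.locked,2021-07-19 18:30:00.0000000,2024-03-02 02:15:40.0000000
.\\Users\\bob\\Desktop,report.pdf.locked,.locked,2023-05-01 08:00:00.0000000,2024-03-02 02:18:05.0000000
.\\Users\\bob\\Desktop,README_TO_DECRYPT.txt,.txt,2024-03-02 02:18:06.0000000,2024-03-02 02:18:06.0000000
.\\Windows\\System32,kernel32.dll,.dll,2023-09-12 10:00:00.0000000,2023-09-12 10:00:00.0000000
"""

def parse_ts(value):
    # MFTECmd writes seven fractional digits; strptime accepts at most six.
    return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")

def encryption_timeline(csv_text, ransom_ext):
    """Derive encryption start/end, rate and directory wavefront from an MFTECmd CSV."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Extension"].lower() == ransom_ext.lower()]
    if not rows:
        return None
    # LastModified0x10 records the last data write, i.e. the encryption pass.
    events = sorted((parse_ts(r["LastModified0x10"]), r["ParentPath"]) for r in rows)
    start, end = events[0][0], events[-1][0]
    minutes = (end - start).total_seconds() / 60
    # Directories ordered by their first encrypted file: the propagation path.
    wavefront = OrderedDict()
    for ts, path in events:
        wavefront.setdefault(path, ts)
    return {
        "start": start,
        "end": end,
        "file_count": len(rows),
        "files_per_minute": len(rows) / minutes if minutes else float(len(rows)),
        # Created0x10 older than the wave confirms encrypted originals, not files dropped by the ransomware.
        "pre_existing": sum(1 for r in rows if parse_ts(r["Created0x10"]) < start),
        "wavefront": list(wavefront),
    }

if __name__ == "__main__":
    for key, value in encryption_timeline(SAMPLE_CSV, ".locked").items():
        print(f"{key}: {value}")
```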

Notes

  • VSS Shadow Copies are deleted by many ransomware variants early in the attack chain -- check immediately as they may not exist
  • Memory dumps should be the highest priority: encryption keys still in RAM may make decryption possible without paying. Do NOT reboot systems before capturing memory
  • Chain of custody documentation is essential for any evidence that may be used in legal proceedings or insurance claims