Saturday, 19 January 2013

Volume Shadow Copy to Logical Evidence file (LEF)

Encase (or any other tool) does not offer any direct way of saving contents of a shadow copy to an Encase logical evidence file (L01). However this is easily accomplished by way of a script. If you have encase version 6, this script should do the job for you. Download it here.

This is a generic script that allows files from any folder on your local system to be added recursively (with subfolders) to an LEF. The folder you specify can also be the root of the partition (Eg: D:\) in which case it will add all files and folders of that drive into the LEF. Do remember that this is a logical recurse of files that are visible in explorer, do not expect it to grab streams and other artifacts (Recycle bin, etc..). 

One good use I have found for this is to copy out logical files from Volume Shadow Copies (VSC) inside evidence files.

Accessing VSC from evidence files (E01)

To get access to volume shadow copies stored on evidence, you need to mount your evidence disk into windows using Encase’s Physical Disk Emulator. This will mount the drive in a way that Windows sees it as a full disk device and its Shadow Copies are now visible. To get the exact path and other details of shadow copies, use the command ‘vssadmin list shadows’. You will need to run cmd.exe as Administrator for this.
Using the vssadmin tool to view Shadow Copies visible to Windows

The path highlighted above is the one that you give to the script. Do not forget to put a trailing backslash else the script won’t work. In this case it would be 
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\

No comments:

Post a Comment