Messing with Forensic Analysts: Modifying VSS Snapshots

BSidesLV 2017

Presented by: James Clawson
Date: Wednesday July 26, 2017
Time: 15:30 - 15:55
Location: Proving Ground

Windows' VSS snapshots are great. The VSS service quietly runs in the background, periodically making snapshots of just about everything on the disk.
What happens if you accidentally delete a file? No worries. Pull a (somewhat old) copy out of a snapshot!
But what happens if you intentionally delete a file? And write over it 35 times? Well, you can also pull a copy out of a snapshot.
Snapshots are a treasure trove of information that people thought was gone. Forensic analysts use the data from them with little concern about tampering because there are no tools available to modify the contents of a snapshot. So, I decided to tamper with them. The snapshots, not the analysts.

This talk covers the basics of how VSS snapshots work and their on-disk format from the perspective of a malicious actor. A modified version of libvshadow, an open source VSS library, is presented which adds write support to VSS snapshots. The challenges and limitations experienced when modifying old snapshots are discussed, as well as a demonstration of the tool.

James Clawson

I'm James Clawson and I like messing stuff up. I make things every once in a while too. I enjoy forensics, I love fuzzing, and I consider malware to be art. When not busy driving drunk on the information super highway, I sometimes visit the zoo.
