Windows' VSS snapshots are great. The VSS service quielty runs in the
background, periodically making snapshots of just about everything on the
disk.
What happens if you accidentally delete a file? No worries. Pull a (somewhat
old) copy out of a snapshot!
But what happens if you intentionally delete a file? And write over it 35
times? Well, you can also pull a copy out of a snapshot.
Snapshots are a treasure trove of information that people thought was gone.
Forensic analysts use the data from them with little concern of tampering
because there are no tools available to modify the contents of a snapshot. So,
I decided to tamper with them. The snapshots, not the analysts.
This talk covers the basics of how VSS snapshots work and their on-disk format from the perspective of a malicious actor. A modified version of libvshadow, an open source VSS library, is presented which adds write support to VSS snapshots. The challenges and limitations experienced when modifying old snapshots are discussed, as well as a demonstration of the tool.
I'm James Clawson and I like messing stuff up. I make things every once in a while too. I enjoy forensics, I love fuzzing, and I consider malware to be art. When not busy driving drunk on the information super highway, I sometimes visit the zoo.