Reconstruct the World from Vanished Shadow: Recovering Deleted VSS Snapshots

Black Hat USA 2018

Presented by: Minoru Kobayashi, Hiroshi Suzuki
Date: Thursday August 09, 2018
Time: 09:45 - 10:35
Location: Tradewinds EF

Volume Shadow Copy Service (VSS) is a backup feature for recent Windows OSes. You can create storage snapshots by using VSS. If users refer to snapshots, they can recover its contents. VSS is one of the most important things to restore deleted files such as files created by attackers (e.g. attack tools) in the computer forensic task.

However, in recent years, ransomware deletes the snapshots before encrypting files. When the snapshots are deleted, there is no way to access them officially. But, if we can recover the deleted snapshots, we can recover the files which were managed by the snapshots and which must have been lost.

Roughly speaking, VSS manages two kinds of data. One is called "Catalog" and another is called "Store." These files are located in the "System Volume Information" folder. The meta information of VSS snapshots are stored in catalog file, such as creation date and time, offsets to Store data, and so on. The differential data between the current NTFS volume and the snapshot is stored in store files. Store files are created every snapshots creation.

If snapshots are deleted, catalog and store files are deleted. Furthermore, the content of catalog file is destroyed. On the other hand, store data is almost intact. It means that we can access deleted snapshots if we could carve store files and reconstruct the catalog file from recovered store files.

Although Windows can't access deleted snapshots data, our new tools named vss_carver and extended vshadowmount command are able to handle this.

We will cover the details of the implementation and we will also give you several demonstrations with the new tools.

Minoru Kobayashi

Minoru Kobayashi has over 15 years experience in the information security field. He works for Internet Initiative Japan Inc. as a forensic investigator and a CSIRT member of the company. His primary research themes are related to digital forensics tools such as libvshadow, attacking tools such as Mimikatz, and Windows features such as VSS. He is also interested in incident response, network security, malware analysis, and so on. He has been a speaker and a trainer at Mauritius 2016 FIRST TC, Osaka 2018 FIRST TC, and several information security events/conferences. He also holds CISSP certification.

Hiroshi Suzuki

Hiroshi Suzuki is a malware analyst, a forensic investigator and an incident responder, working for a Japanese ISP company, Internet Initiative Japan Inc. He is a member of IIJ-SECT that is a private CSIRT on his company. His main jobs include analyzing malware and vulnerabilities, observing malware activities, threat intelligence for cyber espionage groups, digital forensics, and incident response for his company and his customers. Especially, he is interested in targeted attacks and those RATs or those attack tools, such as PlugX, Mimikatz and so on. He has over 12 years dedicated to those areas. He is a speaker and a hands-on trainer for international conferences such as Black Hat and FIRST.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats