Reconstruct the World from Vanished Shadow: Recovering Deleted VSS Snapshots

Volume Shadow Copy Service (VSS) is a backup feature of recent Windows versions that creates point-in-time snapshots of a volume. A user who refers to a snapshot can recover its contents. In computer forensics, VSS is one of the most important sources for restoring deleted files, such as files created by attackers (e.g. attack tools).

In recent years, however, ransomware deletes the snapshots before encrypting files. Once the snapshots are deleted, there is no supported way to access them. But if we can recover the deleted snapshots, we can also recover the files they held, which would otherwise be lost.

Roughly speaking, VSS manages two kinds of data, the "Catalog" and the "Store." Both are files located in the "System Volume Information" folder. The catalog file holds the metadata of the snapshots, such as creation date and time and the offsets to the store data. The store files hold the differential data between the current NTFS volume and each snapshot; a new store file is created for every snapshot.

When snapshots are deleted, the catalog and store files are deleted, and the content of the catalog file is destroyed as well. The store data, on the other hand, is almost intact. This means we can access deleted snapshots if we can carve the store files and reconstruct the catalog file from the recovered stores.
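As an added illustration of the carving step (this is not the talk's vss_carver code), the Python below scans a raw image for the record header that VSS catalog and store blocks share and regroups the surviving blocks by their on-disk "next offset" links. The record identifier GUID, header layout and record-type names are taken from libvshadow's public format documentation and are assumptions, not facts stated in this abstract; the image is constructed.

```python
import struct
import uuid

# Record identifier that starts every VSS catalog and store structure
# (GUID from libvshadow's public format documentation; stored little-endian on disk).
VSS_RECORD_GUID = uuid.UUID("3808876b-c176-4e48-b7ae-04046e6cc752").bytes_le
# Record-type names follow the libvshadow documentation (assumption, not from this page).
RECORD_TYPES = {1: "volume header", 2: "catalog", 3: "store index",
                4: "store header", 5: "store block range list", 6: "store bitmap"}
SECTOR, BLOCK = 0x200, 0x4000  # scan granularity; catalog/store blocks are 16 KiB

def parse_record_header(buf, offset):
    """Parse the common 48-byte record header at offset; None if it is not a VSS record."""
    if buf[offset:offset + 16] != VSS_RECORD_GUID:
        return None
    version, rtype, _rel, cur, nxt = struct.unpack_from("<IIQQQ", buf, offset + 16)
    if version != 1 or rtype not in RECORD_TYPES:
        return None  # reject chance GUID hits whose fields are implausible
    return {"offset": offset, "type": RECORD_TYPES[rtype], "current": cur, "next": nxt}

def carve_records(image):
    """Scan sector-aligned offsets of a raw image for surviving VSS record headers."""
    return [r for off in range(0, len(image) - 48 + 1, SECTOR)
            if (r := parse_record_header(image, off))]

def chain_records(records):
    """Follow 'next offset' links to regroup carved blocks into their original lists."""
    by_cur = {r["current"]: r for r in records}
    pointed_to = {r["next"] for r in records if r["next"]}
    chains = []
    for head in (r for r in records if r["current"] not in pointed_to):
        chain, seen, rec = [], set(), head
        while rec and rec["current"] not in seen:  # seen-set guards against loops
            chain.append(rec["type"])
            seen.add(rec["current"])
            rec = by_cur.get(rec["next"]) if rec["next"] else None
        chains.append(chain)
    return chains

def _block(rtype, cur, nxt):
    """Constructed sample block: a record header followed by zero padding."""
    return (VSS_RECORD_GUID + struct.pack("<IIQQQ", 1, rtype, 0, cur, nxt)).ljust(BLOCK, b"\x00")

# Constructed image: free space, a two-block store index list, a block whose header was
# overwritten (like a destroyed catalog block), and a lone store header.
SAMPLE_IMAGE = (b"\x00" * BLOCK + _block(3, 1 * BLOCK, 2 * BLOCK) + _block(3, 2 * BLOCK, 0)
                + b"\xff" * BLOCK + _block(4, 4 * BLOCK, 0))

if __name__ == "__main__":
    recs = carve_records(SAMPLE_IMAGE)
    for r in recs:
        print(f"0x{r['offset']:06x}: {r['type']} -> next 0x{r['next']:x}")
    print(chain_records(recs))
```

Pointing `carve_records` at a real volume image would only report header offsets; the store contents behind each block still have to be carved and the catalog rebuilt, which is what the talk's tools do.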

Although Windows cannot access deleted snapshot data, our new tools, vss_carver and an extended vshadowmount command, can handle it.

We will cover the details of the implementation and also give several demonstrations with the new tools.
