
Shadow Copies

Volume Shadow Copy Service (VSS) is a component of Microsoft Windows that allows the creation of backup copies or snapshots of computer files or volumes, even while the files are in use. It is particularly important for backup and disaster recovery purposes. VSS can create shadow copies on a scheduled basis or in response to specific events.

Key Insights:

  • Location and Management: VSS snapshots are managed by the Volume Shadow Copy Service and are not exposed as ordinary files. The snapshot data lives in the hidden "System Volume Information" folder on the volume being protected, and each snapshot is presented as a device object such as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, which is the form in which vssadmin and WMI report it.

  • Critical Information: VSS can store multiple shadow copies of a volume, with Windows capable of maintaining a default maximum of 64 snapshots per volume. The configuration can be altered by administrators, affecting the retention and creation schedule of shadow copies.

Overview:

VSS operates by creating point-in-time snapshots of file system volumes. These snapshots capture the state of the volume at a specific moment, allowing users or applications to view or restore previous versions of files without interrupting current operations.

The service is crucial for systems where data integrity and availability are paramount, such as databases and file servers. VSS snapshots are used by backup software to ensure consistent backups of files that are open or in use, without needing to shut down applications or lock files.

Interaction with Malware and Attacks:

Attackers may target VSS for several reasons:

  • Deletion of Snapshots: Malware, especially ransomware, often attempts to delete VSS snapshots to prevent users from restoring encrypted or modified files without paying the ransom.

  • Data Theft: Attackers may explore VSS snapshots to recover files or data that have been deleted from the active file system but remain available in a snapshot.

Practical Use Case:

A cybersecurity incident response team might investigate the deletion of VSS snapshots to determine if it was part of a ransomware attack. Using tools like CrowdStrike Falcon, they can examine processes that have attempted to modify or delete VSS snapshots, analyzing process behavior, reputation, and origin to differentiate between legitimate system activities and malicious actions.

Manual Examination:

To manually examine VSS snapshots and investigate potential deletion or tampering:

  1. List Current Shadow Copies: Run vssadmin list shadows from an elevated Command Prompt to list every snapshot that still exists, with its creation time and originating volume. An empty list on a volume that normally keeps snapshots is itself a finding.

  2. Check for Recent Deletions: The most reliable record of a deletion is process-creation auditing. With "Include command line in process creation events" enabled, Security Event ID 4688 (or Sysmon Event ID 1) shows invocations such as vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, and PowerShell scripts that remove Win32_ShadowCopy instances. In the System log, the volsnap source logs Event ID 25 when snapshots are discarded because the shadow storage area could not grow; that is normal on a full disk but suspicious immediately after a resize command.

  3. Investigate Process Activity: Utilize tools like CrowdStrike Falcon or Windows Event Viewer to investigate suspicious processes that may have interacted with VSS. This involves checking process details, reputation scores, and behavior for indications of malicious activity.

Commands for Investigation:

  • To check current shadow copies:

    vssadmin list shadows
  • To list the shadow copies that still exist, newest first, using PowerShell (WMI only knows about surviving snapshots, so a deletion shows up as a gap in the timeline or an empty result; Get-CimInstance is the current replacement for the deprecated Get-WmiObject):

    Get-CimInstance -Namespace "root\cimv2" -ClassName Win32_ShadowCopy | Select-Object -Property DeviceObject, VolumeName, InstallDate | Sort-Object -Property InstallDate -Descending
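The manual examination steps and the investigation commands above combined into one host triage script. This is an added example, not code from the original page; it assumes an elevated session on the host under investigation and that Security 4688 command-line auditing and/or Sysmon are enabled (without them the event queries simply return nothing). The seven-day lookback and the regex of tampering commands are illustrative choices.

```powershell
# Added example: triage shadow copies and the events around their deletion on one host.
# Assumes an elevated PowerShell session; Get-CimInstance replaces the deprecated Get-WmiObject.

# 1. Snapshots that still exist, newest first. Win32_ShadowCopy lists only surviving
#    copies, so look for a volume whose history stops abruptly or has no copies at all.
$shadows = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, DeviceObject, InstallDate, ClientAccessible |
    Sort-Object InstallDate -Descending
"== Existing shadow copies =="
$shadows | Format-Table -AutoSize

# 2. Process-creation events whose command line touches shadow copies.
#    Security 4688 carries the command line only when command-line auditing is enabled;
#    Sysmon Event ID 1 always does. Lookback window and pattern are assumptions.
$lookback = (Get-Date).AddDays(-7)
$pattern  = 'vssadmin.*delete|vssadmin.*resize shadowstorage|wmic.*shadowcopy.*delete|Win32_ShadowCopy|diskshadow|wbadmin.*delete'

$security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

"== Process creation events touching shadow copies =="
foreach ($e in (@($security) + @($sysmon))) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Log     = $e.LogName
        Id      = $e.Id
        # 4688 labels the field "Process Command Line:", Sysmon labels it "CommandLine:".
        Command = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'Command ?Line:' }) -join ' '
    }
}

# 3. volsnap records in the System log. Event ID 25 means snapshots were discarded because
#    the shadow storage could not grow: expected on a full disk, suspicious right after a
#    'vssadmin resize shadowstorage' seen in step 2.
"== volsnap events =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'volsnap'; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Correlate the three outputs by time: a resize or delete command in step 2 followed within seconds by a volsnap entry in step 3, on a volume that step 1 now shows as empty, is the sequence ransomware leaves behind.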

Open Source Tools:

  • PowerShell: Built-in cmdlets such as Get-CimInstance (or the older Get-WmiObject) and Get-WinEvent can be used to query shadow copies and event logs for forensic analysis.

  • Sysinternals Suite: Tools such as Process Explorer can help identify and investigate processes that might be interacting with VSS in an unauthorized manner.

Security Considerations:

  • Access Control: Deleting or resizing shadow copies with vssadmin, wmic or WMI requires administrator rights, so the membership to watch is the local Administrators group; Backup Operators is the group intended for backup agents that create and read snapshots. Review membership with Get-LocalGroupMember -Group Administrators or net localgroup Administrators, and keep day-to-day accounts as standard users so that malware running in a user session cannot remove snapshots without elevation.

  • Monitoring and Alerts: Alert on process-creation events whose command line deletes or shrinks shadow copies (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, PowerShell removing Win32_ShadowCopy instances) and on related recovery-inhibition commands such as wbadmin delete catalog and bcdedit recoveryenabled No. Weight the alert by the parent process: a backup agent invoking vssadmin is expected, cmd.exe or a binary in a user profile doing so is not.
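The monitoring rule described above as a working detection, run here over constructed sample process-creation records so it executes offline. This is an added example, not code from the original page or from any vendor product; the rule names, the severity heuristic, and the sample records are illustrative assumptions. In production the records would be built from Security 4688 or Sysmon 1 events, or fed by the SIEM.

```powershell
# Added example: detection rules for shadow-copy tampering (MITRE ATT&CK T1490, Inhibit
# System Recovery), evaluated over constructed sample records. Rule names are assumptions.
$Rules = @(
    @{ Name = 'vssadmin delete';      Pattern = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'vssadmin resize';      Pattern = '(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'wmic shadowcopy';      Pattern = '(?i)wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'PowerShell WMI/CIM';   Pattern = '(?i)Win32_ShadowCopy.*(Remove-(Wmi|Cim)(Object|Instance)|\.Delete\(\))' }
    @{ Name = 'wbadmin catalog';      Pattern = '(?i)wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
    @{ Name = 'bcdedit recovery off'; Pattern = '(?i)bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
)

function Test-ShadowCopyTampering {
    # Each input record needs Time, Host, User, ParentImage and CommandLine properties.
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.CommandLine -notmatch $r.Pattern) { continue }

            # Parent-process heuristic: a scripting host or a binary under a user profile
            # launching these commands is far more suspicious than a backup service.
            $sev = if ($e.ParentImage -match '\\(cmd|powershell|pwsh|wscript|cscript)\.exe$' -or
                       $e.ParentImage -match '\\Users\\') { 'High' } else { 'Medium' }

            [pscustomobject]@{
                Time     = $e.Time
                Host     = $e.Host
                User     = $e.User
                Parent   = $e.ParentImage
                Rule     = $r.Name
                Severity = $sev
                Command  = $e.CommandLine
            }
            break   # one alert per event is enough
        }
    }
}

# Constructed sample records (not real telemetry). The first is benign backup activity and
# must not fire; the rest reproduce common ransomware pre-encryption steps.
$Sample = @(
    [pscustomobject]@{ Time = '2024-01-01T02:00:00'; Host = 'FS01'; User = 'SYSTEM'; ParentImage = 'C:\Program Files\BackupVendor\agent.exe'; CommandLine = 'vssadmin.exe create shadow /for=C:' }
    [pscustomobject]@{ Time = '2024-01-01T10:14:03'; Host = 'FS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2024-01-01T10:14:05'; Host = 'FS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'; CommandLine = 'wmic.exe shadowcopy delete' }
    [pscustomobject]@{ Time = '2024-01-01T10:14:06'; Host = 'FS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"' }
    [pscustomobject]@{ Time = '2024-01-01T10:14:08'; Host = 'FS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'bcdedit.exe /set {default} recoveryenabled No' }
    [pscustomobject]@{ Time = '2024-01-01T10:14:09'; Host = 'FS01'; User = 'SYSTEM'; ParentImage = 'C:\Program Files\BackupVendor\agent.exe'; CommandLine = 'vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB' }
)

# Expected: the benign create does not fire; four High alerts from cmd.exe / the Temp
# binary, and one Medium alert for the resize issued by the backup agent.
Test-ShadowCopyTampering -Events $Sample | Format-Table -AutoSize
```

The resize rule is kept even though backup software legitimately resizes shadow storage, because shrinking the storage area to its minimum is a documented way to force Windows to discard snapshots without ever running a delete command; the severity field, not the rule itself, is what separates the two cases.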
