TL;DR
Why Should I Care? Volume Shadow Copies contain a point-in-time snapshot of a system. Therefore, they are a valuable resource offering an opportunity at recovering impacted or deleted files.
What Should I Consider? Ensuring Volume Shadow Copies are enabled within your environment.
Introduction
The Volume Shadow Copy Service (VSS) offers an opportunity to recover files. It creates a point-in-time snapshot of a volume that can be used for the restoration of files and data to a previous state. The VSS feature when enabled performs copies on a set schedule and at certain trigger points such as installing software.
The Value of the VSS
Ensuring the VSS is enabled across all devices within an environment offers great value, especially for cyber security. In certain scenarios dependent on the ransomware variant, having the VSS enabled may even allow an organisation to recover from a ransomware attack. Noting this is rare with most ransomware variants today either deleting volume copies or encrypting the complete virtual disk for servers. Beyond reverting systems to a point-in-time the VSS can contain valuable historical information for forensics post an intrusion. The VSS is definitely valuable during investigations although, is not always guaranteed to be enabled or contain useful information.
The VSS and KAPE
Completing an investigation where a Threat Actor has removed tooling or artefacts can be a challenge. While best practice is to obtain a full disk image during an incident response engagement, sometimes that is not practical. For example, dealing with a large drive where time of recovery pressures are high. KAPE can be used to simplify the mounting, inspection and collection of files within Volume Shadow Copies. All that is required to search all available Volume Copies when executing KAPE via the command line is including the —vss switch.
To collect files that may be present within a Volume Shadow Copy we can use a custom target file by specifying the target folder path. Replace the path value in the KAPE target file with the desired target path then save it as VSSTargetFolder.tkape. Then execute the command string replacing values as required including the —vss switch.
Example KAPE Target File
Description: VSS CollectionAuthor: Invalid userVersion: 1.0Id: 603dcd95-b38a-483f-9dbd-725a36e2ce1eRecreateDirectories: trueTargets: - Name: VSSTargetFolder Category: FileSystem Path: <Path to Directory of Interest> Recursive: trueExample KAPE Execution Command
.\kape.exe --tsource C: --tdest C:\Temp --target VSSTargetFolder.tkape --vssMonitoring
Monitoring for unexpected Volume Shadow Copy deletions can be a solid indicator of ransomware. Additionally, a technique used by Threat Actors to obtain the NTDS.dit (Active Directory Database) can be to leverage a volume shadow copy. Therefore, also monitoring for suspicious volume shadow copy mounting can be an indicator of OS credential dumping. I highly recommend checking out Atomic Red Team to test your detections against the MITRE ATT&CK framework.
Resources
- KAPE Documentation: https://ericzimmerman.github.io/KapeDocs/#!Pages%5C3.-Using-KAPE.md
- 13 Cubed Episode: The Volume Shadow Knows: https://www.youtube.com/watch?v=qYTVRjb7KrI
- Red Canary: It’s all fun and games until ransomware deletes the shadow copies: https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/
- Atomic Red Team: T1490 - Inhibit System Recovery: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md