Messing with Forensic Analysts: Modifying VSS Snapshots

Presented at BSidesLV 2017, July 26, 2017, 3:30 p.m. (25 minutes)

Windows' VSS snapshots are great. The VSS service quietly runs in the background, periodically making snapshots of just about everything on the disk. What happens if you accidentally delete a file? No worries. Pull a (somewhat old) copy out of a snapshot! But what happens if you intentionally delete a file? And write over it 35 times? Well, you can also pull a copy out of a snapshot. Snapshots are a treasure trove of information that people thought was gone. Forensic analysts use the data from them with little concern of tampering because there are no tools available to modify the contents of a snapshot. So, I decided to tamper with them. The snapshots, not the analysts. This talk covers the basics of how VSS snapshots work and their on-disk format from the perspective of a malicious actor. A modified version of libvshadow, an open source VSS library, is presented which adds write support to VSS snapshots. The challenges and limitations experienced when modifying old snapshots are discussed, as well as a demonstration of the tool.

Presenters:

  • James Clawson
    I'm James Clawson and I like messing stuff up. I make things every once in a while too. I enjoy forensics, I love fuzzing, and I consider malware to be art. When not busy driving drunk on the information super highway, I sometimes visit the zoo.
