Tutorial Key Facts
Supported Operating System: Windows 7, Vista
File System Type: NTFS
Last Update: 2014/07/07
Author: Nihad Hassan
The snapshots created by VSS (restore points) are taken at specific times, usually after installing/uninstalling new software or performing a system update. It is difficult to predict the other occasions on which VSS creates a snapshot, but there are conditions for the automatic ones: the system should have been idle for at least 10 minutes, and a portable machine should be running on AC power. When both conditions are met, we can expect a system restore point roughly every two days under Windows Vista and every 7 to 8 days under Windows 7. Of course, you can still create system restore points manually whenever you wish.
It is important to note that a shadow copy is not an image of the entire drive. VSS operates at the block level (below the file system level): it tracks changes to all blocks on the volume, and when data is written to a block, VSS saves a copy of that block into a hidden storage area on the volume (these snapshot contents are read-only). A block that has not changed since the last snapshot is not included in the current snapshot (restore point). VSS is therefore incremental (like the incremental backup concept used for databases): it stores only the modifications made to a file since the last snapshot.
To configure the VSS service under Windows 7, we can access it from System >> Properties >> System Protection.
Through the “Configure” button we can choose to activate the Volume Shadow service, and manage the allocated space and the restore points for each listed volume.
This introduction is necessary to understand how VSS works; now we can explore the potential of VSS snapshots for hiding data or other malicious software.
We can administer VSS using the VSSadmin utility that ships with both Vista and Windows 7. Launch a command prompt and type (VSSadmin) to view the command switches, and type (VSSadmin list volumes) to list all NTFS volumes on your system that are eligible for shadow copies.
The command (VSSadmin list shadowstorage) lets us see the shadow storage and disk usage of our system’s volumes; in my case only the c: volume has VSS enabled.
The command (VSSadmin list shadows /for=c:) lists all existing shadow copies of the specified volume; here I am listing volume c: only. If we use (VSSadmin list shadows) without parameters, it lists the shadow copies of all volumes on our PC.
Here I am showing the most recently created copy among my system snapshots; my c: volume has 6 snapshots (restore points) and this one is the last created.
Now we are ready to explain how we can hide our data or malware inside one of the available restore points. Let us create a new folder on our c: volume and name it TestShadow; I will copy an executable file into this folder (any kind of file is fine).
I have only one file inside my c:\TestShadow folder (mspass.exe). Now I want to hide this file in one of my VSS snapshots, so I need to create a new restore point that captures my newly created file. Go to Control Panel >> System >> System Protection >> System Protection tab >> click “Create”. A new window appears asking you to enter a name for your restore point; I call it “DarknessGateRestorePoint” and click “Create”.
Now I run the (VSSadmin list shadows) command to check that a new restore point has been created.
As we can see from Figure 6, a new restore point was created; now I have 7 restore points on my system.
Let us return to our folder c:\TestShadow; we need to delete the executable mspass.exe from it.
Now my file mspass.exe has been deleted from my computer, but it is still inside my newly created restore point, whose device name is (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7). To access mspass.exe inside my restore point, I need to create a symbolic link to it and save it in a separate folder (RetrievedFiles) in my current working directory, as follows:
We use the DIR command to see the new symbolic link inside our working directory.
We can access the contents of our retrieved volume copy either directly through Explorer or from the command prompt; inside the volume copy, if we browse to the TestShadow folder we can see our file mspass.exe inside it.
After confirming that our hidden file is still there inside our newly created restore point, we can delete the symbolic link pointing back to the volume copy and try to execute the hidden program using the WMIC command.
After executing the above command, our hidden file mspass.exe pops up on the screen, confirming that our work was correct!
We note from Figure 9 that we have replaced the (\\?\) prefix at the beginning of the shadow volume name with (\\.\); WMIC requires the period form to work.
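The listing step (VSSadmin list shadows) and the hide-then-delete procedure above have a natural defender-side counterpart: enumerate every shadow copy, expose it through a temporary directory symbolic link (the same mechanism the tutorial uses to reach the snapshot), and report files that exist in the snapshot but no longer exist on the live volume. A file such as the deleted mspass.exe shows up exactly that way. The script below is an added example written for this page, not code from the original tutorial. It assumes an elevated PowerShell 4 or later session (Get-FileHash), the Win32_ShadowCopy and Win32_Volume CIM classes, and it uses made-up values for the folders to inspect ($PathsToCheck) and for where the temporary links are created ($LinkRoot).

```powershell
# Added example (not from the original tutorial): list files present in a shadow copy
# but missing from the live volume. Run from an elevated PowerShell (4.0 or later).
param(
    # Folders to inspect, relative to the volume root. Example values, not a standard list.
    [string[]]$PathsToCheck = @('TestShadow', 'Users'),
    # Where temporary directory symbolic links are created. Example location.
    [string]$LinkRoot = (Join-Path $env:SystemDrive 'vss-links')
)

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

# Map volume GUID paths (\\?\Volume{...}\) to drive letters so the report is readable.
$driveByVolume = @{}
Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter } |
    ForEach-Object { $driveByVolume[$_.DeviceID] = $_.DriveLetter }

$findings = @()
foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate) {
    $drive = $driveByVolume[$sc.VolumeName]
    if (-not $drive) { continue }                       # skip volumes without a drive letter

    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
    $name = ($sc.DeviceObject -split '\\')[-1]
    $link = Join-Path $LinkRoot $name
    if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }

    # mklink /d needs the trailing backslash on the device object path.
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    if (-not (Test-Path $link)) {
        Write-Warning "Could not link $name (is this session elevated?)"
        continue
    }

    try {
        foreach ($rel in $PathsToCheck) {
            $inSnapshot = Join-Path $link $rel
            if (-not (Test-Path $inSnapshot)) { continue }
            Get-ChildItem -Path $inSnapshot -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    # Translate the snapshot path back to the live path and check it.
                    $relative = $_.FullName.Substring($link.Length).TrimStart('\')
                    $livePath = Join-Path "$drive\" $relative
                    if (-not (Test-Path -LiteralPath $livePath)) {
                        $findings += [PSCustomObject]@{
                            Snapshot  = $name
                            Created   = $sc.InstallDate
                            Missing   = $livePath
                            SizeBytes = $_.Length
                            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        }
                    }
                }
        }
    }
    finally {
        # Remove only the link; the snapshot itself is read-only and untouched.
        cmd /c rmdir "$link" | Out-Null
    }
}

$findings | Format-Table -AutoSize
```

Files reported as Missing are candidates for review, not proof of hiding: normal deletions and uninstalls produce the same pattern, so the hash and the snapshot creation time are what let you tie a finding to a specific event or scan it with your anti-virus engine, which, as the tutorial notes, usually does not look inside shadow copies on its own.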
In summary, we found that we can hide data inside system restore points, and if that data is an executable application we can run it with the WMIC command without creating any symbolic links. Most anti-virus software does not scan volume shadow copies for malware and other security threats. It is important to remember that volume shadow copies are limited in space and time: if you store large files inside them, the system must delete old restore points to make room for newly created ones. However, if your files are small and you are a regular PC user, a restore point may last for at least 5 months under Windows 7, which is more than enough time for a hacker to perform evil actions against your PC.
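Because a program launched from a snapshot, as in the WMIC step above, carries the shadow copy device path in its command line, process-creation auditing records it even when anti-virus ignores the snapshot. The script below is an added example written for this page, not code from the original tutorial: it reads Security event 4688 (process creation) and flags command lines that reference a shadow copy device, covering both the \\?\GLOBALROOT form used for the symbolic link and the \\.\GLOBALROOT form used with WMIC. It assumes an elevated session, that "Audit Process Creation" is enabled, and that the policy "Include command line in process creation events" is on (without it the CommandLine field is empty); the lookback window and the output fields are choices made for this example. The ParentProcessName field is only present on newer Windows versions and is simply blank on Windows 7.

```powershell
# Added example (not from the original tutorial): hunt process-creation events for
# launches that reference a volume shadow copy device path.
param([int]$Hours = 24)   # lookback window, an example default

# Matches both \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN (symbolic link target)
# and \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopyN (the form WMIC accepts).
$pattern = 'HarddiskVolumeShadowCopy\d+|GLOBALROOT\\Device'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML; this is more robust than
    # relying on the numeric order of $ev.Properties.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['CommandLine'] -match $pattern) {
        [PSCustomObject]@{
            Time        = $ev.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Parent      = $data['ParentProcessName']   # empty on Windows 7
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    }
}

if ($hits) { $hits | Format-List } else { Write-Host "No shadow copy references in the last $Hours hours." }
```

A hit on wmic.exe with a \\.\GLOBALROOT path is the launch described in this tutorial; a hit on cmd.exe with mklink and a \\?\GLOBALROOT path is the symbolic link step. Backup and forensic tools legitimately produce the second pattern, so review the user and parent process before acting, and keep the audit policy enabled, since the event is only written when command-line logging is on.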
On The Web:
Wikipedia (online). Shadow Copy. Available at: https://en.wikipedia.org/wiki/Shadow_Copy [Accessed 2014/03/26].
Microsoft TechNet (online). Volume Shadow Copy Service. Available at: http://technet.microsoft.com/en-us/library/ee923636.aspx [Accessed 2014/03/26].
What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista (FAQ). Available at: http://blog.szynalski.com/2009/11/23/volume-shadow-copy-system-restore/ [Accessed 2014/03/27].
Michael Raggo, Chet Hosmer (2013). Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols. Chapter 7. USA: Syngress.