Wednesday, 20 April 2011

A Little Help with Volume Shadow Copies

Posted on 15:15 by Unknown
********** 02/06/12 Update **********

I changed the script since I made this post. For more info refer to the post Ripping VSCs – Practitioner Method.

**********                         **********

This post is about a batch script I wrote to help automate accessing Volume Shadow Copies (VSCs). I'm not going to discuss the forensic value of VSCs or different ways to access them since I couldn't add to what is already out there. For this type of information check out Harlan's Assessing Volume Shadow Copies post including the links he provides (one link is to Troy Larson's presentation slides), Lee Whitfield's Into the Shadows write-up, or the QCCIS whitepaper on recovering data from Volume Shadow Copies (this paper is the source of the for loops in my batch file). The information I can add is discussing a problem I was facing and how I addressed it. Recently, I've been working with VSCs on different volumes in different systems. When accessing the VSCs I found myself doing the same thing over and over again which was:

* Using the vssadmin list shadows command to list the VSCs for a specific volume. At times I'd redirect the command's output to a text file for documentation purposes.

* Changing the for loop with the mklink command to reflect the VSCs I wanted hard links created for.

* Running the for loop with the mklink command to create the hard links.

* Examining the data of interest in the VSCs.

* Changing the for loop with the rd command to reflect the hard links I wanted to delete.

* Running the for loop with the rd command to delete the hard links.

Going through the above process worked fine. However, I wanted a faster way to access the VSCs without always having to make changes to a saved command or batch file. I'd rather just run one script that allowed me to specify what action to take and what VSCs to create links for. So I read a few articles on batch files and this is the solution I came up with to meet my need. I thought a few screenshots would help show the functionality of the script before I posted the code.

Menu appears when batch file is executed

List VSCs selection shows the option to save output to a text file

List VSCs selection prompts for volume to list the VSCs for

List VSCs selection showing that the C volume doesn't have any VSCs

Create links selection prompts for the range of VSCs to create hard links for

Remove links selection prompts for the range of hard links to delete

As the screenshots show, the batch file made things a lot easier and I no longer have to keep changing saved commands or simple batch files. Now I just run a script and specify a few parameters so I can focus on the data I'm after in the VSCs. The text below is the batch file I'm talking about. To create a batch file for yourself, copy the text into a text file and save the file with a .bat extension. It can be run from anywhere on the forensic workstation that's being used to examine the VSCs. Enjoy ...

@echo off
REM Author: Corey Harrell (Journey into IR)
REM The batch file can be executed from anywhere on a computer by double-clicking on it or calling it from the command line.
REM The only change required is the name and location of the links being created. The script uses C:\vsc, so this can be changed for your environment.
REM Note: mklink /j creates a directory junction pointing at the shadow copy device; the post refers to these junctions as hard links.
REM Script starts here ...
REM The goto statement below makes the script process the menu function.
goto :menu
:menu
     REM The menu function allows you to select one of the following: list all of the VSCs for a drive, create links to VSCs, or remove links pointing to VSCs.
     echo Press 1 to list the Volume Shadow Copies on a drive
     echo Press 2 to create hard links to Volume Shadow Copies on a drive
     echo Press 3 to remove hard links to Volume Shadow Copies
     echo Press 4 to exit
     set /p selection=Enter your selection: 
     cls
     REM The if statements below make the script process a specific function based on the selection made.
     REM The values are quoted so the comparison stays valid if Enter is pressed without a selection.
     if "%selection%"=="1" goto :listvsc
     if "%selection%"=="2" goto :makelink
     if "%selection%"=="3" goto :removelink
     REM Selection 4 (or any other input) exits the script through the goto below.
     goto :EOF
:listvsc
     REM The listvsc function lists the Volume Shadow Copies for the selected drive.
     setlocal
     REM The line below lets you save a text file listing the VSCs in addition to displaying them on the screen. This is helpful if the listing of VSCs has to be documented.
     set /p output=Do you want the output to be saved as a text file [y/n] 
     cls
     echo Enter the letter of the drive to list the Volume Shadow Copies for (do not include the colon)
     set /p drive=Enter the drive letter: 
     cls
     REM The if statement below creates a text file listing the VSCs if this option was selected. The output file is created in the folder the batch file is run from.
     if /i "%output%"=="y" (vssadmin list shadows /for=%drive%: > list-vscs.txt)
     vssadmin list shadows /for=%drive%:
     echo The Volume Shadow Copies for the %drive% drive have been listed
     pause
     endlocal
     cls
     REM The goto statement below makes the script loop back to the menu.
     goto :menu
:makelink
     REM The makelink function creates links to the VSCs listed for the selected drive.
     echo Configuring what Volume Shadow Copies to create hard links for
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The vssadmin list shadows command provides the VSC numbers (the number at the end of each HarddiskVolumeShadowCopy path). The start parameter is the first VSC to create a link to, while the end parameter is the last VSC to create a link to.
     set /p start=Enter the VSC number to start with: 
     set /p end=Enter the VSC number to stop at: 
     cls
     REM The script uses c:\vsc for the location and name of the links. The location (c:) and name (vsc) can be changed to whatever you choose.
     for /l %%f in (%start%,1,%end%) do mklink /j c:\vsc%%f \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%%f\
     echo Hard links created for VSC %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu.
     goto :menu
:removelink
     REM The removelink function removes the links to VSCs that were created on the computer.
     echo Configuring the hard links to remove.
     REM The next part of the script sets the variables for the start and end parameters in the for loop.
     setlocal
     REM The start and stop parameters are the numbers in the names of the links.
     set /p start=Enter the number in the name of the hard link to start at: 
     set /p end=Enter the number in the name of the hard link to stop at: 
     cls
     REM The location and name of the links below must match what was used in the makelink function. rd on a junction removes only the link, not the shadow copy data behind it.
     for /l %%f in (%start%,1,%end%) do rd c:\vsc%%f
     echo Hard links removed for link %start% to %end%
     pause
     cls
     endlocal
     REM The goto statement below makes the script loop back to the menu.
     goto :menu
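The batch file links a numeric range of shadow copies, which works as long as the HarddiskVolumeShadowCopy numbers reported by vssadmin are contiguous and all belong to the drive being examined. The PowerShell below is an added example, not part of Corey Harrell's post or script: it parses the free-text output of vssadmin list shadows into objects, keeps only the copies whose Original Volume is the requested drive, creates one junction per copy, and removes the junctions afterwards with rd so that only the link is deleted. The function names and the C:\vsc link root are my assumptions; run it from an elevated PowerShell prompt on the forensic workstation.

```powershell
# Added example (not from the original post). Parses "vssadmin list shadows"
# output so junctions are created only for the shadow copies of the requested
# volume, rather than for a guessed numeric range.
# Assumptions (mine, not from the page): function names, link root C:\vsc.

function ConvertFrom-VssAdminShadows {
    # Turn vssadmin's text output into one object per shadow copy.
    param([Parameter(Mandatory)][string[]]$Lines)
    $copies = @()
    $current = $null
    $created = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^Contained \d+ shadow copies at creation time: (.+)$' { $created = $Matches[1] }
            '^Shadow Copy ID: (\{[0-9A-Fa-f-]+\})$' {
                $current = [pscustomobject]@{ ShadowCopyId = $Matches[1]; Created = $created
                                              OriginalVolume = $null; DevicePath = $null; Number = $null }
                $copies += $current
            }
            '^Original Volume: \(([A-Za-z]:)\)' { if ($current) { $current.OriginalVolume = $Matches[1].ToUpper() } }
            '^Shadow Copy Volume: (\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))$' {
                if ($current) { $current.DevicePath = $Matches[1]; $current.Number = [int]$Matches[2] }
            }
        }
    }
    return $copies
}

function Get-VssShadowCopy {
    # List the shadow copies of one volume (e.g. 'C:'). -SaveTo keeps the raw
    # listing as documentation, like the batch script's text-file option.
    param([Parameter(Mandatory)][string]$Volume, [string]$SaveTo)
    $raw = & vssadmin.exe list shadows "/for=$Volume"
    if ($SaveTo) { $raw | Set-Content -Path $SaveTo }
    ConvertFrom-VssAdminShadows -Lines $raw | Where-Object { $_.OriginalVolume -eq $Volume.ToUpper() }
}

function New-VssJunction {
    # Create C:\vsc<N> -> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\ for each copy.
    # mklink /j creates a junction (what the post calls a hard link); the trailing
    # backslash on the GLOBALROOT target is required.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$ShadowCopy, [string]$LinkRoot = 'C:\vsc')
    process {
        $link = "$LinkRoot$($ShadowCopy.Number)"
        if ($PSCmdlet.ShouldProcess($link, "mklink /j -> $($ShadowCopy.DevicePath)\")) {
            cmd.exe /c mklink /j "$link" "$($ShadowCopy.DevicePath)\"
        }
        [pscustomobject]@{ Link = $link; Target = $ShadowCopy.DevicePath; Created = $ShadowCopy.Created }
    }
}

function Remove-VssJunction {
    # rd on a junction removes the link only, never the shadow copy data.
    # Remove-Item -Recurse is deliberately avoided: on older PowerShell versions
    # it can descend into the junction target.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Link)
    process {
        if ((Test-Path -LiteralPath $Link) -and $PSCmdlet.ShouldProcess($Link, 'rd')) {
            cmd.exe /c rd "$Link"
        }
    }
}

# Usage from an elevated prompt: document the listing, link every copy of C:,
# examine C:\vsc<N>\..., then remove only the junctions.
# $copies = Get-VssShadowCopy -Volume 'C:' -SaveTo '.\list-vscs.txt'
# $links  = $copies | New-VssJunction -LinkRoot 'C:\vsc'
# $links | Format-Table Link, Created, Target
# $links.Link | Remove-VssJunction
```

Both New-VssJunction and Remove-VssJunction support -WhatIf, so the mklink and rd commands can be reviewed before anything is created or removed on the workstation; the Created column from the listing is what ties each junction back to the shadow copy's creation time in the documentation file.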