Brett Shavers | Ramblings

JustAskWeg

NOV 01

Jimmy Weg's blog archive

Posted by Brett Shavers in Digital Forensics, JustAskWeg

Most people in the DF field know or know of Jimmy Weg.  His blog was one of the most popular in the community, but like anyone, Jimmy has retired and will be retiring his blog.  

However, he has offered the blog to be used by anyone until the domain expires.  I know that one DF association (IACIS) will be archiving the blog for its members and Jimmy graciously has allowed me to archive it as well for anyone to use as reference.

Over the next weeks or so, I will be adding each of Jimmy's posts onto my blog, with Jimmy as the author. You will be able to find all his blog posts on my blog, but under the JustAskWeg category (http://brettshavers.cc/index.php/brettsblog/categories/justaskweg). Some of the posts are old, as in two years old, which can be old in the tech world, but the information from those posts, especially those concerning virtualization, should be relevant for more years to come. Jimmy's blog is one of those blogs that are valuable to many folks working in the DF field, and it is my pleasure to host his blog while it is still useful. Thanks to Jimmy!

About Jimmy Weg

OCT 14

Workarounds to Workarounds (and some hints & reminders)

Posted by Brett Shavers in Digital Forensics, JustAskWeg

Every now and then, I get email from readers who have difficulties, and some areas come up more often.  I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests.  Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.

1. Building and booting UEFI/GPT systems and remembering the registry edit

A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8.  Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disks grows.  If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old.  There’s a sample screenshot in the above post.  Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:

GPT Disk

X-Ways Forensics users will receive the answer to the clue without having to guess.  The GPT partitioning style with the four partitions, including the MS reserved partition, means that you have a UEFI system.  The FAT32 partition likely holds your EFI boot data:

EFI

The first reminder is that we usually must edit the registry and at least one user’s password to boot into Windows 8.  Since the beginning of my blog, I described how to build your VM by selecting the option for a SCSI disk in VMware.

scsi

That option required an edit to the registry to enable the LSI SCSI service to start on boot:

LSI SCSI

After mounting our VM, we loaded the target’s System hive into our own registry.  We navigated to the proper control set’s Services key and then to the LSI_SCSI subkey.  There, we edited the Start value’s data to 0x00, as above.

Well, what happens if you find a System hive that looks like this:

SAS

As you can see, there is no LSI_SCSI key.  If you find this to be the case, you have a couple of choices.  You can start over and select the LSI Logic SAS option as in the Virtual Machine Wizard screenshot above that displays the controller types.  Then, edit the registry by setting the first LSI_SAS controller’s Start value data to 0x00.  A quicker alternative is to edit the mounted registry hive and your VMX file by replacing the highlighted line in the next screenshot with the one that follows.  Of course, if you examine the target registry in your forensic tools, you can determine the configuration before you even consider building a VM.

scsi vmx

Replace the above parameter with this one:

SAS vmx

Please don’t forget to insert the firmware = “efi” parameter that I described in earlier posts!  If you edit the VMX and your VM hangs, reboot into the Boot Manager, which you usually can access by pressing F2 a few times during the boot process.  There, just select the virtual VMware Virtual SCSI disk and hit Enter.

Boot manager
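The registry and VMX edits above are one procedure: load the target's System hive, find the current control set, enable whichever LSI controller service the hive actually has, and make the VMX agree with it. The script below is an added example, not Jimmy's code, that carries those steps out in one go. It assumes that the System hive is reachable at a path on the mounted VM disk (`$SystemHivePath`), that the VMX line highlighted in the screenshot is VMware's `scsi0.virtualDev` key (with `lsilogic` for the LSI Logic wizard option and `lsisas1068` for LSI Logic SAS), and that it is run from an elevated prompt.

```powershell
# Added example (not from the original post): prepares a VMware VM built from a
# UEFI/GPT Windows 8 image so that it boots, following the post's steps:
#   1. load the target's SYSTEM hive into the examiner's registry (reg load),
#   2. read Select\Current to find the control set the target boots from,
#   3. use Services\LSI_SCSI if it exists, otherwise fall back to LSI_SAS,
#   4. set that service's Start value to 0 (boot start),
#   5. rewrite the VMX so scsi0.virtualDev matches the enabled service and
#      make sure firmware = "efi" is present.
# Assumptions: $SystemHivePath is the SYSTEM hive on the VM's disk (never the
# evidence image itself), $VmxPath is the VM's .vmx, and the VMX already has a
# scsi0.virtualDev line from the VM wizard. Run from an elevated PowerShell.

param(
    [Parameter(Mandatory)] [string] $SystemHivePath,   # e.g. X:\Windows\System32\config\SYSTEM (assumed path)
    [Parameter(Mandatory)] [string] $VmxPath,          # e.g. C:\VMs\target\target.vmx (assumed path)
    [string] $TempHiveName = 'TargetSystem'            # temporary key name under HKLM
)

# Service subkey in the target hive -> VMware controller type for scsi0.virtualDev
$ControllerForService = @{
    'LSI_SCSI' = 'lsilogic'      # "LSI Logic" in the VM wizard
    'LSI_SAS'  = 'lsisas1068'    # "LSI Logic SAS" in the VM wizard
}

function Enable-BootStartScsiService {
    param([string] $HivePath, [string] $HiveName)

    & reg.exe load "HKLM\$HiveName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        # Select\Current names the ControlSet00N that the target boots from.
        $current  = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
        $services = "HKLM:\$HiveName\ControlSet{0:D3}\Services" -f $current

        # Prefer LSI_SCSI as in the original procedure; fall back to LSI_SAS.
        $chosen = $null
        foreach ($name in 'LSI_SCSI', 'LSI_SAS') {
            if (Test-Path "$services\$name") { $chosen = $name; break }
        }
        if (-not $chosen) { throw "Neither LSI_SCSI nor LSI_SAS exists under $services" }

        $key    = "$services\$chosen"
        $before = (Get-ItemProperty $key).Start
        Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord
        Write-Host ("{0} Start: {1} -> 0 (ControlSet{2:D3})" -f $chosen, $before, $current)
        return $chosen
    }
    finally {
        [gc]::Collect()                                  # drop handles so the unload succeeds
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

function Update-VmxForController {
    param([string] $Path, [string] $Controller)

    $hasFirmware = $false
    $lines = @(foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*scsi0\.virtualDev\s*=') {
            "scsi0.virtualDev = `"$Controller`""        # the highlighted line in the post
        } elseif ($line -match '^\s*firmware\s*=') {
            $hasFirmware = $true
            'firmware = "efi"'                           # UEFI/GPT guests need EFI firmware
        } else {
            $line
        }
    })
    if (-not $hasFirmware) { $lines += 'firmware = "efi"' }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

$service = Enable-BootStartScsiService -HivePath $SystemHivePath -HiveName $TempHiveName
Update-VmxForController -Path $VmxPath -Controller $ControllerForService[$service]
Write-Host "VMX updated: scsi0.virtualDev = $($ControllerForService[$service]), firmware = efi"
```

The hive is unloaded in a `finally` block so a failed lookup does not leave the target's System hive attached to the examiner's registry. The edit is made to the VM's copy of the disk; the evidence image stays untouched.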

2. Password removal

Back here, I described the Windows 8 feature that allows users to log on to their systems with MS Account credentials.  This feature allows both local and online logon.  The required password strength makes a hash attack a little more difficult.  However, the most important thing to remember is that, to gain access to the system, a password is required.  You cannot “blank” the password using tools like the Linux-based boot CD or NTPwedit.  You must change the password.  Although some tools ostensibly allow you to change the password, I’ve found that they fail in that regard.  I still know of only one tool (commercial, but cheap) that works: Reset Windows Password (RWP), which is available at http://www.passcape.com/reset_windows_password and produced by Passcape Software.  I described its use and a UEFI workaround process here.

The workaround arose from the need to edit the password on a UEFI/GPT MS Account system with a tool on a bootable ISO/CD.  In hindsight, I should have suggested a quicker approach, which I will describe here.  As seen in one of the above screenshots, we edited our VMX file to enable the EFI firmware.  Passcape’s RWP is not yet available for use on a bootable UEFI, USB device.  So, if you use RWP or any tool on a bootable ISO, you need to re-edit your VMX as follows:

edit to bios

Once you re-edit the VMX file, you can boot to a non-EFI medium.  Just remember to change it back to EFI thereafter, or your system will not boot to Windows (“operating system not found” message).  I’ll add that RWP also allows you to invoke regedit and several other utilities directly from within the application.

3. Shadow Volumes and Russian Dolls

This is another topic that folks bring up occasionally.  If we mount a shadow volume directly from an image or from an image that we boot in VMware, we’ll find that the shadow volume, itself, contains a System Volume Information (SVI) folder that contains shadow volumes.  Let’s say that we mount a shadow volume that was created on October 1, 2014, and was the earliest shadow volume in our target system.  When we look in the SVI folder of that mounted shadow volume, we may find a shadow volume that was created on September 1, 2014.  Now, it seems logical to assume that we can mount the latter shadow volume and go back in time even further, perhaps to the date when the system first was used.  We can’t.  I’ve tried a few approaches, including running vssadmin against the mapped shadow volume and attempting to boot the mapped shadow volume.  Neither method worked.  I wasn’t able to boot a shadow volume, even by reconstructing a physical disk with that volume.  I also ran this theory by one of the world’s leading Windows forensics experts, Troy Larson, who, not surprisingly, thought about this concept long before I did.  In short, Troy suspected that the shadow volume files and other data within a mounted shadow volume were incomplete and could not be reliably processed by the system.  Remember that shadow volumes really are “difference” files that depend on one another, and inconsistencies in any of them can affect their functionality.

NOTE: I’d like to direct readers to the comment posted by Joachim Metz.  He’s done a great job of documenting shadow volumes and provided a link to a paper that he published.  His comment and paper may provide the precise answer.

For those who want to play around with UEFI, VMware has a preview edition available that affords some undocumented (buggy) enhancements, so be careful if you give it a shot.  That’s all for now.

MAY 10

A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Posted by Brett Shavers in Digital Forensics, JustAskWeg

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Windows 7 variety (VHD).  Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is to access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).

AIM1

Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note that AIM handles 4KB (and other) sectors.

aim options

AIM2a

After I click OK, AIM presents the mounted disk as Drive 10 in my system (above and in the next screenshot), which we then can find in Explorer as well as in Disk Manager.  Note that Disk Manager reports the pseudo disk as it does every other disk, but indicates that it is read only.  In case you haven’t looked or noticed it before, mount an image with another tool and compare Disk Manager’s findings with an AIM-mounted image.

AIM3

Next, let’s access shadow volumes without using virtual machines or any other steps outside of our host system (mine is Windows 8).  As you’ve seen in one of the screenshots, our mounted image’s system volume was mapped to Drive M. The next demo is a video, which presents how we can enumerate the shadow volumes on Drive M.

[video]

Again, you can try that with another image mounter to see the distinction.  Now, we’ll map one of the shadow volumes with Dan Mares’s VSS, which is a tool that I’ve mentioned frequently in my blog. The basics of VSS can be found here, among other posts.  You can pick up VSS free at http://www.maresware.com/.  The next video demonstrates VSS.

[video]

At this point, we can work with Drive P as we can with any logical volume.  We can open the volume in most forensics tools or image the logical volume if we wish.  Remember, too, that an alternative to mapping a shadow volume to a drive letter is to create a symbolic link to the volume.  The next screenshot shows how this is done.  We’ll create a link to Shadow Volume 13 in the aaa directory.  Remember to add the trailing backslash in the syntax, after the ShadowCopy number.

mklink

While I’m talking about Symlinks, it’s important to note that Windows uses them in various places on our systems.  For example, \Users\All Users is a SymLink to \ProgramData on the active system partition.  If, for example, we open Users\All Users on our mapped shadow volume (P) and open ProgramData on our host system, we can see that their contents are the same:

symlinks

This will happen whether you map the shadow volume to a drive letter or create a SymLink.  Needless to say, this can lead to some misinterpretations during an exam.  However, if you open the mapped shadow volume in a forensic tool, at least with X-Ways Forensics, the SymLink issue will be ignored.
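The steps from enumerating the shadow volumes on the AIM-mounted volume through to the mklink trick, and the SymLink caveat just described, can be done from one script. What follows is an added example, not code from the post or from Arsenal or Dan Mares: it lists the shadow copies that belong to a mounted volume, links one of them into a directory with the trailing backslash that mklink needs, and then lists the reparse points inside the linked shadow volume so that host-resolving paths such as Users\All Users are known before the exam starts. It assumes the AIM-mounted system volume is M:, the link directory C:\aaa already exists, and the host runs PowerShell 5.1 or later (for `-Depth` and the `Target` property on links).

```powershell
# Added example (not from the original post): shadow copies of an AIM-mounted
# volume, linked with mklink /D, plus a listing of symbolic links and junctions
# inside the linked shadow volume. Run from an elevated PowerShell; both
# Win32_ShadowCopy and mklink /D need administrator rights.

function Get-ShadowCopyForDrive {
    param([Parameter(Mandatory)] [string] $DriveLetter)   # e.g. 'M:' (the AIM-mounted system volume)

    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form; Win32_Volume maps
    # the drive letter to that DeviceID.
    $volume = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$DriveLetter'"
    if (-not $volume) { throw "No volume mounted at $DriveLetter" }

    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, DeviceObject
    # Command-line equivalent used in the post's comments:  vssadmin list shadows /for=M:
}

function New-ShadowCopyLink {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13
        [Parameter(Mandatory)] [string] $LinkPath        # e.g. C:\aaa\sv13 (assumed directory)
    )
    # The trailing backslash after the ShadowCopy number is required; without it
    # the link is created but cannot be browsed.
    $target = $DeviceObject.TrimEnd('\') + '\'
    & cmd.exe /c mklink /D "$LinkPath" "$target" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $LinkPath -> $target" }
    return $LinkPath
}

function Find-ReparsePoints {
    param([Parameter(Mandatory)] [string] $Root, [int] $Depth = 2)

    # Symbolic links and junctions inside the shadow volume (e.g. Users\All Users
    # -> ProgramData) resolve on the examiner's host, not in the evidence.
    # Listing them up front avoids attributing host data to the target.
    Get-ChildItem -Path $Root -Recurse -Depth $Depth -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, @{ n = 'Target'; e = { @($_.Target) -join ';' } }
}

# --- usage -------------------------------------------------------------------
$copies = Get-ShadowCopyForDrive -DriveLetter 'M:'
$copies | Format-Table -AutoSize

# Link the oldest shadow copy into C:\aaa, named after its ShadowCopy number.
$oldest = $copies | Select-Object -First 1
$number = ($oldest.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
$link   = New-ShadowCopyLink -DeviceObject $oldest.DeviceObject -LinkPath "C:\aaa\sv$number"

# Reparse points in the linked shadow volume; anything listed here is not evidence.
Find-ReparsePoints -Root $link | Format-Table -AutoSize
```

The link is made with `cmd /c mklink /D`, as in the screenshot, rather than `New-Item -ItemType SymbolicLink`, so that the trailing-backslash rule is exercised exactly as the post describes it. Opening the linked volume in a forensic tool that ignores reparse points, as noted above for X-Ways Forensics, sidesteps the problem; the listing is for the cases where Explorer or a command prompt is used instead.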

Now, let’s return to VHDX files briefly.  At this time, a number of forensic tools can’t access that file format.  If you encounter one, it likely will be a system image backup on a Win 8 image.  To give most tools access to your VHDX file, mount the Win 8 image file in a Win 8 host with AIM.  The next video follows the process:

[video]

Note that this works when you mount your VHDX-host image with AIM.  It likely will not work with other imagers that don’t allow Disk Manager to have access to the mounted image.  While you can copy the VHDX from your image to a Win 8 host, it’s unnecessary if you have AIM.  Another option is to create a VM from your Win 8 image, mount the VHDX therein, and access the mounted VHDX file with X-Ways Forensics from a thumb drive.  When you’re done, right-click the mounted VHDX in Disk Manager and opt to detach the disk.  Bear in mind that Win 7 will not mount a VHDX file.

  1. Dave Reid

    February 3, 2015 at 9:38 am

    Hi Jimmy,

    I have a multi-part E01 file and no matter what way I try to mount it with AIM, raw or multi-part raw, I get a virtual drive of 4GB in size. This coincidentally is the size of the E0 segments. The E0 files were created with compression and I wonder if this is the issue.

    dave

    Reply

    • jimmyweg

      February 3, 2015 at 9:48 am

      It’s not the compression. If you’re using AIM, can you not just get to the shadow volumes in your host system without a VM? Does the disk appear in Windows Disk Manager?

      Reply

      • Dave Reid

        February 3, 2015 at 10:19 am

        Jimmy,

        Think we have crossed wires somewhere. I cannot get AIM to recognize any disk image with an E0 format. I have now tried several and the resultant disk offered as mounted is only the size of the first E0 file, either 2GB or 4GB dependent on how the original image was taken. When I check the mounted drive in disk management the disk is unallocated and uninitialized and is specified at the same 2GB or 4GB size. I’m not sure I get your comment about VMs as I am not running one. The article above seemed to be about accessing an image without any mention of VMs.

        Sorry if I’m being a bit dense.

        Dave

        Reply

        • Dave Reid

          February 3, 2015 at 11:19 am

          Jimmy,

          Said it was a bad day. I have now found the additional libewf libraries to get the mount to work properly and disk management now functioning. For anyone else having the same mounting problem the link you need is

          https://github.com/ArsenalRecon/Arsenal-Image-Mounter/archive/master.zip

          Simply extract out the mount ewf folder to the same location as the AIM tool and you are away.

          Cheers.

          Dave.

          Reply

  2. Thierry_Fr

    July 7, 2014 at 1:09 pm

    Thanks Mr Weg for your very interesting posts and work.
    Thanks to you, I discovered two great tools to work with VSS. Strangely, when I mounted the VSS with “vss.exe” it didn’t appear in Explorer or X-Ways like a new hard drive. I tried with a volume image; I’ll try with a real disk image to see if that makes a difference.

    Reply

    • jimmyweg

      July 7, 2014 at 2:10 pm

      Thanks for writing. The mounted shadow volume will appear in Explorer and in X-Ways as a volume and not as a disk. You simply can add the mounted volume to XWF.

      Reply

      • Thierry_Fr

        July 8, 2014 at 11:54 am

        Thanks for your quick answer. In fact the VSS doesn’t appear at all. I will make a few more tests and make a return.

        Reply

        • jimmyweg

          July 8, 2014 at 2:27 pm

          If you’re running VSS correctly, it will identify the volume letter that it assigned to the SV. Hence, the SV will have mounted and be visible in Explorer/XWF. I’m guessing that you’re not actually mounting the SV.

          Reply

  3. MC

    June 25, 2014 at 10:01 am

    Thanks for the post Jimmy! I was looking forward to trying this out. However, I didn’t get very far…

    I am able to use AIM to mount my E01 image (although the volumes appear as “Removable Drives” for some reason). But, when I try to list the shadow copies with vss, I get a message stating “No items found that satisfy the query” and no shadow volumes are listed. I can see from the image file that the volume contains shadow copies. I’ve tried it with 3 different image files now, all with the same results.

    Does this have anything to do with a permissions issue in Windows 7?

    I’m sure that I’m doing something wrong, but I’m kind of stuck here…

    Thanks

    Reply

    • jimmyweg

      June 25, 2014 at 10:54 am

      Thanks for writing, Meghan. I think it’s a permissions issue. Are you running vssadmin as Admin? You should. I’m not sure what you mean by the mounted image appearing as a removable drive. It should show up in Disk Manager as a physical disk with volumes.

      Reply

      • MC

        June 25, 2014 at 11:33 am

        Jimmy,
        Thanks for the quick reply. I am running vssadmin as Administrator. The volumes are mapped in Disk Management. For what it’s worth, when I use the command to “List Volumes,” it only shows me my local volumes (not the newly mounted volumes). But, I can’t even list the shadow volumes for my local drives either.

        Thanks

        Reply

        • jimmyweg

          June 25, 2014 at 12:25 pm

          Just to be sure we’re on the same page, the syntax is “vssadmin list shadows /for=x:” where “x” is the logical volume that contains the target SVs. Are you sure that the SVs on your target are existing files, and not previously existing files that your forensic tool reports (but Windows would not)?

          Reply

          • MC

            June 25, 2014 at 12:54 pm

            Using the syntax vssadmin list shadows /for=. The SVs on the target are existing files, although there are some previously existing files as well. I also ran my 3 images through IEF and it recovered data from the SVs.

          • jimmyweg

            June 25, 2014 at 2:53 pm

            Well, I’m not sure what’s up at this point. Can you enumerate SVs on your own system with vssadmin? If there are none (system protection off), turn on system protection, create one, and run a test. The “No items found that satisfy the query” usually means none exist or maybe no permission.

          • MC

            June 26, 2014 at 9:29 am

            Thanks Jimmy. Getting closer. I was able to create one on my system and subsequently see it using vssadmin. But for some reason, I can’t see any from my mounted images. I also don’t see any when I choose the option to ‘Restore previous versions’ from the right-click menu in Windows, even though I see there are shadow copies. Not sure what’s going on…

          • jimmyweg

            June 26, 2014 at 3:32 pm

            Are you logged on as Admin to your host machine? I know that you are running vssadmin as Admin. If you have a VM of a Win 7 system (SEAT), add the mounted disk to that VM as a physical disk (there’s instructions on the blog). Then run vssadmin in the VM, targeting the added disk’s volume. It’s also possible that your SV structure is corrupt. Have you tried other mounted image files? If the issue arises in more than the one image, I think that the issue has to be with your system.

  4. Preston Farley

    June 8, 2014 at 8:19 pm

    Jimmy,

    Thanks for the great post and for all you’ve given to the community over the years. I’ve been lurking your posts and attempting to learn from them for a long time now. BTW, the hyperlink for AIM is printed properly in your article, but it is missing a colon when you click on it, in case that was not intentional.

    Thanks again for all that you do.
    ~bina computationem pro justitia

    Reply

    • jimmyweg

      June 10, 2014 at 1:32 pm

      Thanks for your kind words, Preston. The link should have worked as it was, but I fixed it now with a TinyUrl.

      Reply

  5. Luigi Ranzato

    June 4, 2014 at 5:37 am

    Hi Jimmy,
    thanks for the post, very useful for me;
    Yesterday I tried the extraction operations, but not all goes right.

    In particular:
    1) Mounting with arsenal imager was OK;
    2) Automounting with vss.exe was OK;
    3) but, when I used FTK imager for ramdisk extraction, it has been stopped by “windows defender” while trying extraction a probable malware.

    So, FTK imager has been stopped by “windows defender” and I assume that for a total extraction, I need to use a VM without any protections.

    Reply

    • jimmyweg

      June 4, 2014 at 8:35 am

      Thanks for writing, Luigi. I’ve disabled Windows Defender, and I think that you should do so. I don’t think it’s necessary for what you’re doing. Maybe you can write an exception for FTKI in Defender. I know that my antivirus doesn’t affect this operation.

      Reply


© 2022 Brett Shavers