BSidesLV 2017 has ended
Wednesday, July 26 • 15:30 - 15:55
Messing with Forensic Analysts: Modifying VSS Snapshots

Windows' VSS snapshots are great. The VSS service quietly runs in the background, periodically making snapshots of just about everything on the disk.
What happens if you accidentally delete a file? No worries. Pull a (somewhat old) copy out of a snapshot!
But what happens if you intentionally delete a file? And write over it 35 times? Well, you can also pull a copy out of a snapshot.
Snapshots are a treasure trove of information that people thought was gone. Forensic analysts use the data from them with little concern of tampering because there are no tools available to modify the contents of a snapshot. So, I decided to tamper with them. The snapshots, not the analysts.

This talk covers the basics of how VSS snapshots work and their on-disk format from the perspective of a malicious actor. A modified version of libvshadow, an open source VSS library, is presented which adds write support to VSS snapshots. The challenges and limitations experienced when modifying old snapshots are discussed, as well as a demonstration of the tool.


James Clawson

I'm James Clawson and I like messing stuff up. I make things every once in a while too. I enjoy forensics, I love fuzzing, and I consider malware to be art. When not busy driving drunk on the information super highway, I sometimes visit the zoo.

Wednesday July 26, 2017 15:30 - 15:55 PDT
Proving Ground (Florentine G) 255 E Flamingo Rd, Las Vegas, NV 89169