Renzik Can Now See His Shadow!

markmckinnon, 4 min read, Aug 4, 2017

For my 30th plugin I wanted to do something special. Since this will also be the 12th plugin I have submitted to the OSDFCon Autopsy Plugin competition this year, that should be something special as well. What I decided to do was create a plugin that parses the Volume Shadows of an image, extracts the changed files, loads them as a new data source and creates an extracted content view for each Volume Shadow. The data extracted from each Volume Shadow is only the data that changed, not the whole volume.

Below are screenshots of what the plugin looks like and what its output looks like.

Ingest Module Selection For Volume Shadow

The above screenshot shows what the ingest module looks like. At this point there are no options to pick. In the future there may be options if users think it would be better to break the process/extract step into two separate processes instead of one.

Volume Shadow Data Source View

In the above screenshot you can see what the data source view of the Volume Shadow looks like. After a Volume Shadow has been extracted it is added as a local file data source. The local file data source uses the following naming scheme: <Volume Shadow Number> — <Volume Identifier> — <Volume Create Date>. As you can see, the metadata for the files does not exist; this is what happens when you add local files. You should now be able to run other plugins against this data source.

Volume Shadow Extracted Content View

The above screenshot shows the extracted content for each Volume Shadow. The extracted content name uses the same format as the Volume Shadow data source name so that you can match them up. This is where you will find the metadata for each file that was extracted.

That is what the plugin output looks like. Now let's talk about the back end and what happens there.

The plugin calls an external program that uses the DFVFS (Digital Forensic Virtual File System) framework to get the Volume Shadow data. For each Volume Shadow that is found it exports the metadata for every file and stores it in a SQLite database. After all the Volume Shadows have been processed it compares the metadata of each file between shadows and keeps only the files that changed. I did it this way for speed: by comparing metadata rather than file hashes I do not have to extract and hash each file to see whether it changed. Once all the changes have been identified, the files are extracted to the ModuleOutput\vss directory in the Autopsy case directory. Each Volume Shadow gets its own directory there, alongside the SQLite database and a file named bad_files.log that lists any Volume Shadow files that could not be extracted.

Once the external program has completed, each Volume Shadow directory is added back into Autopsy as a new data source. After each data source has been added, an extracted content view is created with the same name as the data source. The extracted content view holds all the metadata associated with each file in the Volume Shadow that was identified as changed.

One thing to note is that this plugin may run for a while. How long it runs depends on the size of the Volume Shadows, the number of Volume Shadows and the size of the volume. Also, if you are running Autopsy in single user mode, which uses SQLite, you may want to change the journal mode from the default to WAL; this speeds up adding data to the database. To make this change, open the SQLite database and execute the following command: “Pragma journal_mode=wal;”.
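As an added illustration of the two back-end steps described above (not code from the plugin itself), here is the metadata comparison reduced to one SQLite query, plus the journal-mode switch. The table layout, column names and sample rows are my own assumptions; in the real plugin the rows would come from walking each shadow with DFVFS. The comparison is metadata-only, so a file rewritten in place with the same size and timestamp would not be flagged, which is the trade-off the post accepts for not hashing every file.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample metadata (shadow_id, path, size, mtime); the values are
# made up for this example and stand in for a per-shadow DFVFS walk.
SAMPLE_ROWS = [
    (1, r"\Users\alice\notes.txt", 120, 1500000000),
    (1, r"\Windows\System32\drivers\etc\hosts", 824, 1400000000),
    (1, r"\Users\alice\old.docx", 9000, 1450000000),
    (2, r"\Users\alice\notes.txt", 180, 1500100000),              # size and mtime changed
    (2, r"\Windows\System32\drivers\etc\hosts", 824, 1400000000),  # unchanged
    (2, r"\Users\alice\new.docx", 4000, 1500200000),              # only in shadow 2
]

# Assumed schema: one row per (shadow, file) so shadows can be joined on path.
SCHEMA = ("CREATE TABLE vss_files (shadow_id INTEGER, path TEXT, size INTEGER, "
          "mtime INTEGER, PRIMARY KEY (shadow_id, path))")


def enable_wal(conn: sqlite3.Connection) -> str:
    """The journal-mode change the post recommends; returns the mode SQLite
    actually selected ('wal' for a file-backed DB, 'memory' for :memory:)."""
    return conn.execute("PRAGMA journal_mode=wal;").fetchone()[0]


def load_metadata(conn: sqlite3.Connection, rows) -> None:
    """Store the per-shadow metadata dump."""
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO vss_files VALUES (?, ?, ?, ?)", rows)
    conn.commit()


def changed_files(conn: sqlite3.Connection, older: int, newer: int) -> List[Tuple[str, str]]:
    """Files worth extracting from shadow `newer`: absent from `older`, or
    present with a different size or mtime. No file content is read."""
    sql = """
    SELECT n.path,
           CASE WHEN o.path IS NULL THEN 'added' ELSE 'modified' END
    FROM vss_files AS n
    LEFT JOIN vss_files AS o ON o.shadow_id = ? AND o.path = n.path
    WHERE n.shadow_id = ?
      AND (o.path IS NULL OR o.size != n.size OR o.mtime != n.mtime)
    ORDER BY n.path
    """
    return [(path, reason) for path, reason in conn.execute(sql, (older, newer))]


def demo(db_path: str = ":memory:") -> List[Tuple[str, str]]:
    """Load the constructed rows and list what changed from shadow 1 to 2."""
    conn = sqlite3.connect(db_path)
    enable_wal(conn)
    load_metadata(conn, SAMPLE_ROWS)
    return changed_files(conn, 1, 2)
```

Point `demo()` at a file path instead of `:memory:` to see `enable_wal` report `wal`; a file only present in the older shadow (old.docx here) is a deletion and never appears in the extract list.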

Well, that is it. You can find the module here. If you have any issues or suggestions please leave a comment. All comments are encouraged and welcome.
