“You can get anything back from a computer, can’t you? Even the deleted stuff!”
I get that a lot, and tend to respond, “Pretty much.” My lawyer side wants to add, “but it depends.” Like most in computer forensics, I tend to downplay the challenges and uncertainties of data recovery, not so much to promote forensic examination as to discourage data destruction. Until a forensic examiner processes the evidence, it’s hard to say whether we can recover particular deleted data; but dollars-to-diamonds, a forensic exam will shed light on the parties and issues.
Lately, the likelihood of recovering deleted files on late-model Windows systems has gone way, way up, even if the data’s been thoroughly flushed from the Recycle Bin. Microsoft has been gradually integrating a feature called Volume Snapshot Service (a/k/a Volume Shadow Copy Service) into Windows since version XP; but until the advent of Windows 7, you couldn’t truly say the implementation was so refined and entrenched as to permit the recovery of anything a user deletes from a remarkable cache of data called Volume Shadow Copies.
Volume shadow copies are old news to my digital forensics colleagues, but I suspect they are largely unknown to the e-discovery community. Though a boon to forensics, volume shadow copies may prove a headache in e-discovery because their contents represent reasonably accessible ESI; that is, much more potentially probative evidence that you can’t simply ignore. So, for heaven’s sake, don’t tell anybody. 😉
I recently returned from presenting my Computer Forensics Jeopardy program at the HTCIA’s annual meeting and training conference in Palm Springs, CA. The HTCIA is the High Technology Crime Investigation Association, boasting the largest membership of computer forensic examiners. The training options offered are always pretty good, but the best reason to attend is the exchange of information that occurs in the bars, lounges and pool areas. The chance to let your hair down with colleagues and share new ways to get to the digital evidence is invaluable. If I come away with a nugget or two, it’s worth the time and travel.
This year some of my best nuggets came from Brandon Fannon and Scott Moulton. Scott was my instructor when I traveled to Atlanta several years ago to study extreme data recovery techniques like hard drive head replacements and platter swaps. Scott is a pioneer in making mere mortals privy to the deepest, darkest secrets of data resurrection.
Sitting around a fire pit on a beautiful desert night afforded me the chance to pick their brains on preferred approaches to processing volume shadow copies in forensic exams. Accessing shadow copy data is easy on a live machine–the user can roll back in a few clicks using the Previous Versions feature–but it’s harder for an examiner working from a static image of the drive. This is an introductory treatment of the topic, so I’ll leave discussion of those emerging techniques to a later post.
What you need to know now is that much of what you might believe about file deletion, wiping and even encryption goes out the window when a system runs any version of Windows 7 or Vista Business, Enterprise or Ultimate editions. Volume Shadow Copies keep everything, and Windows keeps up to 64 volume shadow copies, each made at (roughly) one week intervals for Windows 7 or daily for Windows Vista. These aren’t just system restore points: volume shadow copies hold user work product, too. The frequency of shadow copy creation varies based upon multiple factors, including whether the machine is running on A/C power, CPU demand, user activity, volume of data needing to be replicated and changes to system files. So, the 64 “weekly” shadow volumes could represent anywhere from two weeks to two years of indelible data.
How indelible? Consider this: most applications that seek to permanently delete data at the file level do it by deleting the file, then overwriting its storage clusters. Those clusters still hold the file’s contents, but the deletion has tagged them as “unallocated clusters,” meaning they are no longer allocated to the storage of any file within the Windows file system and are available for reuse. But, the Volume Shadow Copy Service (VSS) monitors both the contents of unallocated clusters and any subsequent efforts to overwrite them. Before unallocated clusters are overwritten, VSS swoops in and rescues the contents of those clusters like Spiderman saving Mary Jane.
These rescued clusters (a/k/a “blocks”) are stored in the next created volume shadow copy on a space-available basis. Thus, each volume shadow copy holds only the changes made between one shadow copy’s creation and the next; that is, it records only differences in the volume on a block basis, in much the same way that incremental backup tapes record only changes between backups, not entire volumes. When a user accesses a previous version of a deleted or altered file, the operating system instantly assembles all the differential blocks needed to turn back the clock. It’s all just three clicks away:
- Right click on file or folder for context menu;
- Left click to choose “Restore Previous Versions;”
- Left click to choose the date of the volume.
It’s an amazing performance…and a daunting one for those seeking to make data disappear.
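As an added illustration that is not part of the original post, here is how an examiner on a live Windows 7 or Vista machine might script the same walk through previous versions from an elevated PowerShell prompt: enumerate every shadow copy, expose each one as a folder, and record the size, timestamp and hash of each surviving version of one document. The document path and the link folder are constructed sample values, and the session must be elevated for both the WMI query and mklink to succeed.

```powershell
# Added example (not from the post): list every previous version of one file
# held in the Volume Shadow Copies of a live machine. Run elevated.
$Target = 'Users\jdoe\Documents\contract.docx'   # constructed sample path, relative to the volume root
$Mount  = 'C:\vss_mount'                          # hypothetical link folder; must not exist beforehand

# SHA-256 lets the examiner tell genuinely different versions from identical copies.
$sha     = [System.Security.Cryptography.SHA256]::Create()
$results = @()

# Win32_ShadowCopy exposes each snapshot with its creation time and device object.
foreach ($sc in (Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate)) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # the trailing backslash is required for mklink to expose the snapshot as a folder.
    cmd /c mklink /d $Mount "$($sc.DeviceObject)\" | Out-Null
    try {
        $path = Join-Path $Mount $Target
        if (Test-Path -LiteralPath $path) {
            $f      = Get-Item -LiteralPath $path
            $stream = [System.IO.File]::OpenRead($f.FullName)
            try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $stream.Close() }
            $results += New-Object PSObject -Property @{
                Snapshot = $sc.ConvertToDateTime($sc.InstallDate)   # when this shadow copy was taken
                Volume   = $sc.VolumeName
                Modified = $f.LastWriteTime                          # the file's own timestamp in that snapshot
                Size     = $f.Length
                SHA256   = $hash
            }
        }
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot behind it.
        cmd /c rmdir $Mount | Out-Null
    }
}

# One row per snapshot in which the document (or an earlier version of it) still exists.
$results | Sort-Object Snapshot | Format-Table Snapshot, Modified, Size, SHA256 -AutoSize
```

Snapshots in which the file never existed or had already been deleted before the snapshot was taken simply produce no row, so an empty table means the shadow copies on that volume hold no version of the document.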
From the standpoint of e-discovery, responsive data that’s just three mouse clicks away is likely to be deemed fair game for identification, preservation and production. Previous versions of files in shadow volumes are as easy to access as any other file. There’s no substantial burden or collection cost for the user to access such data. But, as easy as it is, I expect few (if any) of the EDD collection tools or protocols have been configured to identify, grab or search the previous versions in volume shadow copies. It’s just not a part of vendor work flows yet.
Ask your e-discovery service provider about it, and pray they reply, “Don’t fret about that. We haven’t run into any Vista or Win 7 machines in your cases, but we’ll come up with something before we do.” What’s the hurry, after all? Win7 and Vista only run nearly half of all computers in the world!
If your vendor or expert says, “volume shady whatzit?” avoid eye contact, back away slowly, then run like hell!
Doubtless, there will be situations where identification, collection and search of previous versions of responsive documents in VSS is excessive in scope and disproportionate to the case; but, there are plenty of instances where deleted documents or prior versions are relevant and material–where these volume shadow copy versions are the smoking guns. Right now, only forensic examiners acknowledge them, and not universally. The question we in e-discovery face as we increasingly process machines running operating systems with the volume shadow snapshot service is this: Can we risk pretending that evidence that’s instantly available on three mouse clicks is not reasonably accessible?
If I know about VSS, and now you know about VSS, how long until the other side gets wise?
Rick Stieghorst said:
I was HOPING you were going to share some of those tidbits you learned!