Volume Shadow Copies (VSS)
Location
System Volume Information (accessed via vssadmin or mklink)
Description
Point-in-time volume snapshots created by Windows Volume Shadow Copy Service for System Restore, backup, and application use. Contains complete copies of files and registry hives as they existed at snapshot creation time.
Forensic Value
VSS snapshots are forensic gold because they preserve the state of files and registry hives from before the attack. Comparing the registry hives in a pre-attack snapshot with the live hives shows exactly which persistence entries (Run keys, services, scheduled tasks) the attacker added. Malware samples that were deleted from the live volume may still exist in an older shadow copy. Ransomware routinely tries to delete shadow copies before encrypting (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog); if that step fails or is blocked, encrypted files can potentially be recovered from the surviving snapshots, so check for them before assuming backups are the only recovery path.
Tools Required
vssadmin, mklink (cmd.exe), vshadowmount (libvshadow), KAPE
Collection Commands
vssadmin
vssadmin list shadows
cmd
mklink /d C:\vss_mount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
vshadowmount (libvshadow; for offline images, exposes each snapshot as vss1, vss2, ... under the mount point)
vshadowmount <image_file> /mnt/vss/
vshadowmount -o <partition_offset_in_bytes> <image_file> /mnt/vss/   (full-disk image: point it at the NTFS volume)
KAPE
kape.exe --tsource C: --tdest C:\output --target VSSFiles --vss
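The mklink method above, carried through end to end as an added example (not code from the original page or from KAPE): enumerate every shadow copy on a live host, link each one, copy the SYSTEM and SOFTWARE hives out of it with a SHA-256 record for the custody log, then diff the HKLM Run/RunOnce entries of the oldest snapshot against the live registry to surface persistence added after the snapshot. The output directory C:\vss_out, the C:\vss_mount<N> link names and the HKLM\VSS_SOFTWARE load point are assumptions for illustration; it must run from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original page. Requires an elevated prompt.
# C:\vss_out, C:\vss_mount<N> and HKLM\VSS_SOFTWARE are assumed names, not from the page.
#Requires -RunAsAdministrator

$OutRoot  = 'C:\vss_out'
$Manifest = Join-Path $OutRoot 'manifest.csv'
New-Item -ItemType Directory -Force -Path $OutRoot | Out-Null

# Win32_ShadowCopy carries the same records as `vssadmin list shadows`, already parsed:
# DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path mklink needs.
$Shadows   = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$Collected = @()

foreach ($s in $Shadows) {
    $n    = ($s.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $Link = "C:\vss_mount$n"
    # The trailing backslash on the device path is required or the link will not resolve.
    cmd.exe /c mklink /d $Link ($s.DeviceObject + '\') | Out-Null
    if (-not (Test-Path $Link)) { Write-Warning "could not link $($s.DeviceObject)"; continue }

    $Dest = Join-Path $OutRoot ('vsc{0}_{1:yyyyMMdd_HHmmss}' -f $n, $s.InstallDate)
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    foreach ($Hive in 'SYSTEM', 'SOFTWARE') {
        $Src = Join-Path $Link "Windows\System32\config\$Hive"
        if (-not (Test-Path -LiteralPath $Src)) { continue }
        $Copy = Join-Path $Dest $Hive
        Copy-Item -LiteralPath $Src -Destination $Copy
        # Hash at collection time so later integrity checks have a reference value.
        [pscustomobject]@{
            File      = $Copy
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $Copy).Hash
            ShadowId  = $s.ID
            SnapTime  = $s.InstallDate.ToString('o')
            Collected = (Get-Date).ToString('o')
        } | Export-Csv -Path $Manifest -Append -NoTypeInformation
    }
    $Collected += $Dest
    cmd.exe /c rmdir $Link | Out-Null      # remove the link, not the snapshot
}

# Run/RunOnce entries beneath a registry root (HKLM:\SOFTWARE for the live hive, or a
# snapshot hive loaded under a temporary key), normalised so both sides compare directly.
function Get-RunEntries([string]$Root) {
    $Meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($Sub in 'Run', 'RunOnce') {
        $Key = "$Root\Microsoft\Windows\CurrentVersion\$Sub"
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($p in $Props.PSObject.Properties | Where-Object { $_.Name -notin $Meta }) {
            [pscustomobject]@{ Key = $Sub; Name = $p.Name; Value = [string]$p.Value }
        }
    }
}

if ($Collected.Count -gt 0) {
    $Oldest = Join-Path $Collected[0] 'SOFTWARE'
    # A hive copied out of a snapshot is never locked, so reg.exe can load it directly.
    reg.exe load HKLM\VSS_SOFTWARE $Oldest | Out-Null
    try {
        $Seen = @{}
        foreach ($e in (Get-RunEntries 'HKLM:\VSS_SOFTWARE')) {
            $Seen["$($e.Key)|$($e.Name)|$($e.Value)"] = $true
        }
        # Anything in the live registry that the snapshot did not have was added after it.
        Get-RunEntries 'HKLM:\SOFTWARE' |
            Where-Object { -not $Seen["$($_.Key)|$($_.Name)|$($_.Value)"] } |
            Format-Table Key, Name, Value -AutoSize
    } finally {
        [gc]::Collect()                    # release provider handles before unloading
        reg.exe unload HKLM\VSS_SOFTWARE | Out-Null
    }
}
```

The same Get-RunEntries function works against any copied hive, so the diff can be repeated against each snapshot in turn to bracket when an entry first appeared; the manifest.csv rows give the snapshot creation time and the collection hash needed for the custody record.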
Collection Constraints
- Availability and retention depend on whether System Protection (VSS) is enabled for the volume, the shadow storage quota (vssadmin list shadowstorage), the Windows release and SKU, and whether snapshots were deleted by the attacker or by normal rotation. Client SKUs typically keep far fewer snapshots than servers. Treat the absence of shadow copies as inconclusive unless you verified the feature was enabled and sized on that host.
MITRE ATT&CK Techniques
- T1490 Inhibit System Recovery (deletion of shadow copies, e.g. vssadmin delete shadows)
Used in Procedures
- Determine Encryption Scope and Affected Systems (analyze)
- Identify Alternative Evidence When Primary Logs Are Missing (collect)
- Document Chain of Custody for All Collected Evidence (preserve)
- Rebuild Compromised Systems from Known-Good Images (recover)
- Validate Backup Integrity Before Restoration (recover)
- Preserve VSS Shadow Copies and Encryption Timing Artifacts (preserve)
- Review Ransomware Resilience and Backup Isolation Failures (post-incident)
Related Blockers
Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.
Law Enforcement Requested Investigation Pause
A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.
Incident Responder Credentials Compromised
The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.