Messing with Forensic Analysts - Modifying VSS Snapshots

Explore the intricacies of Volume Shadow Copy Service (VSS) snapshots and learn techniques to manipulate them in this 25-minute conference talk from BSidesLV 2017. Delve into the basics of VSS, its importance in forensic analysis, and the on-disk format including NTFS headers and data block lists. Discover methods for writing data to snapshots, understanding block descriptors, and modifying timestamps. Gain insights on detecting snapshot modifications and the challenges involved in uncovering such alterations. Conclude with a live demonstration and a Q&A session to enhance your understanding of VSS snapshot manipulation and its implications for forensic analysts.

Introduction
What is VSS
Basics of VSS
Why should you care
Examples
Documentation
On Disk Format
NTFS Header
What is in a Store
Data Block List
Example Snapshot
Writing Data to a Snapshot
Block Descriptors
The Really Good Stuff
Demo
How to tell if a snapshot has been modified
Hardest way to find out
Modify timestamps
Questions