Messing with Forensic Analysts - Modifying VSS Snapshots
Offered By: BSidesLV via YouTube
Course Description
Overview
Explore the intricacies of Volume Shadow Copy Service (VSS) snapshots and learn techniques to manipulate them in this 25-minute conference talk from BSidesLV 2017. Delve into the basics of VSS, its importance in forensic analysis, and the on-disk format including NTFS headers and data block lists. Discover methods for writing data to snapshots, understanding block descriptors, and modifying timestamps. Gain insights on detecting snapshot modifications and the challenges involved in uncovering such alterations. Conclude with a live demonstration and a Q&A session to enhance your understanding of VSS snapshot manipulation and its implications for forensic analysts.
Syllabus
Introduction
What is VSS
Basics of VSS
Why should you care
Examples
Documentation
On Disk Format
NTFS Header
What is in a Store
Data Block List
Example Snapshot
Writing Data to a Snapshot
Block Descriptors
The Really Good Stuff
Demo
How to tell if a snapshot has been modified
Hardest way to find out
Modify timestamps
Questions
Taught by
BSidesLV