Task 9.5: Recovering Previous Versions of Files

Very often, after a system has been compromised or used unacceptably, the attacker tries to cover their tracks by deleting the incriminating evidence, either content within a file or the file itself. Such deleted content can often be recovered with a feature introduced with Windows XP and Windows Server 2003. It has two halves: Volume Shadow Copy (the snapshot portion) and Previous Versions (the recovery portion).

Shadow Copies of Shared Folders, the server-side Volume Shadow Copy (VSC) feature this task uses, is available on Server 2003, Server 2008, and Server 2008 R2. Clients running Windows 2000 (SP3 or later), XP, or Server 2003 can recover previous versions of files from those servers once the Shadow Copy Client is installed; Windows Vista and Windows 7 have Previous Versions built in. By default, at scheduled times each day, the server takes a VSC snapshot of every volume on which VSC is enabled. A snapshot is copy-on-write: it stores only the disk blocks that have changed since the previous snapshot, so each one costs far less than a full copy of the volume. It still occupies hard drive space, 300 MB minimum for the storage area, up to whatever limit you allow it to use. Server 2003 has the Shadow Copy Client (also called the Previous Versions Client or Time Warp Client) already installed and available.

After you install the Shadow Copy Client software, a Microsoft client can browse up to 64 previous versions (the maximum number of shadow copies kept per volume) and recover any copy the server still has available. The add-on Shadow Copy Client software can be downloaded from http://technet.microsoft.com/en-us/windowsserver/bb405951.aspx.

Clients can use this recovery to restore modified or deleted files, and administrators can use it to recover evidence that an attacker deleted to cover their tracks. It should not be relied on for disaster recovery, even though it may help in some disaster recovery situations: the shadow copies usually reside on the same disk as the content, so if the disk fails both copies are lost. Likewise, anyone with administrative rights on the server can delete the shadow copies themselves (vssadmin delete shadows), so treat them as a convenience for investigators rather than as tamper-proof evidence.

Scenario

You are the administrator of a Microsoft network. You need to configure your environment to be able to recover deleted content and files for investigative purposes as part of your CERT program.

Scope of Task

Duration

This task should take 45 minutes.

Setup

You will first configure VSC on a Server 2003 system. You will then manipulate files on a share point to create multiple previous versions. Then you will download and install the Shadow Copy Client on an XP system and perform selected content and file recovery procedures to confirm the validity of the shadow copies.

Caveat

Allowing clients to use the Shadow Copy Client is a double-edged sword. It lets a client recover their own deleted content, but if they recover it incorrectly they can easily overwrite the most recent copy of the content with an older one, losing their newest data. Whenever this type of error occurs, the blame somehow falls squarely on the shoulders of the administrator; it’s going to be your fault that the client lost their new data.

If you’re diligently backing up content, you may be able to recover their lost data, or you may even be able to pick their new data out of the Previous Versions Client. But frankly, don’t you have better things to do? In a real corporate environment, you might want to keep the recovery capability in the hands of the administrators, and not install or train the client on previous versions.

Procedure

First you will configure and enable the VSC feature on a Server 2003 system. Next you will create and manipulate content by adding and deleting content and files to create differing previous versions.

You will then download and install the Shadow Copy Client on an XP system. Once that is accomplished, you will perform multiple recovery procedures to validate the recovery processes for future use.

Equipment Used

For this task, you must have:

  • Windows Server 2003 system (or a Windows Server 2008 system)
  • Windows XP Professional system (or a Windows Vista or Windows 7 system)
  • Administrator access
  • Internet access

Details

Configuring and Enabling the Volume Shadow Copy Feature on Server 2003

1. Log on to the Windows Server 2003 system as the Administrator.

2. Launch Windows Explorer. In the left pane, expand the view sufficiently to select the root of the C: drive.

3. In Explorer, in the left pane, select the root of the C: drive. In the right pane, right-click on white space and select New ⇒ Folder. Name the folder STUFF.

4. Share the folder with default permissions.

image

Review Task 4.8 for instructions on sharing folders, if necessary.

5. In Explorer, in the left pane, right-click on the root of the C: drive and select Properties.

image

6. In the Properties dialog box for the C: drive, select the Shadow Copies tab.

image

The Shadow Copies tab appears here by default on Server 2003. On Server 2008 R2, the volume's right-click menu offers Configure Shadow Copies instead.

7. Notice that Shadow Copies is not enabled by default. This feature consumes system resources that you may not want to commit. For this task, accept the performance degradation. Click Settings.

image
image

If you click Enable first, and later wish to change where you want to store the shadow copies, all existing shadow copies will be deleted for this volume (partition). Always configure your settings first.

8. In the Settings dialog box, you can move the shadow copy content to a different volume, configure a space limit for the shadow copy content, and adjust the automatic shadow copy schedule for this volume. Click the Schedule button.

image

9. By default, once enabled, the VSC automatically creates copies at 7 a.m. and 12 p.m., Monday through Friday. Select the drop-down list in the top field to view the default schedule.

10. To add one more copy event each day, click the New button in the Schedule dialog box.

11. In the Schedule dialog box, select Weekly from the Schedule Task drop-down list. Adjust the Start Time field to 3 p.m. Configure the Schedule Task Weekly to every week on Monday, Tuesday, Wednesday, Thursday, and Friday.

12. Once you have the proper configuration, select the drop-down list in the top field to view the newly modified schedule of 7 a.m., 12 p.m., and 3 p.m. Monday through Friday.

image

13. Click OK to close the Schedule dialog box.

14. On the Shadow Copies tab of the C: drive’s Properties dialog box, click the Create Now button to fire off the first shadow copy manually.

15. Once the shadow copy displays in the Shadow Copies Of Selected Volume section, click the Settings button.

16. In the Settings dialog box, click the Details button to view the properties of the first shadow copy.

image
image

Notice that 300 MB, the minimum storage area, has been allocated for the first shadow copy.

17. Click OK to close the Details dialog box. Click OK to close the Settings dialog box.

18. You have now successfully configured the C: drive of the Server 2003 system to create Volume Shadow Copies three times daily, Monday through Friday.

19. Leave the C: Drive Properties dialog box open, but move it aside for the moment. You’ll be using it shortly.
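The same configuration can be scripted instead of clicked through. The following is an added example, not code from the book: it is the command-line equivalent of steps 5 through 18, meant for an elevated PowerShell 2.0 session (KB968930) on the Server 2003 host. The volume letter, the 1 GB storage cap and the task name are assumptions made for this lab; the vssadmin, schtasks and Win32_ShadowCopy interfaces it calls are the ones that ship with Server 2003.

```powershell
# Added example, not from the book: the command-line equivalent of steps 5-18,
# run in an elevated PowerShell 2.0 session (KB968930) on the Server 2003 host.
# The volume letter, storage cap and task name are this lab's assumptions.
$Volume  = 'C:'
$MaxSize = '1GB'   # cap for the shadow storage area; vssadmin enforces a 300 MB floor

# Step 7 caveat: place and size the storage area BEFORE the first snapshot.
# Moving it later discards every existing shadow copy on the volume.
& vssadmin add shadowstorage /for=$Volume /on=$Volume /maxsize=$MaxSize 2>$null
if ($LASTEXITCODE -ne 0) {
    # an association for this volume already exists, so adjust it instead
    & vssadmin resize shadowstorage /for=$Volume /on=$Volume /maxsize=$MaxSize
}

# Step 14 ("Create Now") through WMI. 'ClientAccessible' is the context used by
# Shadow Copies of Shared Folders, i.e. the copies the Previous Versions tab lists.
function New-ClientAccessibleShadow([string]$Vol) {
    $class  = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result = $class.Create("$Vol\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed, return code $($result.ReturnValue)"
    }
    $result.ShadowID
}

# Steps 15-16: the snapshots that exist on the volume and when each was taken,
# which is the "My Time from VSC" column of the table you fill in later.
function Get-ShadowCopyTable([string]$Vol) {
    $device = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$Vol'").DeviceID
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $device } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ID               = $_.ID
                Created          = $_.ConvertToDateTime($_.InstallDate)
                ClientAccessible = $_.ClientAccessible
            }
        } | Sort-Object Created
}

# Steps 10-13: a third daily snapshot at 3 p.m., Monday to Friday. schtasks on
# Server 2003 takes /st as HH:MM:SS. The GUI's Schedule dialog edits only its own
# ShadowCopyVolume{...} task, so this task is managed with schtasks, not from there.
& schtasks /create /tn 'ShadowCopy-C-1500' /sc WEEKLY /d MON,TUE,WED,THU,FRI `
    /st 15:00:00 /ru System /tr "vssadmin create shadow /for=$Volume /autoretry=5"

$id = New-ClientAccessibleShadow $Volume
"Created shadow copy $id"
Get-ShadowCopyTable $Volume | Format-Table Created, ID, ClientAccessible -AutoSize
& vssadmin list shadowstorage /for=$Volume    # used vs. allocated vs. maximum (step 16 Details)
```

Run it once per snapshot you want to take; each call to New-ClientAccessibleShadow corresponds to one click of Create Now in the steps that follow, and Get-ShadowCopyTable gives you the timestamps to write into the table without reading them off the dialog.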

Manipulating Content on the C: Drive to Produce Previous Versions

1. On the Windows Server 2003 system, logged in as the Administrator, in the Windows Explorer application, with the STUFF folder selected in the left pane, right-click in the right pane and select New ⇒ Text Document. Name the document GoodStuff1.txt.

2. Repeat step 1 to create the files GoodStuff2.txt and GoodStuff3.txt.

3. In the C: Drive Properties dialog box, on the Shadow Copies tab that you left open earlier, click the Create Now button to create another shadow copy of the C: drive.

4. You’re going to manipulate these files and make multiple shadow copies. To keep track of the contents of each copy, fill in the table presented here as you complete the following steps. Write the time of the shadow copies you’ve created in the My Time from VSC field that matches up the proper Steps and Contents.

image
image

Log your times for VSC #1—the Initial VSC—and #2—the VSC created in step 3—in the table provided. Flag this page. You’ll be double-checking content later using this table as a reference.

5. In Explorer, double-click on the file GoodStuff1.txt to open it in the Notepad application. Edit GoodStuff1.txt with the content ABC.

6. In Notepad, select File ⇒ Save to save the new content ABC in the file GoodStuff1.txt.

image

Leave GoodStuff1.txt open in Notepad.

7. In the C: Drive Properties dialog box, on the Shadow Copies tab, click the Create Now button to create another shadow copy of the C: drive.

image

Log your VSC time on line 3 in the table provided.

8. Edit GoodStuff1.txt by adding XYZ to the content, resulting in the content ABC XYZ.

9. In Notepad, select File ⇒ Save to save the new content ABC XYZ in the file GoodStuff1.txt.

image

Leave GoodStuff1.txt open in Notepad.

10. In the C: Drive Properties dialog box, on the Shadow Copies tab, click the Create Now button to create another shadow copy of the C: drive.

image
image

Log your VSC time on line 4 in the table provided.

11. Edit GoodStuff1.txt by deleting XYZ and then adding 123 to the content, resulting in the content ABC 123.

12. In Notepad, select File ⇒ Save to save the new content ABC 123 in the file GoodStuff1.txt.

13. You can (finally) close GoodStuff1.txt.

14. In the C: Drive Properties dialog box, on the Shadow Copies tab, click the Create Now button to create another shadow copy of the C: drive.

image

Log your VSC time on line 5 in the table provided.

15. In Windows Explorer, delete GoodStuff2.txt by right-clicking on the file and selecting Delete.

16. In the C: Drive Properties dialog box, on the Shadow Copies tab, click the Create Now button to create another shadow copy of the C: drive.

image
image

Log your VSC time on line 6 in the table provided.

Testing Previous Versions on Server 2003

1. While logged on to Windows Server 2003 as the Administrator, in Explorer, in the left pane, right-click on the folder STUFF and select Properties.

image
image

Notice that the Previous Versions tab does not exist when you’re checking Properties locally.

2. Select Start ⇒ Run. In the Open field, type \\localhost\STUFF and click OK to connect to the STUFF share point.

3. An Explorer window will open and should show GoodStuff1.txt and GoodStuff3.txt.

image

4. Right-click on GoodStuff1.txt and select Properties. Select the Previous Versions tab in the GoodStuff1.txt Properties dialog box.

image
image

The Previous Versions tab is available only when you reach the content through a share point, so you must connect to the STUFF share over the network even on the server itself. This is not a typical way to access local content, but it is necessary if you must recover local content using Previous Versions.

5. Close the Properties dialog box for GoodStuff1.txt.

Installing Previous Versions on XP

1. Previous Versions is not installed by default on operating systems other than Server 2003, Server 2008, Windows Vista, and Windows 7. To use it on any other client, you must install the Shadow Copy Client on each system you need it on. See the installation instructions for down-level clients at www.microsoft.com/technet/downloads/winsrvr/shadowcopyclient.mspx.

2. While logged on to Windows Server 2003 as the Administrator, in Explorer, in the left pane, expand folders as necessary to select the folder \Windows\system32\clients\twclient\x86. In the right pane, notice but do not execute the file twcli32.msi. There is a newer version that you’ll be installing.

image

Twcli32.msi is the Time Warp Client for 32-bit OSs’ Microsoft Installer package. The Time Warp Client is also called Previous Versions Client and Shadow Copy Client. While this file works fine, do not use this file to install the Shadow Copy Client on XP. It is always better to download a fresh copy from a trusted source, just in case there is a newer version. You’ll do this in a few moments.

3. Log on to the XP Professional system as the Administrator.

4. Select Start ⇒ Run. Type \\server_name\STUFF in the Open field, where server_name is the name of the Windows Server 2003 system that is hosting the STUFF share point. Then click OK.

image

5. This should open an Explorer window that shows the two remaining files in the STUFF share point: GoodStuff1.txt and GoodStuff3.txt. Right-click on GoodStuff1.txt and select Properties.

6. Notice that the properties page for the content accessed through the network share point does not have a Previous Versions tab. Click OK to close the GoodStuff1.txt Properties dialog box.

7. Launch Internet Explorer. In the address bar, type the URL http://technet.microsoft.com/en-us/windowsserver/bb405951.aspx and click the Go button.

8. On the resulting web page, select to download the Shadow Copy Client for XP.

image

9. Save the ShadowCopyClient.msi file to your XP desktop.

10. Once the download is complete, close Internet Explorer.

image

Notice the file size is different compared to the twcli32.msi file.

11. Double-click the file ShadowCopyClient.msi located on your desktop to begin installation of the Previous Versions Client.

12. On the Welcome screen of the wizard, click Next.

image

13. On the End User License screen, click I Accept, and then click Next.

14. Installation will continue by displaying a progress window.

15. When you are presented with the Successful Installation screen, click Finish to close the Shadow Copy Client Setup Wizard.

16. In the Explorer window that is connected to \\server_name\STUFF (where server_name is the name of the Windows Server 2003 server that is hosting the STUFF share point), right-click on GoodStuff1.txt and select Properties. Now you can select the Previous Versions tab.

17. Select the most recent previous version (VSC 4, Step 10 version from the table you filled in earlier—in the graphic, it is the 12:20 p.m. version) and click the View button. This should open Notepad with a copy of GoodStuff1.txt. The version from Step 10 had the content of ABC XYZ.

image

The current version of GoodStuff1.txt contains the content ABC 123. There are no VSC 5 or VSC 6 (Step 14 or Step 16) entries in the Previous Versions list, because in those snapshots GoodStuff1.txt is identical to the current file and the Previous Versions tab does not list copies that match the current version. If you want the VSC 5, Step 14 (12:26) version that reads ABC 123, open the current GoodStuff1.txt file directly from the share point. View each previous version of GoodStuff1.txt on the list and confirm its content against the table you filled in earlier.

18. After viewing deleted content in the previous-version files, close Notepad with GoodStuff1.txt.

19. In the Explorer window that is connected to \\server_name\STUFF, right-click the white space and select Properties. Select the Previous Versions tab of the STUFF Properties dialog box.

20. Select the VSC 5, Step 14 (12:26 p.m.) version, and then click the View button.

image

21. The VSC 5, Step 14 (12:26 p.m.) version was recorded prior to deleting the GoodStuff2.txt file. Observe the GoodStuff2.txt file.

22. Close the window showing the VSC 5, Step 14 (12:26 p.m.) version files.

23. On the Previous Versions tab of the STUFF Properties dialog box, with the VSC 5, Step 14 (12:26 p.m.) version highlighted, click the Copy button to recover the STUFF folder that contains the deleted GoodStuff2.txt file.

24. In the Copy Items dialog box, select the C:\AA folder. If this folder does not exist, create a new folder and name it AA.

image

25. Click the Copy button in the Copy Items dialog box.

26. Open a new instance of Explorer. In the left pane, expand folders to select C:\AA\STUFF. Observe the recovered file GoodStuff2.txt.

image
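The recovery side can be scripted as well, which matters when you have to pull one file out of dozens of snapshots. The following is an added example, not code from the book: it reproduces steps 16 through 26 from a PowerShell 2.0 session on the XP client, using the snapshot-time token that the Shadow Copy Client lets you place in a UNC path (\\server\share\@GMT-YYYY.MM.DD-HH.MM.SS\file). It assumes the Shadow Copy Client is installed as in this task, that the client's administrator can query WMI on the server remotely, and that server_name, the STUFF share and the C:\AA\STUFF recovery folder are the ones used above. Unlike the Previous Versions tab, which hides copies identical to the current file, it walks every snapshot, so VSC 5 and VSC 6 show up here with the content ABC 123.

```powershell
# Added example, not from the book: scripted version of steps 16-26, run in
# PowerShell 2.0 on the XP client with the Shadow Copy Client installed.
# Server name, share and recovery folder are this lab's assumptions.
$Server  = 'server_name'
$Share   = "\\$Server\STUFF"
$Recover = 'C:\AA\STUFF'

# Every shadow copy is reachable through a snapshot-time token in the UNC path:
#   \\server\share\@GMT-YYYY.MM.DD-HH.MM.SS\file
# The token is the snapshot time in UTC, so convert the (local) WMI InstallDate.
function Get-ShadowTokens([string]$ComputerName) {
    Get-WmiObject -ComputerName $ComputerName Win32_ShadowCopy |
        Where-Object { $_.ClientAccessible } |
        ForEach-Object {
            $local = $_.ConvertToDateTime($_.InstallDate)
            New-Object PSObject -Property @{
                Created = $local
                Token   = '@GMT-' + $local.ToUniversalTime().ToString('yyyy.MM.dd-HH.mm.ss')
            }
        } | Sort-Object Created
}

# Step 17: read a file out of every snapshot. This lists all snapshots, including
# the ones the Previous Versions tab hides because they match the current file.
function Get-FileHistory([string]$Name) {
    foreach ($s in Get-ShadowTokens $Server) {
        $path = Join-Path (Join-Path $Share $s.Token) $Name
        $body = if (Test-Path $path) { (Get-Content $path) -join ' ' } else { '<absent>' }
        New-Object PSObject -Property @{ Created = $s.Created; Content = $body }
    }
}

# Steps 19-26: copy a deleted file out of the newest snapshot that still holds it.
function Restore-DeletedFile([string]$Name, [string]$Dest) {
    $snaps = @(Get-ShadowTokens $Server | Sort-Object Created -Descending)
    foreach ($s in $snaps) {
        $src = Join-Path (Join-Path $Share $s.Token) $Name
        if (Test-Path $src) {
            if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
            # Recover into a separate folder, never over the live share (see the Caveat section).
            Copy-Item $src (Join-Path $Dest $Name)
            return "$Name recovered from the snapshot of $($s.Created) into $Dest"
        }
    }
    "$Name not present in any snapshot"
}

Get-FileHistory 'GoodStuff1.txt' | Format-Table Created, Content -AutoSize
Restore-DeletedFile 'GoodStuff2.txt' $Recover
```

The history listing is the scripted counterpart of the table you filled in by hand: one row per snapshot, with the content of GoodStuff1.txt at that moment (empty for VSC 2, ABC for VSC 3, ABC XYZ for VSC 4, ABC 123 for VSC 5 and 6, and absent for VSC 1, which predates the file). Restore-DeletedFile lands GoodStuff2.txt in C:\AA\STUFF from VSC 5, the last snapshot taken before the deletion, without touching the live share.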

Criteria for Completion

You have completed this task when you have configured Volume Shadow Copies on Windows Server 2003; manipulated content on a share point; created multiple shadow copies; downloaded and installed the Shadow Copy Client on an XP system; and examined the previous versions to recover deleted content and deleted files.
