# vshadow-rs
Inspect, list and extract files from Windows Volume Shadow Copy snapshots inside forensic disk images. No Windows APIs. No FUSE. No C dependencies. Cross-platform.
Part of the We Investigate Anything project. Full documentation: vshadow-rs article | Used by masstin for forensic image analysis.
## Why?
Attackers clear Windows event logs. Volume Shadow Copies preserve the old data. But accessing it is painful:
| Tool | Problem |
|---|---|
| vshadowmount | Requires FUSE, Linux only, can't read E01 |
| EVTXECmd --vss | Requires Windows VSS COM API, live systems only |
vshadow-rs reads the on-disk VSS format directly from any forensic image. One binary, any platform.
## Quick Start

```text
$ vshadow-info info -f HRServer_Disk0.e01
vshadow-info v0.1.1
Inspecting: HRServer_Disk0.e01
Format: E01 (Expert Witness Format)
Image size: 50.00 GB
Found 1 NTFS partition(s)

=== Partition 1 ===
Offset: 0x1f500000 (0.49 GB into disk)
VSS detected: YES (signature found at partition offset 0x1E00)
Snapshots: 1

Store 0:
  GUID: 4479c1da-99b9-11e8-b7f4-acd82990ee82
  Created: 2018-08-07 23:07:58 UTC
  Sequence: 1
  Changed blocks: 9593 (149.9 MB modified since snapshot)
```
## CLI Commands

### info — Detect VSS stores
Auto-detects NTFS partitions (GPT + MBR), checks each one for VSS, reports store count, creation date, and how much data changed since the snapshot.
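The detection the `info` command performs can be illustrated with a small scanner. The code below is an added example, not vshadow-rs project code: it parses the four primary MBR entries (GPT is left out for brevity), verifies each candidate by its NTFS boot-sector OEM ID rather than trusting the partition type byte, and then checks for the VSS volume header at partition offset 0x1E00. The 16-byte identifier it compares against is taken from the libvshadow format documentation credited at the end of this README (GUID 3808876b-c176-4e48-b7ae-04046e6cc752, stored little-endian) and should be treated as an assumption to verify against that specification. The disk image is constructed in memory so the example runs offline.

```rust
// Added example (not vshadow-rs project code): scan an MBR-partitioned image
// for NTFS partitions and check each one for the VSS volume header signature.
use std::io::{Cursor, Read, Seek, SeekFrom};

const SECTOR: u64 = 512;
const VSS_HEADER_OFFSET: u64 = 0x1E00;
// VSS volume header identifier as documented by libvshadow
// (GUID 3808876b-c176-4e48-b7ae-04046e6cc752, little-endian field order).
// Assumption taken from that specification, not from this README.
const VSS_IDENTIFIER: [u8; 16] = [
    0x6b, 0x87, 0x08, 0x38, 0x76, 0xc1, 0x48, 0x4e,
    0xb7, 0xae, 0x04, 0x04, 0x6e, 0x6c, 0xc7, 0x52,
];

#[derive(Debug, PartialEq)]
pub struct NtfsPartition {
    pub offset: u64,
    pub has_vss: bool,
}

fn read_at<R: Read + Seek>(r: &mut R, off: u64, len: usize) -> std::io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    r.seek(SeekFrom::Start(off))?;
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Walk the MBR partition table, keep entries that really carry an NTFS boot
/// sector, and report whether a VSS header is present on each of them.
pub fn scan_mbr<R: Read + Seek>(r: &mut R) -> std::io::Result<Vec<NtfsPartition>> {
    let mbr = read_at(r, 0, 512)?;
    if mbr[510..512] != [0x55, 0xAA] {
        return Ok(Vec::new()); // no MBR boot signature
    }
    let mut found = Vec::new();
    for i in 0..4 {
        let e = &mbr[446 + i * 16..446 + (i + 1) * 16];
        if e[4] == 0 {
            continue; // empty slot
        }
        let lba = u32::from_le_bytes([e[8], e[9], e[10], e[11]]) as u64;
        let offset = lba * SECTOR;
        // Confirm NTFS via the boot sector OEM ID, not the type byte.
        let bs = read_at(r, offset, 512)?;
        if &bs[3..11] != b"NTFS    " {
            continue;
        }
        let hdr = read_at(r, offset + VSS_HEADER_OFFSET, 16)?;
        found.push(NtfsPartition { offset, has_vss: hdr[..] == VSS_IDENTIFIER });
    }
    Ok(found)
}

/// Constructed test image: one MBR entry of type 0x07 starting at LBA 2048,
/// an NTFS OEM ID in its boot sector, and optionally a VSS header at 0x1E00.
pub fn constructed_image(with_vss: bool) -> Vec<u8> {
    let part_lba: u32 = 2048;
    let base = part_lba as usize * 512;
    let mut img = vec![0u8; base + 0x2000];
    let e = 446;
    img[e + 4] = 0x07;
    img[e + 8..e + 12].copy_from_slice(&part_lba.to_le_bytes());
    img[e + 12..e + 16].copy_from_slice(&16u32.to_le_bytes());
    img[510] = 0x55;
    img[511] = 0xAA;
    img[base + 3..base + 11].copy_from_slice(b"NTFS    ");
    if with_vss {
        img[base + 0x1E00..base + 0x1E10].copy_from_slice(&VSS_IDENTIFIER);
    }
    img
}

fn main() {
    let mut cur = Cursor::new(constructed_image(true));
    for p in scan_mbr(&mut cur).unwrap() {
        let flag = if p.has_vss { "YES" } else { "no" };
        println!("NTFS partition at 0x{:x}, VSS detected: {}", p.offset, flag);
    }
}
```

Checking the OEM ID is what keeps a mislabelled or wiped partition entry from being reported as NTFS; on a real image the reader would be a `File` or an E01 reader instead of the in-memory `Cursor`.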
### list — Browse files

```sh
# Live volume
# VSS store (the snapshot — see what was there BEFORE the attacker cleared logs)
```
### extract — Recover files

```sh
# Recover event logs from VSS (deleted from live but preserved in snapshot)
# Extract from live volume for comparison
```
## Forensic Workflow

```sh
# 1. Inspect image for shadow copies
# 2. Compare Security.evtx between live and snapshot
#    (cleared logs = much smaller file on live volume)
# 3. Recover the pre-deletion event logs
# 4. Generate lateral movement timeline with masstin
# 5. Visualize in Memgraph
```
## Library Usage

```rust
use vshadow_rs::VssVolume; // crate path assumed; only `use VssVolume;` survives on this page

let mut reader = /* any Read+Seek: File, BufReader, ewf::EwfReader */;
let vss = VssVolume::new(reader)?; // constructor call reconstructed from `let vss = new?;`
println!("Snapshots: {}", vss.store_count); // format string not preserved on this page
for i in 0..vss.store_count {
    // per-store handling not preserved on this page
}
```
## Comparison
| Feature | vshadowmount | vshadowinfo | vshadow-info |
|---|---|---|---|
| List VSS stores | - | Yes | Yes |
| Show creation dates | - | Yes | Yes |
| Show delta size (changed blocks) | - | - | Yes |
| Mount as FUSE filesystem | Yes | - | - |
| List files inside VSS | via mount | - | Yes |
| Extract files from VSS | via mount | - | Yes |
| Browse live volume | - | - | Yes |
| Read E01 directly | - | - | Yes |
| Auto-detect GPT/MBR | - | - | Yes |
| Cross-platform | Linux | Linux/Mac/Win | All |
## Supported Formats
| Format | Support |
|---|---|
| E01 (Expert Witness Format) | Built-in via ewf crate |
| Raw / dd / 001 | Native |
| Partition images | Direct (offset = 0) |
Windows versions: Vista through Windows 11, Server 2008 through 2022 (VSS v1 and v2).
## How VSS Works
VSS is a copy-on-write mechanism at the block level (16 KiB blocks):
- Snapshot taken → catalog records store metadata (GUID, timestamp)
- Block modified on live volume → old data copied to store area first
- Reconstruction → changed blocks read from store, unchanged blocks read from live volume
The delta (changed blocks) tells you how much the disk changed since the snapshot. A small delta means the snapshot is very close to the current state. A large delta means significant changes occurred — possibly including log clearing.
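The three steps above can be modelled in a few dozen lines. The following is an added example, not vshadow-rs code: a toy volume of 16 KiB blocks where the first write to a block after a snapshot copies the old contents into a store, reconstruction pulls changed blocks from the store and unchanged blocks from the live volume, and the delta is simply the store's block count times the block size. The `Security.evtx` data in `main` is a constructed stand-in, not real log content.

```rust
// Added example (not vshadow-rs code): a toy model of VSS copy-on-write at
// 16 KiB block granularity, showing snapshot reconstruction and the delta.
use std::collections::BTreeMap;

pub const BLOCK_SIZE: usize = 16 * 1024;

pub struct Volume {
    live: Vec<Vec<u8>>,              // current contents of every block
    store: BTreeMap<usize, Vec<u8>>, // block index -> contents at snapshot time
    snapshot_taken: bool,
}

impl Volume {
    pub fn new(block_count: usize) -> Self {
        Volume {
            live: vec![vec![0u8; BLOCK_SIZE]; block_count],
            store: BTreeMap::new(),
            snapshot_taken: false,
        }
    }

    /// Taking a snapshot costs nothing up front: the store starts empty and
    /// only fills as live blocks are modified afterwards.
    pub fn take_snapshot(&mut self) {
        self.store.clear();
        self.snapshot_taken = true;
    }

    /// Write to a live block. The first write to a block after the snapshot
    /// copies its old contents into the store first; later writes do not.
    pub fn write_block(&mut self, idx: usize, data: &[u8]) {
        assert!(data.len() <= BLOCK_SIZE, "write exceeds one block");
        if self.snapshot_taken && !self.store.contains_key(&idx) {
            self.store.insert(idx, self.live[idx].clone());
        }
        self.live[idx][..data.len()].copy_from_slice(data);
    }

    pub fn live_block(&self, idx: usize) -> &[u8] {
        &self.live[idx]
    }

    /// Reconstruct a block as it was at snapshot time: changed blocks come
    /// from the store, unchanged blocks are read straight from the live volume.
    pub fn snapshot_block(&self, idx: usize) -> &[u8] {
        self.store
            .get(&idx)
            .map(|old| old.as_slice())
            .unwrap_or(&self.live[idx])
    }

    pub fn changed_blocks(&self) -> usize {
        self.store.len()
    }
}

/// Delta in bytes for a given number of changed blocks, as reported by `info`.
pub fn delta_bytes(changed_blocks: usize) -> usize {
    changed_blocks * BLOCK_SIZE
}

fn main() {
    let mut vol = Volume::new(8);
    // Constructed stand-in for a data block of Security.evtx.
    vol.write_block(2, b"EVTX record: logon 4624 from WORKSTATION-7");
    vol.take_snapshot();
    // "Clearing" the log overwrites the block on the live volume.
    vol.write_block(2, &[0u8; 64]);
    println!("changed blocks: {}", vol.changed_blocks());
    println!(
        "delta: {:.1} MiB",
        delta_bytes(vol.changed_blocks()) as f64 / 1_048_576.0
    );
    println!(
        "snapshot view of block 2: {}",
        String::from_utf8_lossy(vol.snapshot_block(2)).trim_end_matches('\0')
    );
}
```

The arithmetic matches the quick-start output above: 9593 changed blocks of 16 KiB is 157,171,712 bytes, which is 149.9 MiB. The model also shows why the store is only written once per block: a second overwrite of the same block changes nothing in the snapshot view, so the delta counts distinct blocks, not writes.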
## Documentation
| Topic | Link |
|---|---|
| vshadow-rs full guide | weinvestigateanything.com — vshadow-rs |
| masstin (lateral movement analysis) | weinvestigateanything.com — masstin |
| Security.evtx forensic artifacts | weinvestigateanything.com — Security.evtx |
| Neo4j graph visualization | weinvestigateanything.com — Neo4j |
| Memgraph visualization | weinvestigateanything.com — Memgraph |
## License
GNU Affero General Public License v3.0 — see LICENSE for details.
## Credits
VSS format specification: libvshadow documentation by Joachim Metz.