Volume Shadow Information (VSI) file

MH370 DECODED


The term Volume Shadow Information (VSI) file was used in a RMP Forensic Report and quoted in the Safety Investigation Report in the context of data recovered from Captain Shah's Flight Simulator.

This article explains that the term is not consistent with Microsoft terminology, and suggests that the forensic investigator may have meant the System Volume Information folder which contains files created by the Volume Shadow Copy Service. These terms are explained so that the reader can better understand where the recovered data came from and how it got there.


Relevance to MH370

Captain Shah was the Pilot-in-Command of Malaysia Airlines flight MH370. A week after MH370 went missing the Royal Malaysia Police (RMP) seized Captain Shah's personal Flight Simulator. A forensic investigation discovered two data points located in the southern Indian Ocean. The following statement was made in the Safety Investigation Report based on information provided by the RMP:-

It was also discovered that there were seven ‘manually programmed’ waypoint coordinates ..., that when connected together, will create a flight path from KLIA to an area south of the Indian Ocean through the Andaman Sea. These coordinates were stored in the Volume Shadow Information (VSI) file dated 03 February 2014. The function of this file was to save information when a computer is left idle for more than 15 minutes. Hence, the RMP Forensic Report could not determine if the waypoints came from one or more files.
(Emphasis added.)

What is a Volume Shadow Information (VSI) file?

Firstly, there is a slight language problem. Microsoft documentation[1] follows a strict style guide and the term Volume Shadow Information (VSI) file is not consistent with Microsoft terminology[2]. It can be assumed that the author meant the System Volume Information folder.

Microsoft introduced a program called the Volume Shadow Copy Service in Windows XP and it has been part of Windows operating systems ever since. This service makes the System Restore Point files so that system changes can be wound back and restored to a previous version. But it also creates the backups which enable a user to recover a previous version of a file. For example, if you open Windows Explorer and right-click on a folder or file, one of the menu options available is Restore previous versions. However, if you have ever needed to use it you may have discovered that a previous version does not exist, or if it does, it is not as recent as you would have hoped for. This is because it is not a file backup system. It is a process that saves changes to files in data blocks. And it only happens when triggered by specific events or as commanded by the Task Scheduler.

To summarise, the System Volume Information folder stores System Restore Point files, and files or the parts of files which have changed - called Shadow Copies.

Where are the System Volume Information folders?

By default, the System Volume Information folder is hidden. There is one on every Volume, so we need to know what a Volume is...

All storage devices, such as a hard disk drive, solid state drive or USB 'thumb' drive, are physical devices. These drives can be partitioned to create smaller logical drives. For example, the operating system is generally installed on a C: Drive, but if the storage capacity of that physical drive is large the user or system administrator may prefer to separate the operating system from other data and can create a partition for a D: Drive to hold documents and other data files. Each logical storage unit is called a Volume, so in this example both the C: Drive and the D: Drive are Volumes. Therefore each logical partitioned drive, C:, D: and so on, will have its own System Volume Information folder.

What is a Volume Shadow Copy?

The Shadow Copy is a hidden copy of the files on a Volume. It co-exists with the 'live' copy. It is created by momentarily 'freezing' any read or write activity for the Volume so that a copy can be made; the Volume is then said to 'thaw'. It can happen so quickly that the user does not notice any interruption.

The System Volume Information folder contains a collection of Volume Shadow Copy files which are different versions that can be identified by date and time - like System Restore Points. However, if the Shadow Copy was a complete copy of the Volume for each version the System Volume Information folder would be huge. Instead, each Shadow Copy records the changes since the previous version. And to save storage space it does not save a copy of each changed file - it saves a copy of the data which is changed, called blocks.
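As an added example, not code from this article or from Microsoft, the following PowerShell lists the volumes on a machine, the System Volume Information folder each one carries, and the shadow copies the Volume Shadow Copy Service currently holds for that volume, identified by creation time as described above. It assumes an elevated session on Windows 8 / Server 2012 or later, and joins the Win32_Volume and Win32_ShadowCopy classes on the \\?\Volume{GUID}\ identifier they share.

```powershell
# Added example (not from the article it follows): one System Volume Information
# folder per volume, and the shadow copies currently held for each volume.
# Run in an elevated PowerShell session (Windows 8 / Server 2012 or later).

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the
# \\?\Volume{GUID}\ form, which is how the two classes are matched below.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter }      # skip volumes without a drive letter

# Get-CimInstance converts the CIM datetime in InstallDate to a [datetime]
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

foreach ($vol in $volumes) {
    # The folder is hidden and its ACL grants access to SYSTEM only, so a normal
    # directory listing will not show its contents even from an admin prompt.
    $sviFolder = Join-Path -Path $vol.DriveLetter -ChildPath 'System Volume Information'
    Write-Host ("`n{0}  ({1})  folder: {2}" -f $vol.DriveLetter, $vol.DeviceID, $sviFolder)

    $copies = $shadows |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object -Property InstallDate -Descending   # newest version first

    if (-not $copies) {
        Write-Host '    no shadow copies held for this volume'
        continue
    }

    foreach ($sc in $copies) {
        # DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path
        # through which the point-in-time copy can be read. Differential=True means
        # the copy stores only the blocks changed since it was taken, not whole files.
        $fields = @($sc.InstallDate, $sc.Differential, $sc.DeviceObject)
        Write-Host ('    {0:yyyy-MM-dd HH:mm:ss}  differential={1}  {2}' -f $fields)
    }
}
```

A volume that shows several entries, each a differential copy, is exactly the situation the paragraph describes: a set of versions distinguished only by timestamp, each recording the blocks changed since the previous one.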

How often is a Shadow Copy made?

It varies. The default period for Windows 7 is often quoted as 7 days. This is based on Microsoft documentation which says that System Restore in Windows 7 creates a scheduled restore point only if no other restore points have been created in the last 7 days[3]. However, the Volume Shadow Copy Service does more than create the system restore points.

The Restore previous versions feature (described above) relies on a 'snapshot' or 'point-in-time' backup of the data. However, not all changes are captured because the Volume Shadow Copy Service may not create the snapshot until certain conditions are met. These could be defined by Idle Conditions (defined below), or Power Conditions or Network Conditions which are not relevant here.

The Task Scheduler service will check if the computer is in an idle state every 15 minutes. A computer is considered to be in an idle state when a screen saver is running. If a screen saver is not running, then the computer is considered to be in an idle state if there is 0% CPU usage and 0% disk input or output for 90% of the past fifteen minutes and if there is no keyboard or mouse input during this period of time. Once the Task Scheduler service detects that the computer is in an idle state, the service only waits for user input to mark the end of the idle state.[4]

So, the statement in the Safety Investigation Report that 'The function of this file was to save information when a computer is left idle for more than 15 minutes' is correct.
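The idle test quoted above is applied by Task Scheduler to whichever tasks are configured to run only when the computer is idle. As an added example, not part of this article, the PowerShell below reads those conditions from the scheduled task that System Restore registers; it assumes Windows 8 / Server 2012 or later (Get-ScheduledTask does not exist on Windows 7) and that the task sits at its usual location, \Microsoft\Windows\SystemRestore\SR.

```powershell
# Added example: show the idle conditions and triggers on the System Restore task.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and that the
# task is registered at \Microsoft\Windows\SystemRestore\SR, its usual location.
$taskPath = '\Microsoft\Windows\SystemRestore\'
$taskName = 'SR'

$task     = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
$settings = $task.Settings

[pscustomobject]@{
    TaskName      = $task.TaskName
    State         = $task.State
    RunOnlyIfIdle = $settings.RunOnlyIfIdle                # the 'Idle Conditions' switch
    IdleDuration  = $settings.IdleSettings.IdleDuration    # how long the PC must be idle first (ISO 8601, e.g. PT10M)
    WaitTimeout   = $settings.IdleSettings.WaitTimeout     # how long the scheduler keeps waiting for an idle state
    StopOnIdleEnd = $settings.IdleSettings.StopOnIdleEnd   # stop the task when user input ends the idle state
    RestartOnIdle = $settings.IdleSettings.RestartOnIdle   # restart it when the computer becomes idle again
} | Format-List

# The triggers say when the task is scheduled; the idle settings above are the
# additional condition that must also hold before it actually starts.
$task.Triggers |
    Select-Object -Property @{ n = 'Type'; e = { $_.CimClass.CimClassName } }, StartBoundary, Enabled |
    Format-Table -AutoSize

# Last and next run times show how often the task has actually fired on this machine
Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Reading the conditions this way, rather than assuming a fixed interval, is what lets an examiner say whether a given machine could have written a new copy at the time in question.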

What does the statement 'the RMP Forensic Report could not determine if the waypoints came from one or more files' mean?

It's a curious statement but must have been stated for a reason - to qualify the validity of the recovered data. To save space and reduce the size of the System Volume Information folder, older Shadow Copy files are deleted and may be over-written. Also, because the Shadow Copy files are not complete file backups, a file might be reassembled using the data blocks stored in different Shadow Copy files. So if data is assembled with blocks from different Shadow Copy files to create a file fragment can we be sure that the file fragment is part of one original file or have we just assembled pieces of several files to make it look like it came from the same file? If fragments of deleted or over-written Shadow Copy files are used to recover a data file and all you have is a fragment, could you go to Court with it? Would the evidence obtained be sufficiently reliable?
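To make the point about discarded and incomplete versions concrete, here is an added example, not from this article or the RMP report, that takes one file and hashes its live copy together with the copy held in each shadow copy of its volume that still exists. Each shadow copy is reached through a temporary directory symlink to its device path, which is how a previous version is read without the Explorer feature. The file path is a placeholder, since the article does not give the layout of the seized machine, and an elevated session is assumed.

```powershell
# Added example: for one file, hash the live version and the version stored in
# every remaining shadow copy of its volume. Requires an elevated session.
# The path below is a placeholder; the seized machine's layout is not known here.
$filePath = 'C:\Users\example\Documents\Flight Simulator X Files\example.FLT'   # placeholder

$drive    = [System.IO.Path]::GetPathRoot($filePath).TrimEnd('\')               # 'C:'
$relative = $filePath.Substring($drive.Length).TrimStart('\')                   # path below the drive root
$volume   = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }

function Get-FileVersionHash {
    param([string]$Path)
    # A version that no longer exists (file absent from that snapshot) is reported, not hidden
    if (Test-Path -LiteralPath $Path) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else {
        '<absent>'
    }
}

Write-Host ('live              {0}  {1}' -f (Get-FileVersionHash $filePath), $filePath)

# Shadow copies for this volume only, newest first
$copies = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object -Property InstallDate -Descending

foreach ($sc in $copies) {
    # A directory symlink is the supported way to browse a shadow copy from user mode;
    # mklink needs the trailing backslash on the device path.
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    cmd /c mklink /d $link ($sc.DeviceObject + '\') | Out-Null
    try {
        $shadowPath = Join-Path $link $relative
        $fields = @($sc.InstallDate, (Get-FileVersionHash $shadowPath), $shadowPath)
        Write-Host ('{0:yyyy-MM-dd HH:mm}  {1}  {2}' -f $fields)
    } finally {
        # rmdir on a directory symlink removes only the link, never the shadow copy behind it
        cmd /c rmdir $link | Out-Null
    }
}
```

Identical hashes across several copies mean the file was unchanged between those snapshots; a differing hash marks a version boundary; and '<absent>' for the older copies shows where retention has already discarded the history, which is the limit the paragraph above is describing.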

In the case of data recovered from Captain Shah's flight simulator some data points were incomplete. But the two data points located in the southern Indian Ocean each have sufficient parameters and values to provide usable information.

Why is all this Shadow Copy information significant?

Based on the quoted extract from the Safety Investigation Report we know that data points recovered from Captain Shah's flight simulator included two that were located in the southern Indian Ocean, although these were a long way from where flight MH370 is believed to have ended.

The data was recovered from a System Volume Information folder and the files would have been 'snapshots' of *.FLT files from the Microsoft Flight Simulator application created by the Volume Shadow Copy Service. If the original 'live' files were deleted, or removed when the software was uninstalled, the Shadow Copy files would still remain in the System Volume Information folder until they were old enough to be discarded and possibly over-written.

The Forensic Investigators did find 'live' or 'current' *.FLT files, but none with relevant data. The seven relevant files were all Shadow Copies. The original files, most likely *.FLT files created by the Microsoft Flight Simulator application, had been removed or deleted. The Media tried to make this seem more significant than it is, as though deleting files was an intentional action. However, that misrepresents the situation.

Summary

This article has argued that the term Volume Shadow Information (VSI) file, originally used in an RMP Forensic Report and repeated in the Safety Investigation Report, is most likely a reference to a System Volume Information folder, the term used by Microsoft's online Volume Shadow Copy Service Portal. Using information from the Portal and related Microsoft articles, other terms such as Volume Shadow Copy Service and Volume Shadow Copy have been explained and simplified so that the context in the Safety Investigation Report can be better understood.

As the data recovered from Captain Shah's flight simulator was in a System Volume Information folder it is relevant to know that the Volume Shadow Copy Service does not work like a backup utility that would copy complete files. Instead it works at a smaller 'block' level, enabling a user to retrieve a previous version of a file by recording only the changed data.

Throughout this website the recovered data has been referred to as 'Data Points', and the term 'Shadow Copy' has been used to describe the source, location and file type of the recovered data.



Notes and References
  1. Microsoft Volume Shadow Copy Service Portal at https://docs.microsoft.com/en-us/windows/desktop/VSS/volume-shadow-copy-service-portal
  2. A search for the terms VSI or 'Volume Shadow Information' on Microsoft's website returned no results, as illustrated by the screen capture below:-

    Search result for VSI on Microsoft website

  3. Microsoft Restore Points at https://docs.microsoft.com/en-us/windows/desktop/sr/restore-points
  4. Microsoft Task Conditions at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721902(v=ws.11)


Further Reading

Microsoft
Volume Shadow Copy Service Portal
https://docs.microsoft.com/en-us/windows/desktop/VSS/volume-shadow-copy-service-portal
How Volume Shadow Copy Service Works
https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
Vssadmin
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin
The VSS Model
https://docs.microsoft.com/en-us/windows/desktop/VSS/the-vss-model
Volume Shadow Copy Glossary
https://docs.microsoft.com/en-us/windows/desktop/VSS/volume-shadow-copy-glossary


The Leahy Center for Digital Investigation

The following articles were developed during a project which evaluates the Windows Volume Shadow Copy service and asks 'How can this service be used to gather artifacts of a potential evidentiary value'?
The articles are also referenced from the Forensics Wiki at http://www.forensicswiki.org/wiki/Windows_Shadow_Volumes

Volume Shadow Copy Part 1
https://lcdiblog.champlain.edu/2014/01/23/volume-shadow-copy-blog-1/
Volume Shadow Copy Part 2
https://lcdiblog.champlain.edu/2014/02/05/volume-shadow-copy-part-2/
Volume Shadow Copy Part 3
https://lcdiblog.champlain.edu/2014/02/26/volume-shadow-copy-part-3/
Volume Shadow Copy Part 4
https://lcdiblog.champlain.edu/2014/03/26/volume-shadow-copy-part-4/