AF-004 · Structural
Volume Shadow Copy Complete Deletion
Status: Validated · Tags: vss, event-logs, Windows 10
Contributed by @ioi-framework · 2025-01-01
Dependent artifacts: $MFT, $UsnJrnl
Reproducibility bundle: Zenodo DOI

Summary

This case models an anti-forensic tactic where Volume Shadow Copies (VSCs) are deleted to eliminate system restore points that could reveal prior system states. The detection identifies when VSS infrastructure files exist in the System Volume Information folder, but the corresponding GUID directories (which contain actual shadow copy data) have been deleted. USN Journal entries confirm the deletion activity.

Scenario Steps

1. Set Up — Launched Windows 10 Pro x64 VM with System Protection and VSS configured. Used wmic shadowcopy call create Volume="C:\" to generate a restore point.

2. Tampering — Deleted all shadow copies with: vssadmin delete shadows /all /quiet

3. Evidence Collection — Extracted $MFT and $UsnJrnl:$J from the NTFS volume.

Ground Truth Criteria

  • $MFT shows VSS infrastructure files exist (tracking.log, IndexerVolumeGuid, _OnDiskSnapshotProp) in System Volume Information
  • $MFT shows GUID directories are missing (no {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} folders)
  • $UsnJrnl shows GUID directory deletions with indicators: FileDelete, FileDeleteClose, DataTruncation

Inconsistency Summary

VSS infrastructure files exist in System Volume Information, indicating VSS was configured. However, the GUID directories that contain actual shadow copy data are missing from MFT. USN Journal confirms these GUID directories were deleted — the attacker deleted recovery points while leaving infrastructure traces behind.

Detection Logic

-- Step 1: Find VSS infrastructure files in MFT
FIND mft_vss WHERE mft_vss.ParentPath CONTAINS 'System Volume Information'
  AND mft_vss.FileName IN ('tracking.log', 'IndexerVolumeGuid', '_OnDiskSnapshotProp')
  RETURN FileName AS vss_infrastructure

-- Step 2: Check if GUID directories exist in MFT
FIND mft_guid WHERE mft_guid.ParentPath CONTAINS 'System Volume Information'
  AND mft_guid.FileName MATCHES GUID pattern
  AND mft_guid.isDirectory = true
  RETURN FileName AS guid_directory

-- Step 3: Find USN evidence of GUID deletion
FIND usn_entries WHERE usn_entries.FileName MATCHES GUID pattern
  AND usn_entries.updateReasons CONTAINS ('FileDelete' OR 'FileDeleteClose' OR 'DataTruncation')
  RETURN FileName AS deleted_guid, updateReasons

-- Detection Rule
IF vss_infrastructure EXISTS IN mft_vss
  AND guid_directory NOT EXISTS IN mft_guid
  AND deleted_guid EXISTS IN usn_entries
THEN FLAG 'AF-004: Volume Shadow Copy Purge Detected'
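The three-step rule above, carried out as an added Python example that is not part of the IoI framework or its rule engine. It correlates constructed $MFT and $UsnJrnl records (field names follow the pseudocode's ParentPath, FileName, isDirectory and updateReasons; the GUID and paths are made-up sample values) and also shows the rotation case the rule must not flag.

```python
import re
from dataclasses import dataclass

# Shadow copy data lives in GUID-named directories; match the braced GUID form
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VSS_INFRA = {"tracking.log", "IndexerVolumeGuid", "_OnDiskSnapshotProp"}
DELETE_REASONS = {"FileDelete", "FileDeleteClose", "DataTruncation"}
SVI = "System Volume Information"


@dataclass
class MftRecord:          # mirrors the rule's ParentPath / FileName / isDirectory
    parent_path: str
    file_name: str
    is_directory: bool


@dataclass
class UsnRecord:          # mirrors the rule's FileName / updateReasons
    file_name: str
    update_reasons: frozenset


def detect_af004(mft, usn):
    """Run steps 1-3 of AF-004; return a finding dict, or None when it does not fire."""
    in_svi = [r for r in mft if SVI in r.parent_path]
    # Step 1: VSS infrastructure files still present under System Volume Information
    infra = sorted(r.file_name for r in in_svi if r.file_name in VSS_INFRA)
    # Step 2: any surviving GUID directory means the copies were not fully purged
    guid_dirs = [r.file_name for r in in_svi if r.is_directory and GUID_RE.match(r.file_name)]
    # Step 3: the change journal records deletion of GUID-named entries
    deleted = {r.file_name: sorted(r.update_reasons & DELETE_REASONS)
               for r in usn if GUID_RE.match(r.file_name) and r.update_reasons & DELETE_REASONS}
    if infra and not guid_dirs and deleted:
        return {"rule": "AF-004: Volume Shadow Copy Purge Detected",
                "vss_infrastructure": infra, "deleted_guid": deleted}
    return None


# Constructed sample records (not from a real image): infrastructure present,
# the GUID directory gone from $MFT, and $UsnJrnl recording its deletion.
GUID = "{1B2C3D4E-0000-1111-2222-333344445555}"
PURGED_MFT = [MftRecord(f"C:\\{SVI}", n, False) for n in VSS_INFRA]
PURGED_USN = [UsnRecord(GUID, frozenset({"FileDelete", "FileDeleteClose"}))]
# Normal shadow copy rotation: one GUID directory was deleted but another remains,
# so step 2 finds a surviving directory and the rule must stay silent.
ROTATED_MFT = PURGED_MFT + [MftRecord(f"C:\\{SVI}", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", True)]

if __name__ == "__main__":
    print(detect_af004(PURGED_MFT, PURGED_USN))   # finding dict
    print(detect_af004(ROTATED_MFT, PURGED_USN))  # None
```

Feeding real parser output means mapping each tool's column names onto MftRecord and UsnRecord; the correlation itself is unchanged.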