
Process that writes on Shadow Copy space

Any idea for creating a query in order to extract a list of processes that write on Shadow copy space during a specified interval of time? Thank you

  • You can modify the time setting from a hardcoded 1 day back from now to using a Begin and End date variable.

    You can also narrow this down with a GROUP BY Process_Pathname so that each process is only shown once.

  • So we have a few things we can do.

    If you just want to list the contents of the Shadow copy location (C:\System Volume Information):

    SELECT * FROM File WHERE path LIKE 'C:\System Volume Information\%%'

    If interested in any process that has been interacting with the shadow copy location:

    SELECT 
       datetime(sfj.time,'unixepoch') Date_Time,
       (SELECT spj.pathname FROM sophos_process_Journal spj WHERE spj.sophosPID = sfj.sophosPID ) Process_Pathname,
       sfj.subject,
       CASE sfj.eventType
          WHEN 0 THEN 'created'
          WHEN 1 THEN 'renamed'
          WHEN 2 THEN 'deleted'
          WHEN 3 THEN 'modified'
          WHEN 4 THEN 'hardLinkCreated'
          WHEN 5 THEN 'timestampsModified'
          WHEN 6 THEN 'permissionsModified'
          WHEN 7 THEN 'ownershipModified'
          WHEN 8 THEN 'accessed'
          WHEN 9 THEN 'binaryFileMapped'
          ELSE 'UNKNOWN: ' || CAST (sfj.eventType AS TEXT)
       END EventType,
       sfj.pathname File_Pathname,
       sfj.filesize
    FROM sophos_file_journal sfj 
    WHERE sfj.pathname LIKE 'C:\System Volume Information\%%' AND
       sfj.time > strftime('%s','now','-1 days')

    If just looking for processes that have been writing to the location...

    SELECT 
       datetime(sfj.time,'unixepoch') Date_Time,
       (SELECT spj.pathname FROM sophos_process_Journal spj WHERE spj.sophosPID = sfj.sophosPID ) Process_Pathname,
       sfj.subject,
       CASE sfj.eventType
          WHEN 0 THEN 'created'
          WHEN 1 THEN 'renamed'
          WHEN 2 THEN 'deleted'
          WHEN 3 THEN 'modified'
          WHEN 4 THEN 'hardLinkCreated'
          WHEN 5 THEN 'timestampsModified'
          WHEN 6 THEN 'permissionsModified'
          WHEN 7 THEN 'ownershipModified'
          WHEN 8 THEN 'accessed'
          WHEN 9 THEN 'binaryFileMapped'
          ELSE 'UNKNOWN: ' || CAST (sfj.eventType AS TEXT)
       END EventType,
       sfj.pathname File_Pathname,
       sfj.filesize
    FROM sophos_file_journal sfj 
    WHERE sfj.pathname LIKE 'C:\System Volume Information\%%' AND
       sfj.time > strftime('%s','now','-1 days') AND
       sfj.subject IN ('FileBinaryChanges', 'FileDataChanges', 'FileOtherChanges')
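
An added example, not part of the original replies, combining the two suggestions above: the write-only query restricted to an explicit begin/end interval and grouped so that each process appears once. The two timestamps are constructed placeholders (interpreted as UTC), and the Write_Events, First_Seen and Last_Seen column aliases are names chosen for this example.

```sql
-- One row per process that wrote under the shadow copy location
-- during a fixed interval, with an event count and first/last time seen.
-- The begin/end timestamps are constructed placeholders: replace them
-- with your own interval (or your query tool's begin/end variables).
SELECT
   (SELECT spj.pathname FROM sophos_process_journal spj
     WHERE spj.sophosPID = sfj.sophosPID) Process_Pathname,
   COUNT(*) Write_Events,
   datetime(MIN(sfj.time),'unixepoch') First_Seen,
   datetime(MAX(sfj.time),'unixepoch') Last_Seen
FROM sophos_file_journal sfj
WHERE sfj.pathname LIKE 'C:\System Volume Information\%%' AND
   -- interval start (inclusive) and end (exclusive), as Unix epoch seconds
   sfj.time >= strftime('%s','2024-01-01 00:00:00') AND
   sfj.time <  strftime('%s','2024-01-02 00:00:00') AND
   -- same write-type subjects as the query above
   sfj.subject IN ('FileBinaryChanges', 'FileDataChanges', 'FileOtherChanges')
GROUP BY Process_Pathname
ORDER BY Write_Events DESC
```

Sorting by event count puts the heaviest writers first; a process that shows up here but is not part of the Volume Shadow Copy service or a known backup product is the one to review.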