All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 11 posts ] 
Author Message
 Post subject: Recover Data in Backups in System Volume Information Folder
PostPosted: April 19th, 2017, 9:30 
Offline
User avatar

Joined: April 3rd, 2011, 0:19
Posts: 2003
Location: Providence, RI
So I've got a sort of odd case here. OS was over installed wiping out a lot of the file structure. The primary users folder is completely missing, so I'm mostly just finding a million lost folders and raw files. I notice however that the bulk of the data found on the drive is in the "system volume information" folder which contains about 800Gb of backup files. Some of the backup files are from just a few days prior to the over install.

Has anyone had any success in extracting data from these backup files? Any tips you're willing to share? This is the first time I've ever had a reason to attempt this.

_________________
Data Medics - Hard Drive, SSD, and RAID Data Recovery Service Company


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: April 19th, 2017, 11:50 
Offline

Joined: January 17th, 2010, 9:48
Posts: 60
Location: Stoke-on-Trent England
When you say backup files are you looking at shadow copy's and restore points? Also what version of OS was the system running?

_________________
DataWreck Data Recovery Services
www.DataWreck.co.uk


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: April 19th, 2017, 16:00 
Offline
User avatar

Joined: October 21st, 2014, 1:39
Posts: 131
Location: Ellijay, GA
This might help.
Mount the image or drive. I have only used an imaged drive but assume you can do it with a mounted image. I have done this in Windows 7, I only assume it works in 8 and 10. I have never tried it with just the system volume info folder, just a full image or the original HDD.
From an elevated cmd run "VSSAdmin list shadows". You will get a long list of each shadow copy. You can differentiate your machines shadow copies from the other by the Originating Machine field. You probably want to pick the highest number copy.
Example:
Code:
Contents of shadow copy set ID: {89b10c23-8458-490c-9b6c-35c49ef2739f}
   Contained 1 shadow copies at creation time: 12/6/2015 10:54:55 AM
      Shadow Copy ID: {5e965b64-38f9-4649-8979-70600b7e3d6e}
         Original Volume: (L:)\\?\Volume{e8a2defb-1f2f-11e7-af2f-005056c00008}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy42
         Originating Machine: HP-PC
         Service Machine: HP-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Now run mklink so you'll have a symbolic link to the files at C:\test1 (or your preferred location)
example (add a trailing backslash):
Code:
mklink /d c:\test1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy41\

Tip: For windows you remove a symbolic link by deleting it. Mklink is not used for removal.

_________________
Blizzard Data Recovery


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: April 19th, 2017, 16:51 
Offline
User avatar

Joined: April 3rd, 2011, 0:19
Posts: 2003
Location: Providence, RI
Blizzard, YOU ARE THE MAN!!!

That's exactly the sort of tip I was hoping someone would drop. I'm not totally sure it'll work or not either. But, the fact that there's 800Gb in that folder and only about 250Gb outside it makes me think it may contain full image backups. I guess I've just never had to delve this deeply into volume shadow copy backups.

_________________
Data Medics - Hard Drive, SSD, and RAID Data Recovery Service Company


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: April 19th, 2017, 16:58 
Offline
User avatar

Joined: October 21st, 2014, 1:39
Posts: 131
Location: Ellijay, GA
I hope it gets you what you need. I only wish R-Studio could access the sym link so you wouldn't have to change permissions on the user's folders. If you are using an image it shouldn't matter though, it's just a pain. If you run in to a snag PM me on your forum.

_________________
Blizzard Data Recovery


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: April 19th, 2017, 19:21 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
http://www.forensicexplorer.com/shadow-copy.php
http://journeyintoir.blogspot.com.au/20 ... opies.html

I think it was Harlan Carvey that wrote a tool to really get into VSS's


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: February 12th, 2024, 6:41 
Offline

Joined: February 11th, 2024, 15:10
Posts: 3
Location: Ukraine
Hi, how do extract files from foreign folder System Volume Information ?
Is it possible?


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: February 12th, 2024, 10:04 
Offline

Joined: February 22nd, 2023, 13:49
Posts: 65
Location: Eastern Europe
Adminny wrote:
Hi, how do extract files from foreign folder System Volume Information ?

You need to assign yourself access rights to this folder. :)
By default, there are rights only for the system.


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: February 12th, 2024, 12:19 
Offline

Joined: February 11th, 2024, 15:10
Posts: 3
Location: Ukraine
SWM wrote:
Adminny wrote:
Hi, how do extract files from foreign folder System Volume Information ?

You need to assign yourself access rights to this folder. :)
By default, there are rights only for the system.


I'm already have full access.
So I have folder with files:
Code:
<DIR>          Chkdsk
             0 MountPointManagerRemoteDatabase
<DIR>          SPP
    16 777 216 Syscache.hve
       262 144 Syscache.hve.LOG1
             0 Syscache.hve.LOG2
        20 480 tracking.log
<DIR>          Windows Backup
<DIR>          WindowsImageBackup
4 656 984 064 {0691bc91-b8f7-11ed-a2af-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
   838 860 800 {1fa7217b-4997-11ee-a298-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
        65 536 {3808876b-c176-4e48-b7ae-04046e6cc752}
1 906 429 952 {591acf2d-b35a-11ec-b853-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
2 247 938 048 {691e49e5-3e8c-11ee-bd27-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
6 293 544 960 {d68e05ee-381a-11ee-a86a-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}


All vss utilities work only with System Volume Information Folder related to current OS.
ShadowExplorer, ShadowCopyView, VSC Toolset, Z-VSScopy.
But they don't work with any folder I specify.
For example D:\Test\System Volume Information


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: February 14th, 2024, 13:55 
Offline
User avatar

Joined: March 15th, 2017, 10:25
Posts: 65
Location: Berlin
Did you do full File System Analyze via PC3K?

Normally it sort the data of those copys in a seperate virtual drive after scan?!


Top
 Profile  
 
 Post subject: Re: Recover Data in Backups in System Volume Information Fol
PostPosted: February 15th, 2024, 10:21 
Offline

Joined: February 11th, 2024, 15:10
Posts: 3
Location: Ukraine
crashpcberlin wrote:
Did you do full File System Analyze via PC3K?

Normally it sort the data of those copys in a seperate virtual drive after scan?!


Just copied that folder.
There are no damaged files.
Need to extract data.
Image


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 75 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group