All times are UTC - 5 hours [ DST ]




 Post subject: Recover Data in Backups in System Volume Information Folder
Posted: April 19th, 2017, 9:30

Joined: April 3rd, 2011, 0:19
Posts: 1554
Location: Providence, RI
So I've got a sort of odd case here. OS was over installed wiping out a lot of the file structure. The primary users folder is completely missing, so I'm mostly just finding a million lost folders and raw files. I notice however that the bulk of the data found on the drive is in the "system volume information" folder which contains about 800Gb of backup files. Some of the backup files are from just a few days prior to the over install.

Has anyone had any success in extracting data from these backup files? Any tips you're willing to share? This is the first time I've ever had a reason to attempt this.

_________________
Hard Drive & RAID Data Recovery Services
https://www.data-medics.com/raid-data-recovery/


 Post subject: Re: Recover Data in Backups in System Volume Information Fol
Posted: April 19th, 2017, 11:50

Joined: January 17th, 2010, 9:48
Posts: 60
Location: Stoke-on-Trent England
When you say backup files, are you looking at shadow copies and restore points? Also, what version of OS was the system running?

_________________
DataWreck Data Recovery Services
www.DataWreck.co.uk


 Post subject: Re: Recover Data in Backups in System Volume Information Fol
Posted: April 19th, 2017, 16:00

Joined: October 21st, 2014, 1:39
Posts: 42
Location: Ellijay, GA
This might help.
Mount the image or drive. I have only used an imaged drive but assume you can do it with a mounted image. I have done this in Windows 7, I only assume it works in 8 and 10. I have never tried it with just the system volume info folder, just a full image or the original HDD.
From an elevated cmd run "VSSAdmin list shadows". You will get a long list of each shadow copy. You can differentiate your machine's shadow copies from the others by the Originating Machine field. You probably want to pick the highest-numbered copy.
Example:
Code:
Contents of shadow copy set ID: {89b10c23-8458-490c-9b6c-35c49ef2739f}
   Contained 1 shadow copies at creation time: 12/6/2015 10:54:55 AM
      Shadow Copy ID: {5e965b64-38f9-4649-8979-70600b7e3d6e}
         Original Volume: (L:)\\?\Volume{e8a2defb-1f2f-11e7-af2f-005056c00008}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy42
         Originating Machine: HP-PC
         Service Machine: HP-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Now run mklink so you'll have a symbolic link to the files at C:\test1 (or your preferred location)
example (add a trailing backslash):
Code:
mklink /d c:\test1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy41\

Tip: In Windows you remove a symbolic link by deleting it. Mklink is not used for removal.

_________________
Blizzard Data Recovery
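
Added example, not part of the original post or any poster's code: a Python sketch of the selection step described above, parsing `vssadmin list shadows` output, keeping only copies from the recovered machine, and building the `mklink` line for the highest-numbered one. Only the first sample entry comes from the post; the other two entries, the machine name LAB-PC and all function names are constructed for illustration.

```python
import re

# Constructed sample of `vssadmin list shadows` output. The first entry is the
# one quoted in the post; LAB-PC and the ShadowCopy41 entry are made up.
SAMPLE = r"""
Contents of shadow copy set ID: {89b10c23-8458-490c-9b6c-35c49ef2739f}
   Contained 1 shadow copies at creation time: 12/6/2015 10:54:55 AM
      Shadow Copy ID: {5e965b64-38f9-4649-8979-70600b7e3d6e}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy42
         Originating Machine: HP-PC
Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000a1}
   Contained 1 shadow copies at creation time: 4/18/2017 9:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a2}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy57
         Originating Machine: LAB-PC
Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000b1}
   Contained 1 shadow copies at creation time: 11/29/2015 8:12:03 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000b2}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy41
         Originating Machine: HP-PC
"""

FIELD = re.compile(r"^\s*(Shadow Copy ID|Shadow Copy Volume|Originating Machine):\s*(.+?)\s*$")

def parse_shadows(text):
    """Return one dict per shadow copy with its id, volume and machine."""
    shadows = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Shadow Copy ID":
            shadows.append({"id": value})   # each copy starts at its ID line
        elif shadows:
            shadows[-1][key] = value
    return shadows

def device_number(shadow):
    m = re.search(r"HarddiskVolumeShadowCopy(\d+)$", shadow.get("Shadow Copy Volume", ""))
    return int(m.group(1)) if m else -1

def pick_latest(shadows, machine):
    """The post's heuristic: highest-numbered copy from the given machine."""
    mine = [s for s in shadows if s.get("Originating Machine", "").lower() == machine.lower()]
    return max(mine, key=device_number, default=None)

def mklink_command(shadow, link=r"c:\test1"):
    # The trailing backslash on the target is required, as the post notes.
    return "mklink /d " + link + " " + shadow["Shadow Copy Volume"] + "\\"
```

In the sample, the examiner workstation's copy (57) has the highest number overall, which is why the Originating Machine filter has to run before the highest-number pick.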


 Post subject: Re: Recover Data in Backups in System Volume Information Fol
Posted: April 19th, 2017, 16:51

Joined: April 3rd, 2011, 0:19
Posts: 1554
Location: Providence, RI
Blizzard, YOU ARE THE MAN!!!

That's exactly the sort of tip I was hoping someone would drop. I'm not totally sure it'll work or not either. But, the fact that there's 800Gb in that folder and only about 250Gb outside it makes me think it may contain full image backups. I guess I've just never had to delve this deeply into volume shadow copy backups.

_________________
Hard Drive & RAID Data Recovery Services
https://www.data-medics.com/raid-data-recovery/


 Post subject: Re: Recover Data in Backups in System Volume Information Fol
Posted: April 19th, 2017, 16:58

Joined: October 21st, 2014, 1:39
Posts: 42
Location: Ellijay, GA
I hope it gets you what you need. I only wish R-Studio could access the sym link so you wouldn't have to change permissions on the user's folders. If you are using an image it shouldn't matter though, it's just a pain. If you run into a snag, PM me on your forum.

_________________
Blizzard Data Recovery


 Post subject: Re: Recover Data in Backups in System Volume Information Fol
Posted: April 19th, 2017, 19:21

Joined: December 4th, 2012, 1:35
Posts: 2839
Location: Adelaide, Australia
http://www.forensicexplorer.com/shadow-copy.php
http://journeyintoir.blogspot.com.au/20 ... opies.html

I think it was Harlan Carvey that wrote a tool to really get into VSS's

