Recover Data in Backups in System Volume Information Folder

[data-medics]

So I've got a sort of odd case here. OS was over installed wiping out a lot of the file structure. The primary users folder is completely missing, so I'm mostly just finding a million lost folders and raw files. I notice however that the bulk of the data found on the drive is in the "system volume information" folder which contains about 800Gb of backup files. Some of the backup files are from just a few days prior to the over install.

Has anyone had any success in extracting data from these backup files? Any tips you're willing to share? This is the first time I've ever had a reason to attempt this.

[DataWreck]

When you say backup files are you looking at shadow copy's and restore points? Also what version of OS was the system running?

[Blizzard]

This might help.
Mount the image or drive. I have only used an imaged drive but assume you can do it with a mounted image. I have done this in Windows 7, I only assume it works in 8 and 10. I have never tried it with just the system volume info folder, just a full image or the original HDD.
From an elevated cmd run "VSSAdmin list shadows". You will get a long list of each shadow copy. You can differentiate your machines shadow copies from the other by the Originating Machine field. You probably want to pick the highest number copy.
Example:

Code:

Contents of shadow copy set ID: {89b10c23-8458-490c-9b6c-35c49ef2739f}
   Contained 1 shadow copies at creation time: 12/6/2015 10:54:55 AM
      Shadow Copy ID: {5e965b64-38f9-4649-8979-70600b7e3d6e}
         Original Volume: (L:)\\?\Volume{e8a2defb-1f2f-11e7-af2f-005056c00008}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy42
         Originating Machine: HP-PC
         Service Machine: HP-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Now run mklink so you'll have a symbolic link to the files at C:\test1 (or your preferred location)
example (add a trailing backslash):

Code:

mklink /d c:\test1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy41\

Tip: For windows you remove a symbolic link by deleting it. Mklink is not used for removal.

[data-medics]

Blizzard, YOU ARE THE MAN!!!

That's exactly the sort of tip I was hoping someone would drop. I'm not totally sure it'll work or not either. But, the fact that there's 800Gb in that folder and only about 250Gb outside it makes me think it may contain full image backups. I guess I've just never had to delve this deeply into volume shadow copy backups.

[Blizzard]

I hope it gets you what you need. I only wish R-Studio could access the sym link so you wouldn't have to change permissions on the user's folders. If you are using an image it shouldn't matter though, it's just a pain. If you run in to a snag PM me on your forum.

[HaQue]

http://www.forensicexplorer.com/shadow-copy.php
http://journeyintoir.blogspot.com.au/20 ... opies.html

I think it was Harlan Carvey that wrote a tool to really get into VSS's

[Adminny]

Hi, how do extract files from foreign folder System Volume Information ?
Is it possible?

[SWM]

Hi, how do extract files from foreign folder System Volume Information ?

You need to assign yourself access rights to this folder.
By default, there are rights only for the system.

[Adminny]

Hi, how do extract files from foreign folder System Volume Information ?

You need to assign yourself access rights to this folder.
By default, there are rights only for the system.

I'm already have full access.
So I have folder with files:

Code:

<DIR>          Chkdsk
             0 MountPointManagerRemoteDatabase
<DIR>          SPP
    16 777 216 Syscache.hve
       262 144 Syscache.hve.LOG1
             0 Syscache.hve.LOG2
        20 480 tracking.log
<DIR>          Windows Backup
<DIR>          WindowsImageBackup
4 656 984 064 {0691bc91-b8f7-11ed-a2af-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
   838 860 800 {1fa7217b-4997-11ee-a298-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
        65 536 {3808876b-c176-4e48-b7ae-04046e6cc752}
1 906 429 952 {591acf2d-b35a-11ec-b853-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
2 247 938 048 {691e49e5-3e8c-11ee-bd27-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}
6 293 544 960 {d68e05ee-381a-11ee-a86a-74f06db15165}{3808876b-c176-4e48-b7ae-04046e6cc752}

All vss utilities work only with System Volume Information Folder related to current OS.
ShadowExplorer, ShadowCopyView, VSC Toolset, Z-VSScopy.
But they don't work with any folder I specify.
For example D:\Test\System Volume Information

[crashpcberlin]

Did you do full File System Analyze via PC3K?

Normally it sort the data of those copys in a seperate virtual drive after scan?!

[Adminny]

Did you do full File System Analyze via PC3K?

Normally it sort the data of those copys in a seperate virtual drive after scan?!

Just copied that folder.
There are no damaged files.
Need to extract data.