All times are UTC - 5 hours [ DST ]
 Post subject: Undeleted Shadow Copies
PostPosted: May 30th, 2017, 6:20 
Joined: May 30th, 2017, 6:06
Posts: 2
Location: Reality
Hello guys,

My Windows is telling me that for a specific volume I have exactly one shadow copy. It can be found in the folder System Volume Information of the volume, in this form:

{dac4924d-3ca1-11e7-9be0-cc88a4ca0b0c}{3808876b-c176-4e48-b7ae-04046e6cc752}

But what I need desperately are the shadow copies from before. And I need them so desperately that I restored them with an undelete program, from the folder System Volume Information. No clusters had been overwritten yet. I recovered the last 10 or so, just in case, you know.

But I have absolutely no clue though if that was useful at all. I did some reading on mounting shadow copies, but it's always about mounting via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\. I found something about mounting a .raw file in Linux though.

Of course my files aren't addressable like that, since they're in the format described above in some random folder and not "in the system". And also after recovering, the program said that they had only been partly recovered.

Is there any possibility somehow to still access the content of those files? Would that even get me anywhere, or is there just something in them that points to something else that maybe isn't even there anymore? I don't know anything about this!

It would be awesome if you guys could help me!

Many kind regards,
hhtech

 Post subject: Re: Undeleted Shadow Copies
PostPosted: May 30th, 2017, 8:15 
Joined: December 4th, 2012, 1:35
Posts: 2893
Location: Adelaide, Australia
http://journeyintoir.blogspot.com.au/2012/01/ripping-volume-shadow-copies.html

http://www.forensicexplorer.com/shadow-copy.php


http://www.shadowexplorer.com/
https://www.bleepingcomputer.com/download/shadowexplorer/

You MUST listen to this if you are interested in shadow copies:
http://cyberspeak.libsyn.com/cyber-speak-may-7-2012-volume-shadow-copies

You don't mention what you did after that, or what search results you had that were/were not helpful. I would start here.

 Post subject: Re: Undeleted Shadow Copies
PostPosted: May 30th, 2017, 9:46 
Joined: May 30th, 2017, 6:06
Posts: 2
Location: Reality
Hello HaQue! :)

Thank you a lot for your reply and your links. I am gonna listen to the last link later.

I already tried Shadow explorer. I think I need to explain my problem better.

Since there is only one shadow copy available in the system, listing all available shadow copies with
Code:
vssadmin list shadows
results in this:

[image: screenshot of vssadmin output]

In Shadow Explorer only this shadow copy is visible:

[image: screenshot of ShadowExplorer]

To my knowledge the shadow copies are stored in the System Volume Information folder of the specific drive. Accordingly the one seen above is stored in the System Volume Information folder of T:, in the format mentioned in my first post.

All shadow copies before the date of the last one (05/23) have been deleted and then recovered from the System Volume Information folder of T: using Recuva. They are now stored in a folder created by me on some other drive. They also look like this:
{dac4924d-3ca1-11e7-9be0-cc88a4ca0b0c}{3808876b-c176-4e48-b7ae-04046e6cc752}

The system logically doesn't recognize them as valid shadow copies of T:, since they are not stored in the System Volume Information folder and are not listed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ etc., and whatever background stuff is still necessary for them to show up. So I can't mount them using mklink, to my knowledge. Then again I don't know what "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\" actually is and if I can make it myself for a shadow copy file restored from the System Volume Information folder.

I would have to directly access the files somehow. Also, as I've said, Recuva said they weren't fully recovered. Some of them are even up to 2.5GB big though, so there must be something in them.
I just don't know whether it's still accessible at all now or not (since they have only been partly recovered), and if it's still accessible, how I can do it.

I'll look into the forensics tool you provided, but I hope I have made it clear now that the shadow copies I have are restored, incomplete versions that are not recognized as shadow copies by the system, because they were deleted out of the "shadow copy system" and the System Volume Information folder when the one available now was created.

Thanks again,
hhtech
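As an added example that is not part of the thread: the "mount via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\" technique the posters refer to is just a directory symlink to the DeviceObject that Windows reports for a registered shadow copy. The script below (run from an elevated PowerShell; the T: drive letter and C:\vss_mount link path are assumptions) enumerates the copies the VSS service knows about for a volume and links the oldest one for read-only browsing. It will list exactly what vssadmin lists, which illustrates the poster's limitation: store files copied out of System Volume Information by an undelete tool are not registered and so never appear here.

```powershell
# Added example: enumerate the shadow copies Windows still recognises for a volume
# and expose one of them as a directory symlink so its contents can be browsed.
# Assumptions: drive letter T: (from the thread) and link path C:\vss_mount.
param(
    [string]$DriveLetter = 'T:',
    [string]$LinkPath    = 'C:\vss_mount'
)

# Map the drive letter to the \\?\Volume{GUID}\ name that Win32_ShadowCopy uses
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "No volume with drive letter $DriveLetter" }

# Only copies registered with the VSS service appear here. Store files recovered from
# System Volume Information with an undelete tool (as in the thread) are not registered.
$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

if (-not $copies) {
    Write-Host "No registered shadow copies for $DriveLetter (compare: vssadmin list shadows)"
    return
}

# Same information vssadmin shows: copy ID, creation time and the GLOBALROOT device path
$copies | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Link the oldest copy. The trailing backslash on the device path is required for the
# symlink to resolve; mklink is a cmd.exe built-in, hence the cmd /c wrapper.
$target = $copies[0].DeviceObject + '\'
if (Test-Path $LinkPath) { throw "$LinkPath already exists; remove it or choose another path" }
cmd /c mklink /d $LinkPath $target | Out-Null
Write-Host "Read-only view of the $($copies[0].InstallDate) copy is at $LinkPath"
Write-Host "Remove the link afterwards with: rmdir $LinkPath (this does not touch the copy)"
```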
