
Undeleted Shadow Copies

May 30th, 2017, 6:20

Hello guys,

My Windows is telling me that for a specific volume I have exactly one shadow copy. It can be found in the folder System Volume Information of the volume, in this form:


But what I need desperately are the shadow copies from before. And I need them so desperately that I restored them with an undelete program, from the folder System Volume Information. No clusters had been overwritten yet. I recovered the last 10 or so, just in case, you know. :mrgreen:

But I have absolutely no clue though if that was useful at all. :? I did some reading on mounting shadow copies, but it's always about mounting via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\. I found something about mounting a .raw file in Linux though.

Of course my files aren't addressable like that, since they're in the format described above in some random folder and not "in the system". And also after recovering, the program said that they had only been partly recovered.

Is there any possibility somehow to still access the content of those files? Would that even get me anywhere, or is there just something in them that points to something else that maybe isn't even there anymore? I don't know anything about this!

It would be awesome if you guys could help me! :D

Many kind regards,

Re: Undeleted Shadow Copies

May 30th, 2017, 8:15




You MUST listen to this if you are interested in shadow copies:

You don't mention what you did after that, or what search results you had that were/were not helpful. I would start here..

Re: Undeleted Shadow Copies

May 30th, 2017, 9:46

Hello HaQue! :)

Thank you a lot for your reply and your links. I am gonna listen to the last link later.

I already tried Shadow Explorer. I think I need to explain my problem better.

Since there is only one shadow copy available in the system, listing all available shadow copies with
vssadmin list shadows
results in this:


In Shadow Explorer only this shadow copy is visible:


To my knowledge the shadow copies are stored in the System Volume Information folder of the specific drive. Accordingly the one seen above is stored in the System Volume Information folder of T:, in the format mentioned in my first post.

All shadow copies before the date of the last one (05/23) have been deleted and then recovered from the System Volume Information folder of T: using Recuva. They are now stored in a folder created by me on some other drive. They also look like this:

The system logically doesn't recognize them as valid shadow copies of T:, since they are not stored in the System Volume Information folder and are not listed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ etc., and whatever background stuff is still necessary for them to show up. So I can't mount them using mklink, to my knowledge. Then again I don't know what "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\" actually is and if I can make it myself for a shadow copy file restored from the System Volume Information folder.

I would have to directly access the files somehow. Also, as I've said, Recuva said they weren't fully recovered. Some of them are even up to 2.5GB big though, so there must be something in them. :mrgreen:
I just don't know whether it's still accessible at all now or not (since they have only been partly recovered), and if it's still accessible, how I can do it.

I'll look into the forensics tool you provided, but I hope I have made it clear now that the shadow copies I have are restored, incomplete versions that are not recognized as shadow copies by the system, because they were deleted out of the "shadow copy system" and the System Volume Information folder when the one available now was created.

Thanks again,
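For readers who land on this thread looking for the \\?\GLOBALROOT mounting step that both posts mention, here is an added example (not from either poster) that lists the shadow copies VSS still knows about and exposes the newest one as a directory symlink with mklink, the way Shadow Explorer does internally. It assumes an elevated PowerShell prompt and a mount-point path of my choosing ($MountPoint is a constructed value). As the thread already notes, this only works for copies still registered with VSS; files carved back out of System Volume Information are not reachable through this path.

```powershell
# Added example, not the thread's own code. Run from an elevated PowerShell prompt.
# $MountPoint is a constructed path; it must not exist yet, because mklink creates it.
$MountPoint = 'C:\ShadowMount'

# vssadmin (the tool used in the thread) prints one block per copy, each containing a line
#   Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
# Pull out just those device paths, in the order vssadmin lists them (oldest first).
$devices = vssadmin list shadows |
    Select-String 'Shadow Copy Volume: (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $devices) {
    Write-Host 'VSS reports no shadow copies; recovered files from System Volume Information do not show up here.'
    return
}

# Expose the most recent copy read-only through a directory symlink.
# mklink needs the trailing backslash on the device path or the link will not resolve.
$target = $devices[-1] + '\'
cmd /c mklink /d $MountPoint $target

# Browse $MountPoint like a normal folder, then remove only the link when done.
# rmdir on a symlink deletes the link, not the shadow copy behind it.
# cmd /c rmdir $MountPoint
```

If you need a specific copy rather than the newest, match on the "Creation Time" line in the same vssadmin output and pick the corresponding device path instead of $devices[-1].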