Hello HaQue!
Thank you a lot for your reply and your links. I am gonna listen to the last link later.
I already tried Shadow explorer. I think I need to explain my problem better.
Since there is only one shadow copy available in the sytem, listing all available shadow copies with
Code:
vssadmin list shadows
results in this:
In Shadow Explorer only this shadow copy is visible:
To my knowledge the shadow copies are stored in the System Volume Information folder of the specific drive. Accordingly the one seen above is stored in the System Volume Information folder of T:, in the format mentioned in my first post.
All shadow copies before the date of the last one (05/23) have been deleted and then recovered from the System Volume Information folder of T: using Recuva. They are now stored in a folder created by me on some other drive. They also look like this:
{dac4924d-3ca1-11e7-9be0-cc88a4ca0b0c}{3808876b-c176-4e48-b7ae-04046e6cc752}
The system logically doesn't recognize them as valid shadow copies of T:, since they are not stored in the System Volume Information folder and are not listed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ etc., and whatever background stuff is still necessary for them to show up. So I can't mount them using mklink, to my knowledge. Then again I don't know what "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\" actually is and if I can make it myself for a shadow copy file restored from the System Volume Information folder.
I would have to directly access the files somehow. Also as I've said Recuva said they weren't fully recovered. Some of them are even up to 2.5GB big though, so there must be something in them.
I just don't know whether it's still accessable at all now or not (since they have only been partly recovered), and if it's still accessable, how I can do it.
I'll look into the forensics tool you provided, but I hope I have made it clear now that the shadow copies I have are restored, incomplete versions that are not recognized as shadow copies by the system, because they were deleted out of the "shadow copy system" and the System Volume Information folder when the one available now was created.
Thanks again,
hhtech