Windows
Volume Shadow Copies and Restore
\System Volume Information\
Shadow Copies are exactly those pieces of data that get saved on disk when system restore option is enabled. Once it’s actually triggered, these files are used to restore the system to the previous state. It’s very useful when you are not an expert in PC and something weird is going on. However, not only ordinary people find this feature useful. Some bad guys might try cover their tracks which can sometimes be undone with this feature.
โ ๏ธ This option is turned on by default! However, in case of my Windows 10 VM on Parallels (Windows Insider program for ARM) this option was disabled resulting in the following line:
No items found that satisfy the query.
For my Dell notebook running Windows 10, build 18362 (value from registry,SOFTWARE\Microsoft\Windows NT\CurrentVersion
, valueCurrentBuild
). I had to create the point of restore myself as well, since I didn’t find where I could make it happen on a regular basis.๐งช May be it’s something else?
โ๏ธ After the above steps were followed, PowerShell relaunched, I could finally see the valid output from
vssadmin.exe /for=c:
.
For Windows 7 (3-5%) and for Vista - 15%. For Windows 10 you can adjust this space when turning this feature on. To turn on: Control Panel -> All Control Panel Items -> Recovery
or simply type Recovery in the Start menu search box.
User can set the regularity with which these copies are made: daily/weekly, on every new hardware attached, new installations, manual. There is rollover process for these files to save space. Sometimes these files are kept for years and sometimes deleted soon, first in, first out priority. Some OS versions don’t allow to access previously created points, but still keeps them. Once you have an OS that allow access to these files, you can view them.
From a forensic point of view, these files allow to view the previous versions of OS, recover files (find remnant metadata that can’t be recovered), examine user activity in different time points. Since shadow copies are system files, these are not accessed by wiping software.
Tools ๐ : https://coptr.digipres.org/index.php/Forensic_Acquisition_Utilities
Collection
dd.exe for Windows. There used to be some FAU (Forensic Acquisition Utilities) package, containing dd
, but I could not find it, so I downloaded dd.exe
separately.
To get the list of shadow copies from a PC, run the following built-in utility:
vssadmin list shadows /for=<path_to_drive> # /for=c: for a logial drive
Now, to collect the image with a dd
:
dd.exe if=\\.\HardDiskVolumeShadowCopy1 of=g:\shadow.img # for Windows, using the above mentioned version of dd, we type `if` and `of` instead of `-if` and `-of`.
# what's --localwrt
Better go and have a cup of coffee โ๏ธ since it takes decent amount of time ๐ฐ, tick-tock!
macOS
Backups
/Users/%username%/Library/Application Support/MobileSync/Backup/
iOS
The backups are not encrypted by default, but can be if this option was on during the backup process. If it was encrypted, you’ll need device PIN to unlock it. These backups can be stored in the cloud or locally on the user’s PC.
๐ Tools
iBackupViewer. It’s free to some extent.
Android
Backups are either made automatically or manually with adb backup
. These backups can be stored in the cloud or locally on the user’s PC.
๐ Tools
adb. Used to make a backup.
abc.jar. Used to convert the ab
(adb uses this file format) file into a tar
. Available for free.
References
[1] SDF: Volume Shadow Copies (Udemy course)
Suhanov’s blog: [2] Shadow copies become less visible, [3] Offline shadow copies, [4] Extracting unallocated clusters from a shadow copy, [5] Scoped shadow copies, [6] Things you probably didnโt know about shadow copies