
๐Ÿบ Backups

Created: 01.06.2023

Volume Shadow Copies and Restore

\System Volume Information\

Shadow Copies are the point-in-time snapshots of a volume that the Volume Shadow Copy Service (VSS) writes to disk; System Restore uses them for its restore points, and they live under \System Volume Information\. When a restore is triggered, these snapshots are used to roll the system back to a previous state. That is very useful when you are not a PC expert and something weird is going on. Ordinary users are not the only ones who benefit, though: an attacker who cleans up after himself may well have left the pre-cleanup state sitting in a shadow copy, so the cleanup can sometimes be undone with this feature.

โš ๏ธ This option is turned on by default! However, in case of my Windows 10 VM on Parallels (Windows Insider program for ARM) this option was disabled resulting in the following line: No items found that satisfy the query. For my Dell notebook running Windows 10, build 18362 (value from registry, SOFTWARE\Microsoft\Windows NT\CurrentVersion, value CurrentBuild). I had to create the point of restore myself as well, since I didn’t find where I could make it happen on a regular basis.

🧪 Maybe it's something else?

โœ๏ธ After the above steps were followed, PowerShell relaunched, I could finally see the valid output from vssadmin.exe /for=c:.

The disk space reserved for shadow copies is 3-5% of the volume on Windows 7 and 15% on Vista. On Windows 10 you set this space yourself when turning the feature on. To turn it on: Control Panel -> All Control Panel Items -> Recovery -> Configure System Restore, or simply type Recovery into the Start menu search box.

The user can influence how regularly these copies are made: on a daily/weekly schedule, whenever new hardware (drivers) is attached, before new installations, or manually. There is a rollover process for these files to save space: sometimes they are kept for years and sometimes deleted soon, on a first in, first out basis, with the oldest copy purged once the reserved space is full. Some OS versions don't let you browse previously created points but still keep them on disk. Once you are on an OS that allows access to these files, you can view them.
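The whole procedure above (turn the feature on, cap its space, create a point by hand, and see what exists) as an added PowerShell example; this is not code from the original notes. The 10% cap and the restore-point description are assumptions, and the `*-ComputerRestore` cmdlets and `vssadmin` need an elevated prompt:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): enable System Protection on C:,
# cap the shadow storage, create a restore point, and list what exists.

$drive = 'C:\'

# 1. Turn the feature on for the drive (same as Control Panel -> Recovery ->
#    Configure System Restore -> Turn on system protection).
Enable-ComputerRestore -Drive $drive

# 2. Cap the space shadow copies may use. 10% is an assumed value; on Windows 10
#    you choose it freely, and the oldest copies are purged once the cap is hit.
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%

# 3. Create a restore point by hand. Windows rate-limits this: a second call
#    within 24 hours is skipped unless SystemRestorePointCreationFrequency
#    (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore) is lowered.
Checkpoint-Computer -Description 'Manual baseline before analysis' -RestorePointType MODIFY_SETTINGS

# 4. The restore points as System Restore sees them ...
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description, RestorePointType

# 5. ... and the underlying shadow copies as VSS sees them. DeviceObject is the
#    path you later image or mount; InstallDate is the point in time each one holds.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, @{n='Created'; e={ $_.InstallDate }}, VolumeName, DeviceObject |
    Format-Table -AutoSize

# The same list from the built-in CLI the notes use:
vssadmin list shadows /for=C:
```

If step 5 prints nothing while step 4 shows restore points, the copies were created but the service is not exposing them to the current session; relaunching the elevated shell, as noted above, is the first thing to try.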

From a forensic point of view, these snapshots let you view previous versions of the OS, recover files and earlier versions of files (including remnants and metadata that can no longer be recovered from the live volume), and examine user activity at different points in time. Since shadow copies are system-managed data rather than ordinary files, file-level wiping software typically leaves them untouched, so what the attacker wiped from the live file system may survive in a copy.

Tools 🛠: https://coptr.digipres.org/index.php/Forensic_Acquisition_Utilities

Collection

dd.exe for Windows. There used to be a FAU (Forensic Acquisition Utilities) package containing dd, but I could not find it, so I downloaded dd.exe separately.

To get the list of shadow copies on a PC, run the following built-in utility from an elevated prompt (it silently returns nothing useful otherwise):

vssadmin list shadows /for=<path_to_drive> # /for=c: for a logical drive

Now, to collect the image with dd, using the Shadow Copy Volume name from the vssadmin output (note the spelling: Harddisk with a lower-case d):

dd.exe if=\\.\HarddiskVolumeShadowCopy1 of=g:\shadow.img --localwrt # for Windows, using the above mentioned version of dd, we type `if` and `of` instead of `-if` and `-of`.

--localwrt is an FAU dd option: by default that dd refuses to write its output to a local fixed disk so that it cannot trample evidence, and the flag lifts that restriction. Pick an output drive that is not the one you are examining.

Better go and have a cup of coffee ☕️ since it takes a decent amount of time 🕰, tick-tock!
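A full image is the clean option, but often you only need a handful of artefacts from a point in time. The added example below (not code from the original notes) picks the newest shadow copy of C:, exposes it through a symbolic link, copies out event logs, Prefetch and the SYSTEM hive (which are locked on the live volume but not in the snapshot), hashes everything, and ends with the dd.exe call for the full image. The paths under Tools\ and G:\ and the artefact list are assumptions for the example:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): collect artefacts from a shadow copy.

$dd      = "$env:USERPROFILE\Tools\dd.exe"   # assumed location of the FAU-style dd.exe
$outDir  = 'G:\vss_export'                   # assumed collection drive, not the evidence disk
$linkDir = 'C:\vss_mount'

# Resolve C: to its volume GUID path and pick the newest shadow copy for it.
$volId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$sc = Get-CimInstance Win32_ShadowCopy |
      Where-Object { $_.VolumeName -eq $volId } |
      Sort-Object InstallDate -Descending |
      Select-Object -First 1
if (-not $sc) { throw 'No shadow copy found for C: (is System Protection enabled?)' }
"Using $($sc.DeviceObject) created $($sc.InstallDate)"

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1.
# The trailing backslash on the link target is required, or the link will not browse.
New-Item -ItemType SymbolicLink -Path $linkDir -Target "$($sc.DeviceObject)\" | Out-Null
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Artefacts worth pulling from an earlier point in time (constructed list; extend as needed).
$artefacts = @(
    'Windows\System32\winevt\Logs\Security.evtx',
    'Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx',
    'Windows\Prefetch',
    'Windows\System32\config\SYSTEM'
)
foreach ($a in $artefacts) {
    $src = Join-Path $linkDir $a
    if (Test-Path $src) { Copy-Item $src -Destination $outDir -Recurse -Force }
}

# Hash what was copied so each file can be tied back to this shadow copy later.
Get-ChildItem $outDir -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $outDir 'hashes.csv') -NoTypeInformation

# Directory symlinks are safest removed with rmdir; Remove-Item may recurse into the target.
cmd /c rmdir $linkDir

# Full image of the same shadow copy with dd.exe (slow; this is the coffee break).
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN becomes \\.\HarddiskVolumeShadowCopyN.
$dev = $sc.DeviceObject -replace '^\\\\\?\\GLOBALROOT\\Device\\', '\\.\'
& $dd "if=$dev" "of=$outDir\shadow.img" --localwrt
```

Compare the hashes.csv of an older copy against the live files to spot what was altered or removed in between; a Security.evtx in the snapshot that is larger than the live one is the classic sign of cleared logs.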
