Overview
In case of data loss, it is good practice to restore a tested backup. Sometimes, such a functioning backup is not available. This document intends to collect alternative ways to at least partially restore lost data from the source disk.
Disclaimer: In case data is lost or damaged it is highly recommended to work on a copy of the data and not on the original disk. Please see our document about acquisition first (TR-30).
Volume Shadow Copies
On Windows operating systems Volume Shadow Copies are created by the operating system (as long as the Windows version is recent and the functionality is not turned off). Volume Shadow Copies are copies of files on the file system.
Operating systems: - Windows starting at Windows XP SP2 (not persistent after reboot) - All other Windows versions since Windows Server 2003 (persistent)
Accessing these shadow copies from a Linux operating system is described in this section.
First the partition layout of the file system image resulting from the
acquisition can be shown with the command mmls
included in the Sleuthkit
package as shown below
mmls disk.image
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07)
003: 000:001 0001024000 0467935231 0466911232 NTFS / exFAT (0x07)
004: 000:002 0467935232 0468856831 0000921600 Unknown Type (0x27)
005: ------- 0468856832 0468862127 0000005296 Unallocated
The output includes the number of bytes per sector and the offsets expressed in sectors to the file system partitions.
The tool vshadowinfo can be used to display the amount of shadow copies that were created. This tool needs an offset to the file system expressed in bytes which results from a multiplication of the offset expressed in sectors and the number of bytes per sector.
In the example below the shadow copy of the second NTFS partition is shown:
vshadowinfo -o $((512*1024000)) disk.image
vshadowinfo 20160110
Volume Shadow Snapshot information:
Number of stores: 3
Store: 1
Identifier: xxx
Shadow copy set ID: xxx
Creation time: Apr 12, 2016 11:05:01.377103000 UTC
Shadow copy ID: xxx
Volume size: 499867713536 bytes
Attribute flags: 0x0042000d
Store: 2
Identifier: xxx
Shadow copy set ID: xxx
Creation time: Apr 15, 2016 11:23:57.017769600 UTC
Shadow copy ID: xxxx
Volume size: 499867713536 bytes
Attribute flags: 0x0042000d
Store: 3
Identifier: xxx
Shadow copy set ID: xxx
Creation time: Apr 15, 2016 14:57:52.271171500 UTC
Shadow copy ID: xxx
Volume size: 499867713536 bytes
Attribute flags: 0x0042000d
The tool shows the number of shadow copies and enumerates them with their creation time.
The tool vshadowmount can be used to access the shadow copies. A file for each shadow copy is created in the mount point. In the example below the files vss1, vss2, vss3 are created. Hence, in this example three shadow copies are available.
vshadowmount -o $((512*1024000)) 2016-04-06_13-40-46.001 /vss
These files can then be mounted as shown below
mount -o ro /vss/vss1 /loop
The files can be copied from the /loop folder.
Carving
When previous techniques of recovery don’t work, file carving is an alternative process to recover files by reassembling fragments of potential files. This technique often relies on some remaining artifacts without using the original metadata. Carving is often prone to errors but can be considered as a last resort solution to recover some data. A free software tool called photorec can perform file carving not only on pictures but also various file types.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
References
- TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT)
- Volume Shadow Copy Service
- Wikipedia on Shadow Copies
- http://www.sleuthkit.org/
- libvshadow tool to mount Volume Service Snapshot (VSS) volume
Revision
- Version 1.0 May 12, 2016 Initial version (TLP:WHITE)
- Version 1.1 Feb 10, 2017 Spelling corrected (TLP:WHITE)