TR-45 - Data recovery techniques

Overview

In case of data loss, it is good practice to restore a tested backup. Sometimes, such a functioning backup is not available. This document intends to collect alternative ways to at least partially restore lost data from the source disk.

Disclaimer: In case data is lost or damaged, it is highly recommended to work on a copy of the data and not on the original disk. Please see our document about acquisition first (TR-30).

Volume Shadow Copies

On Windows operating systems, Volume Shadow Copies are created by the operating system (as long as the Windows version is recent and the functionality is not turned off). Volume Shadow Copies are point-in-time copies of files on the file system.

Operating systems:

  • Windows starting at Windows XP SP2 (not persistent after reboot)
  • All other Windows versions since Windows Server 2003 (persistent)

Accessing these shadow copies from a Linux operating system is described in this section.

First, the partition layout of the file system image resulting from the acquisition can be shown with the command mmls included in the Sleuthkit package, as shown below.

mmls disk.image

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001023999   0001021952   NTFS / exFAT (0x07)
003:  000:001   0001024000   0467935231   0466911232   NTFS / exFAT (0x07)
004:  000:002   0467935232   0468856831   0000921600   Unknown Type (0x27)
005:  -------   0468856832   0468862127   0000005296   Unallocated

The output includes the number of bytes per sector and the start offsets, expressed in sectors, of the file system partitions.

The tool vshadowinfo can be used to display the number of shadow copies that were created. This tool needs the offset to the file system expressed in bytes, which is the offset expressed in sectors multiplied by the number of bytes per sector.

In the example below the shadow copies of the second NTFS partition (starting at sector 1024000) are shown:

vshadowinfo -o $((512*1024000)) disk.image

vshadowinfo 20160110

Volume Shadow Snapshot information:
    Number of stores:   3

Store: 1
    Identifier: xxx
    Shadow copy set ID: xxx
    Creation time: Apr 12, 2016 11:05:01.377103000 UTC
    Shadow copy ID: xxx
    Volume size: 499867713536 bytes
    Attribute flags: 0x0042000d

Store: 2
    Identifier: xxx
    Shadow copy set ID: xxx
    Creation time: Apr 15, 2016 11:23:57.017769600 UTC
    Shadow copy ID: xxxx
    Volume size: 499867713536 bytes
    Attribute flags: 0x0042000d

Store: 3
    Identifier: xxx
    Shadow copy set ID: xxx
    Creation time: Apr 15, 2016 14:57:52.271171500 UTC
    Shadow copy ID: xxx
    Volume size: 499867713536 bytes
    Attribute flags: 0x0042000d

The tool shows the number of shadow copies and lists each of them with its creation time.

The tool vshadowmount can be used to access the shadow copies. A file for each shadow copy is created in the mount point. In the example below the files vss1, vss2 and vss3 are created; hence, in this example three shadow copies are available.

vshadowmount -o $((512*1024000)) 2016-04-06_13-40-46.001  /vss

These files can then be mounted read-only as shown below.

mount -o ro /vss/vss1 /loop

The files can then be copied from the /loop folder.
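Putting the steps above together, as an added example that is not part of TR-45: a small shell script that reads the mmls partition table shown above, picks out the NTFS partitions, converts their sector offsets to bytes and prints the matching vshadowinfo/vshadowmount commands. The mmls text is embedded as a constructed sample so the script runs without a disk image; the image name disk.image and the mount point /vss are taken from the document.

```shell
#!/bin/sh
# Added example (not part of TR-45): derive the byte offsets that
# vshadowinfo/vshadowmount need from the mmls partition table.

# Constructed sample: the mmls output shown in this document, embedded so
# the script runs without a disk image.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001023999   0001021952   NTFS / exFAT (0x07)
003:  000:001   0001024000   0467935231   0466911232   NTFS / exFAT (0x07)
004:  000:002   0467935232   0468856831   0000921600   Unknown Type (0x27)
005:  -------   0468856832   0468862127   0000005296   Unallocated'

# sector_size MMLS_OUTPUT -> bytes per sector, read from the "Units are in" line.
sector_size() {
    printf '%s\n' "$1" | awk '/^Units are in/ { sub(/-byte.*/, "", $4); print $4; exit }'
}

# partition_byte_offset MMLS_OUTPUT INDEX -> start of partition INDEX (e.g. 003) in bytes.
# Arithmetic is done in awk on purpose: the zero-padded sector numbers would be
# read as octal by shell $(( )), and values containing 8 or 9 would fail.
partition_byte_offset() {
    printf '%s\n' "$1" | awk -v idx="$2:" -v bps="$(sector_size "$1")" '
        $1 == idx { printf "%.0f\n", ($3 + 0) * bps; exit }'
}

# ntfs_partitions MMLS_OUTPUT -> one "INDEX BYTE_OFFSET" line per NTFS/exFAT partition.
ntfs_partitions() {
    printf '%s\n' "$1" | awk -v bps="$(sector_size "$1")" '
        /NTFS/ { sub(/:$/, "", $1); printf "%s %.0f\n", $1, ($3 + 0) * bps }'
}

# shadow_commands IMAGE MMLS_OUTPUT -> the vshadowinfo/vshadowmount invocations
# for every NTFS partition in IMAGE. Nothing is executed here; the output is
# meant to be reviewed and then run against the (read-only) copy of the disk.
shadow_commands() {
    ntfs_partitions "$2" | while read -r idx off; do
        echo "vshadowinfo -o $off $1            # partition $idx"
        echo "vshadowmount -o $off $1 /vss"
    done
}

shadow_commands disk.image "$MMLS_SAMPLE"
```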

Carving

When the previous recovery techniques don't work, file carving is an alternative process to recover files by reassembling fragments of potential files. This technique relies on remaining content artifacts (such as file headers and footers) rather than on the original file system metadata. Carving is often prone to errors but can be considered a last-resort solution to recover some data. The free software tool photorec can perform file carving not only on pictures but also on various other file types.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

References

Revision

  • Version 1.0 May 12, 2016 Initial version (TLP:WHITE)
  • Version 1.1 Feb 10, 2017 Spelling corrected (TLP:WHITE)