Monday, June 4, 2012

Access Shadow Copies (VSS) Natively

This is a first glance at accessing Shadow Copies (VSS) natively in Windows 7.

Did you know that you can access Shadows from the Previous Versions tab from the drive letter (root) in Windows 7? That's right, ding ding. This came as a surprise to me as well. I stumbled across this unintentionally.

When on Previous Versions you see the versions per date. I have always thought the Previous Versions tab was for individual files only...Wow was I wrong!!

For this test case I mounted my test VHD using a method I documented in a previous post (ShadowKit – Working with Disk Images).

I am not going to go in to too much detail as it is very simple. I'll stick to two steps.

First, I am showing you an example of my C: drive and H: drive. The H: drive is a mounted vhd I like to use for testing.


Right click on the date you are interested in and select "Open" from the context menu.

Below:  Now you see that Windows Explorer has exposed a view of the snapshot you selected. Blow is my H: drive snapshot from Feb 24th.
*I will show you C: in a forensic imaging tool in the next section.

I can now copy the files I wish to recover!

Forensic tools

It's very nice being able to access Shadows natively in this way. Navigating to the UNC path "\\localhost\H$\@GMT-2012.02.24-22.51.29" is doable with imaging and DIR tools such as FTK Imager or reg ripper. I was able to navigate to \Windows\System32\config and recover registry hive files to my hearts content.

Example using FTK Imager:


As you can see Windows 7 will expose both my C: and H: (vhd) shadow copies through explorer....I did not need to run ShadowKit or any third party VSS tools to get access to the VSS files.
*Check out the Cons below for the issues you are going to run in to.

This method is simple and convenient however there are issues with permissions. Some files and directories are not going to be available such as System Volume Information and ProgramData or folders from another system that you do not have permissions to access. For these and other issues and for a few additional features you will want to fire up ShadowKit to get the needed access!

No comments:

Post a Comment