Wednesday, September 26, 2012

Latest ShadowCopy Research - Part 1

It's been a while since I posted anything new regarding shadow copies. Microsoft never fails to drive me to despondent frustration with poorly documented APIs, broken examples and circular links. Putting that aside, I have a few new discoveries that I really wanted to get down in writing before they went poof due to work priorities. I broke the posts up into two parts to keep it simple.


So diskshadow looks very promising. According to this TechNet article it is in Windows Server 2008 and now in Windows 8. The article was published in April; however, it looks like diskshadow was introduced with Windows Server 2008, so it's not new (it's new to me though). I was not able to find it in my Win8 Enterprise RTM virtual machine (what's up with that?) but verified it exists on Server 2008. It's possible it ships with a different Win 8 package than RTM.

diskshadow
Write up #1
Write up #2

Why you should care...

According to the link, diskshadow will allow you to expose a shadow as a drive letter*. Diskshadow also supports some basic scripting, which should get you all giddy with excitement. For recovering shadows this app could make a lot of Digital Forensics and Incident Response people's days a little easier.

*Let me say that I have not had a chance to do testing yet. It's possible Microsoft stiffed us and only made diskshadow work with Win8 shadow copies. I'm looking forward to finding out if I can mount a VHD from Win7 in Windows 8 and expose the shadows as drive letters using diskshadow.
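As an added illustration of the scripting mentioned above (not from the original post, and untested by its author), this PowerShell wrapper writes a diskshadow script that lists existing shadows and exposes one of them at a drive letter for examination. It assumes an elevated prompt on a system that ships diskshadow.exe, a shadow ID obtained from "vssadmin list shadows" or diskshadow's "list shadows all", and hypothetical file names under %TEMP%.

```powershell
# Added example, not from the original post: expose an existing shadow copy
# as a drive letter via a diskshadow script, so DFIR tooling can read files
# from the snapshot instead of the live volume.
# Assumes: elevated session, diskshadow.exe present (Server 2008+), and a
# shadow ID copied from "vssadmin list shadows" or "list shadows all".
param(
    [Parameter(Mandatory)]
    [string]$ShadowId,              # placeholder form: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    [ValidatePattern('^[D-Z]:$')]
    [string]$DriveLetter = 'S:'     # hypothetical default; pick an unused letter
)

# Hypothetical script/log paths; diskshadow reads commands from /s and logs to /l.
$script = Join-Path $env:TEMP 'expose-shadow.dsh'
$log    = Join-Path $env:TEMP 'expose-shadow.log'

# diskshadow commands: record all shadows in the log, expose the chosen one,
# then exit. VSS software-provider shadows are read-only, so browsing the
# exposed letter does not modify the snapshot.
@"
set verbose on
list shadows all
expose $ShadowId $DriveLetter
exit
"@ | Set-Content -Path $script -Encoding ASCII

& diskshadow.exe /s $script /l $log
if ($LASTEXITCODE -ne 0) {
    throw "diskshadow failed (exit $LASTEXITCODE); see $log"
}

# Verify the exposure before pointing collection or hashing tools at it.
if (-not (Test-Path -LiteralPath "$DriveLetter\")) {
    throw "$DriveLetter is not visible; check $log for the EXPOSE result"
}
Get-ChildItem -LiteralPath "$DriveLetter\" -Force | Select-Object -First 10

# Cleanup later: a diskshadow script containing "unexpose S:" removes the
# drive letter without deleting the shadow itself.
```

Run it as `.\Expose-Shadow.ps1 -ShadowId '{...}' -DriveLetter 'S:'`; the log written by /l shows whether EXPOSE succeeded and which shadows exist on the box.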