
Recovering deleted shadow copies


7 replies to this topic

#1 musicbits

musicbits

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 07 March 2016 - 12:29 PM

https://www.kazamiya.net/en/artifact/wipe/deletedsc

 

That article is almost a year old now. Are there any updates to linux and windows recovery tools that recover deleted shadow copies?




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:29 AM

Posted 07 March 2016 - 02:00 PM

Most crypto malware typically delete all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer and file recovery software. However, it never hurts to try since it is not uncommon for these infections to sometimes fail to do what they are supposed to do.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 musicbits

musicbits
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 07 March 2016 - 02:57 PM

Most crypto malware typically delete all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer and file recovery software. However, it never hurts to try since it is not uncommon for these infections to sometimes fail to do what they are supposed to do.

 

This thread, and the linked article, is about recovering the vssadmin deleted shadow copy snapshots. The linked article proves that previously deleted shadow copies can be recovered if they haven't already been overwritten.


Edited by musicbits, 07 March 2016 - 03:39 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:29 AM

Posted 07 March 2016 - 06:18 PM

Here are a couple articles that I found.

Forensicist...Deleted Shadow Copies
Recovering from deleted shadow copies

The second link is old but I found it to be an interesting read in regards to the topic.

#5 musicbits

musicbits
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 07 March 2016 - 07:57 PM

Here are a couple articles that I found.

Forensicist...Deleted Shadow Copies
Recovering from deleted shadow copies

The second link is old but I found it to be an interesting read in regards to the topic.

 

Looks promising. I have seen a few comments from others saying they have recovered the deleted shadow copies after being hit with ransomware but no details on what tools were used.

 

Here's another post on this topic. 

 

http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/?p=3934730


Edited by musicbits, 07 March 2016 - 08:05 PM.


#6 kaljukass

kaljukass

  • Banned
  • 291 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:29 AM

Posted 07 March 2016 - 08:06 PM

https://www.kazamiya.net/en/artifact/wipe/deletedsc

 

That article is almost a year old now. Are there any updates to linux and windows recovery tools that recover deleted shadow copies?

Why do you need any old backups that have in one way or another already been damaged and are of course obsolete?



#7 musicbits

musicbits
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:02:29 AM

Posted 07 March 2016 - 11:51 PM

The deleted shadow copies are not obsolete and we don't know if they are damaged or not but this is a last ditch effort to help a friend and I want to try everything possible.



#8 theshiv

theshiv

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 13 August 2018 - 07:42 PM

There was a presentation on this at Black Hat 2018:

 

https://github.com/mnrkbys/vss_carver

 

http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf


Edited by theshiv, 13 August 2018 - 07:42 PM.
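The tool linked above works by signature-carving VSS structures from the raw volume rather than trusting the catalog. The following is an added example written for this thread, not vss_carver's code and not from the Black Hat slides: it shows the first step of that idea on a constructed disk image. It scans for the VSS block identifier, reads each block's record type, walks the catalog referenced by the volume header, and reports store headers that the catalog no longer references, which is what a snapshot deleted with vssadmin leaves behind until the blocks are overwritten. The identifier GUID, the record-type values and the field offsets are taken from the libvshadow format documentation as I remember it (an assumption to verify against that documentation before using this on real evidence); the image is built in `build_sample_image()` and is not real disk data. Reassembling the store data itself, which is the hard part of vss_carver, is out of scope here.

```python
import struct
from dataclasses import dataclass

# {3808876b-c176-4e48-b7ae-04046e6cc752} in on-disk (mixed little-endian) byte order.
# Assumption: value and layout below follow libvshadow's VSS format documentation.
VSS_IDENTIFIER = bytes.fromhex("6b870838" "76c1" "484e" "b7ae" "04046e6cc752")
VOLUME_HEADER_OFFSET = 0x1E00     # volume header lives at this fixed volume offset
BLOCK_HEADER_SIZE = 128           # common header of catalog/store blocks
CATALOG_BLOCK_SIZE = 0x4000       # catalog blocks are 16 KiB
CATALOG_ENTRY_SIZE = 128
SCAN_STEP = 512                   # sector alignment for the signature scan
RECORD_TYPES = {1: "volume header", 2: "catalog", 3: "store header",
                4: "store block range list", 5: "store block list", 6: "store bitmap"}


@dataclass(frozen=True)
class CarvedBlock:
    offset: int
    record_type: int

    def kind(self) -> str:
        return RECORD_TYPES.get(self.record_type, f"unknown({self.record_type})")


def carve_blocks(image: bytes, step: int = SCAN_STEP) -> list[CarvedBlock]:
    """Signature-scan the whole image at sector alignment, ignoring the catalog.
    This is what still finds a store after its catalog entry was removed."""
    found = []
    for off in range(0, len(image) - BLOCK_HEADER_SIZE + 1, step):
        if image[off:off + 16] != VSS_IDENTIFIER:
            continue
        version, record_type = struct.unpack_from("<II", image, off + 16)
        if version == 1:                      # only format version 1 is known
            found.append(CarvedBlock(off, record_type))
    return found


def catalog_store_header_offsets(image: bytes) -> set[int]:
    """Follow volume header -> catalog chain and collect the store header offsets
    of live snapshots (catalog entry type 3, store header offset at entry+32)."""
    vh = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 64]
    if len(vh) < 64 or vh[:16] != VSS_IDENTIFIER:
        return set()
    (catalog_offset,) = struct.unpack_from("<Q", vh, 48)   # catalog offset field
    referenced, seen = set(), set()
    while catalog_offset and catalog_offset not in seen:
        seen.add(catalog_offset)
        if catalog_offset + BLOCK_HEADER_SIZE > len(image):
            break
        hdr = image[catalog_offset:catalog_offset + BLOCK_HEADER_SIZE]
        if hdr[:16] != VSS_IDENTIFIER or struct.unpack_from("<I", hdr, 20)[0] != 2:
            break                                          # not a catalog block
        (next_offset,) = struct.unpack_from("<Q", hdr, 40)  # next catalog block, 0 = last
        end = min(catalog_offset + CATALOG_BLOCK_SIZE, len(image)) - CATALOG_ENTRY_SIZE + 1
        for eoff in range(catalog_offset + BLOCK_HEADER_SIZE, end, CATALOG_ENTRY_SIZE):
            (entry_type,) = struct.unpack_from("<Q", image, eoff)
            if entry_type == 3:
                referenced.add(struct.unpack_from("<Q", image, eoff + 32)[0])
        catalog_offset = next_offset
    return referenced


def orphaned_store_headers(image: bytes) -> list[int]:
    """Store headers present on disk but absent from the catalog: candidates for
    deleted snapshots whose data has not yet been overwritten."""
    referenced = catalog_store_header_offsets(image)
    return sorted(b.offset for b in carve_blocks(image)
                  if b.record_type == 3 and b.offset not in referenced)


def _block_header(record_type: int, offset: int, next_offset: int = 0) -> bytes:
    # identifier, version, record type, relative offset, current offset, next offset
    return (VSS_IDENTIFIER + struct.pack("<IIQQQ", 1, record_type, 0, offset, next_offset)
            + bytes(BLOCK_HEADER_SIZE - 48))


def build_sample_image() -> bytes:
    """Constructed 64 KiB image (not real disk data): volume header, a catalog
    referencing a live store at 0x8000, and an unreferenced store header at 0xC000
    standing in for a snapshot whose catalog entry vssadmin removed."""
    img = bytearray(0x10000)
    vol = VSS_IDENTIFIER + struct.pack("<IIQQQQQ", 1, 1, VOLUME_HEADER_OFFSET, 0, 0, 0x4000, len(img))
    img[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + len(vol)] = vol
    img[0x4000:0x4080] = _block_header(2, 0x4000)
    entry = struct.pack("<QQ16sQ", 3, 0, b"\x11" * 16, 0x8000)   # type 3 -> store at 0x8000
    img[0x4080:0x4080 + len(entry)] = entry
    img[0x8000:0x8080] = _block_header(3, 0x8000)   # live store
    img[0xC000:0xC080] = _block_header(3, 0xC000)   # orphan: deleted snapshot's store
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for b in carve_blocks(sample):
        print(f"0x{b.offset:08X}  {b.kind()}")
    print("orphaned store headers:", [hex(o) for o in orphaned_store_headers(sample)])
```

Against a real image you would open the device or an E01 via a raw reader and feed `carve_blocks` the volume bytes in chunks rather than one `bytes` object; the point of the example is the comparison between what the signature scan finds and what the catalog admits to, which is exactly the gap that makes recovery possible when the data has not been overwritten.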




