PreCySec

How To Recover Deleted Files: Volume Shadow Copies


Shadow Copies – What are They?


Shadow copies (the Volume Shadow Copy Service, VSS) were first introduced in Windows Server 2003. Windows periodically crawls the system, looks for file changes made since the last crawl, and records them. The recorded changes are indexed and stacked on top of each other, which creates a history of each file/folder. This mechanism was later added to Windows Vista (and later) under the System Restore function.

In earlier Windows versions (prior to Windows Vista), the technology is a critical component of proper OS functionality.


The process runs in the background as a system-level process (Restore Point creation), which is not subject to the same limitations as user-initiated file operations. As a result, the system is able to capture changes to files that are inaccessible to the user.


Therefore, to access a locked file, we simply need to access the most recent shadow copy (snapshot). This is the same premise used by Windows Backup and other commercial backup products, which are able to access, for example, Outlook PST files that are locked while Outlook is running.


However, it is important to note that, since shadow copies are taken when a system restore point is created, the contents of the live file and of the shadow copy version can differ. By default, Windows creates a restore point every day, so for most situations this should be a reasonable candidate for backup.


In other words, shadow copies are no more than a backup of the machine's file system. They can be very useful for restoring a backup of the file system in order to examine a deleted file or recover lost evidence.



Restoring Shadow Copies on a Live System


During incident response and forensic investigations, deleted files may be required to retrieve evidence that answers key questions and "cracks the case". To view the shadow copies available on a given machine, run the following command from a command prompt with administrative privileges:

vssadmin list shadows
Vssadmin output - list shadow copies

Pay attention to the following information:

● Creation Time

● Shadow Copy Volume – the shadow copy path


After listing the shadow copies available to us, change to the directory under which you want the shadow copy mounted and run the following command to mount the desired shadow copy (chosen mostly by date and time):

mklink /d <folder to store the shadow copy data> <path to the desired shadow copy>

Note that the <folder to store the shadow copy data> is created by the command itself, so it must not be an existing folder. Also, after you copy the shadow copy path from the vssadmin output, append a "\" to the end of the path, as shown below:


Create Link to Shadow Copy

In this case, a folder named "TEST" is created in my C:\ directory with the contents of the selected shadow copy:


Mounted Shadow Copy Contents
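As an added example (not code from the original post), the following PowerShell script automates the procedure above from an elevated prompt: it picks the newest snapshot of a volume, creates the mklink /d link with the required trailing backslash, copies one historical file out of it, and removes the link afterwards. The volume, link folder, file path and output folder are assumed values; snapshots are enumerated through the Win32_ShadowCopy WMI class, whose DeviceObject is the same "Shadow Copy Volume" path that vssadmin prints.

```powershell
# Added example (not from the original post). Mounts the newest shadow copy of
# $Volume with mklink /d, copies one historical file out of it, then removes the
# link. Run from an elevated PowerShell prompt; all four parameters are assumed.
param(
    [string]$Volume       = 'C:',
    [string]$LinkPath     = 'C:\TEST',
    [string]$RelativeFile = 'Users\Public\Documents\notes.txt',
    [string]$OutDir       = 'D:\evidence'
)

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the
# \\?\Volume{GUID}\ form, which lets us match snapshots to a drive letter.
$volumeGuid = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume).DeviceID
if (-not $volumeGuid) { throw "Volume $Volume not found" }

# DeviceObject is the same "Shadow Copy Volume" string that vssadmin prints and
# InstallDate is its "Creation Time"; take the most recent snapshot.
$snapshot = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeGuid } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snapshot) { throw "No shadow copies exist for $Volume" }
Write-Host "Using snapshot from $($snapshot.InstallDate): $($snapshot.DeviceObject)"

# mklink creates the link folder itself, so it must not exist yet, and the
# shadow copy path must end with a backslash or the link will not resolve.
if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
$target = $snapshot.DeviceObject + '\'
cmd /c mklink /d $LinkPath $target | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'mklink failed (is this prompt elevated?)' }

try {
    $src = Join-Path $LinkPath $RelativeFile
    if (Test-Path -LiteralPath $src) {
        New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
        $stamp = $snapshot.InstallDate.ToString('yyyyMMdd_HHmmss')
        $dst = Join-Path $OutDir ($stamp + '_' + (Split-Path $RelativeFile -Leaf))
        Copy-Item -LiteralPath $src -Destination $dst
        # Record a hash of the recovered copy for the case notes.
        Get-FileHash -Algorithm SHA256 -LiteralPath $dst | Format-List Path, Hash
    }
    else {
        Write-Warning "$RelativeFile does not exist in this snapshot"
    }
}
finally {
    # rmdir on a directory symlink deletes only the link, never the snapshot data.
    cmd /c rmdir $LinkPath | Out-Null
}
```

Shadow copy contents are read-only, so reading through the link cannot alter the snapshot; the hash lets the recovered file be verified later.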

To Wrap Up


Knowing how to recover deleted files using shadow copies is key. If you ever wonder how to recover deleted files on an investigated system, there are a few other options that can serve you, such as Recycle Bin forensics, file carving and more.


We hope this content was useful and that you enjoyed it.

See you in our next DFIR shorts with more useful content :)
