Shadow Analyser speeds digital analysis of recovery files

Researchers at UK computer forensics firm Disklabs have helped develop technology that will drastically speed up the forensic analysis of 'Volume Shadow Copies' (VSC) of suspect Windows computers. The introduction of VSC technology in Windows 2003 created a huge headache for forensic investigators, who have struggled to find a …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Err....

... not being funny or anything, but isn't the process of "decompiling VSCs" as it's described here just mounting them like so:

vshadow -el=ShadowCopyId,LocalEmptyDirectory

as it says here:

http://msdn.microsoft.com/en-us/library/bb530725(VS.85).aspx

Then using the analysis tools on these directories which contain the snapshot view of the shadow copy?

Or am I missing something like the tools work at the disc block level?


Addressing some points

First of all the process described on the Microsoft website means that the volumes with the VSS enabled must be run on a VSS enabled computer to extract the data. Shadow Analyser will allow investigators and data recovery people to use a disk image, without the need for mounting, and recover data that way. These files have essentially been reverse engineered so that we know what blocks belong to where without having to use a computer with VSS enabled. This means that it is also operating system agnostic too so you could view the contents of a shadow volume whether on OS X, Linux, XP, Vista, etc.

Second, when you securely erase files on a VSS enabled system the files are still stored on a volume shadow file so, unless you turn off the VSS service (thereby losing all system restore capabilities) any securely erased files will still be contained with the shadow file.


I too wondered that...

Shadow copies can already be read and extracted quite easily. I have a shadow reader that works just like Windows explorer to read all previous files.

If it was at the hardware disk level then VSCs don't really exist; they would just be read as blocks on a disk.

I wonder whether this guy is over-egging his technology or if there is more to it?

To me it just seems like a Shadow file reader that works across all copies at the same time but that isn't really that revolutionary, is it?


golfclap

Hey Daf, work in a high volume production forensic environment, then we'll care. Grats on being able to use Windows Explorer though, while anyone with any competence in this area doesn't.


Good job nobody's invented erase-on-delete

be seeing you


someone has

from http://linux.die.net/man/1/shred

shred(1) - Linux man page

Name

shred - overwrite a file to hide its contents, and optionally delete it

Synopsis

shred [OPTIONS] FILE [...]

Description

Overwrite the specified FILE(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.


An average investigation can take 35 hours

presumably that's 35 hours at the end of the 18 month waiting list.


"any securely erased files will still be contained with the shadow file."

Shouldn't the feature then be marketed as "pointlessly insecure erasure"? I mean it's Microsoft so nobody should take its alleged security too seriously anyway, but thanks for confirming.

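The claim made in "Addressing some points" and quoted just above, that a file securely erased on the live volume still sits in the shadow copies, can be checked directly from an elevated PowerShell session. This is an added example, not code from the article, from Disklabs or from any commenter; it assumes a Windows host with VSS, that Win32_ShadowCopy reports each snapshot's DeviceObject path, and that .NET file APIs accept those \\?\GLOBALROOT device paths. The sample file path is hypothetical.

```powershell
# Added example (not from the article or any commenter): report whether a path that
# was deleted or overwritten on the live volume still exists in each shadow copy.
# Assumes Windows with VSS, an elevated session, and .NET accepting the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN paths from Win32_ShadowCopy.
param(
    # Path below the volume root; this sample value is hypothetical
    [string]$RelativePath = 'Users\alice\Documents\secret.docx',
    [string]$DriveLetter  = 'C:'
)

function Test-ShadowCopyResidue {
    param([string]$RelativePath, [string]$DriveLetter)

    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "Volume $DriveLetter not found" }
    $copies = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate

    $results  = @()
    $livePath = Join-Path "$DriveLetter\" $RelativePath
    $liveHere = [System.IO.File]::Exists($livePath)
    $liveSize = 0
    if ($liveHere) { $liveSize = (Get-Item -LiteralPath $livePath).Length }
    $results += [pscustomobject]@{ Where = 'live volume'; Created = $null; Present = $liveHere; Bytes = $liveSize }

    foreach ($c in $copies) {
        # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        $snapPath = '{0}\{1}' -f $c.DeviceObject, $RelativePath
        $present  = [System.IO.File]::Exists($snapPath)
        $size     = 0
        # Size shows that the content, not just a directory entry, survives in the snapshot
        if ($present) { $size = (New-Object System.IO.FileInfo $snapPath).Length }
        $results += [pscustomobject]@{ Where = $c.ID; Created = $c.InstallDate; Present = $present; Bytes = $size }
    }
    return $results
}

Test-ShadowCopyResidue -RelativePath $RelativePath -DriveLetter $DriveLetter | Format-Table -AutoSize
```

A row marked Present for a snapshot while the live volume shows absent is exactly the residue the commenter describes; turning VSS off, as noted above, is what removes it along with System Restore.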

There's some free software that can explore shadow copies

and you can find it here http://www.shadowexplorer.com/downloads.html
