Researchers at UK computer forensics firm Disklabs have helped develop technology that will drastically speed up the forensic analysis of 'Volume Shadow Copies' (VSC) of suspect Windows computers. The introduction of VSC technology in Windows 2003 created a huge headache for forensic investigators, who have struggled to find a …
... not being funny or anything, but isn't the process of "decompiling VSCs" as it's described here just mounting them like so:
as it says here:
Then using the analysis tools on these directories which contain the snapshot view of the shadow copy?
Or am I missing something like the tools work at the disc block level?
Addressing some points
First of all, the process described on the Microsoft website means that the volumes with VSS enabled must be run on a VSS-enabled computer to extract the data. Shadow Analyser will allow investigators and data recovery people to use a disk image, without the need for mounting, and recover data that way. These files have essentially been reverse engineered so that we know which blocks belong where without having to use a computer with VSS enabled. This means that it is also operating-system agnostic, so you could view the contents of a shadow volume whether on OS X, Linux, XP, Vista, etc.
Second, when you securely erase files on a VSS enabled system the files are still stored on a volume shadow file so, unless you turn off the VSS service (thereby losing all system restore capabilities) any securely erased files will still be contained with the shadow file.
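The point above, that a file wiped on the live volume can survive inside a shadow copy, can be checked on a running Windows system. The following PowerShell script is an added example, not code from the thread or from Disklabs: it enumerates shadow copies through the Win32_ShadowCopy CIM class, exposes each one through a temporary directory symbolic link (the mklink approach mentioned earlier in the thread), and reports every snapshot in which a given path still exists. The file path and temp-link naming are assumptions; it must be run from an elevated prompt.

```powershell
# Added example (not from the original thread or Disklabs' product).
# Audit whether a file that was "securely erased" on the live volume is still
# present in any Volume Shadow Copy. Needs an elevated prompt: creating a
# directory link to a shadow device requires administrator rights.
param(
    [string]$RelativePath = 'Users\alice\Documents\secret.docx'  # assumed example path
)

$found = @()
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) { Write-Host 'No shadow copies present.'; return }

foreach ($s in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    # A directory symlink to it (the trailing backslash is required) exposes the
    # snapshot as an ordinary directory tree.
    $link = Join-Path $env:TEMP ('vsc_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $RelativePath
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate
            $found += [pscustomobject]@{
                ShadowID  = $s.ID
                Created   = $s.InstallDate
                Volume    = $s.VolumeName
                SizeBytes = $item.Length
                LastWrite = $item.LastWriteTime
            }
        }
    }
    finally {
        # rmdir removes only the link, never the snapshot contents behind it
        cmd /c rmdir "$link" | Out-Null
    }
}

if ($found) {
    Write-Host "'$RelativePath' still exists in $($found.Count) shadow copy(ies):"
    $found | Format-Table -AutoSize
}
else {
    Write-Host "'$RelativePath' is not present in any shadow copy."
}
```

A non-empty result means the wipe on the live volume did not reach the snapshot data; as the post notes, only the shadow copies themselves being removed (or VSS being disabled) closes that gap.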
I too wondered that...
Shadow copies can already be read and extracted quite easily. I have a shadow reader that works just like Windows explorer to read all previous files.
If it was at the hardware disk level then VSCs don't really exist; they would just be read as a block on a disk.
I wonder whether this guy is over-egging his technology or if there is more to it?
To me it just seems like a Shadow file reader that works across all copies at the same time but that isn't really that revolutionary, is it?
Hey Daf, work in a high-volume production forensic environment, then we'll care. Grats on being able to use Windows Explorer though, while anyone with any competence in this area doesn't.
Good job nobody's invented erase-on-delete
be seeing you
shred(1) - Linux man page
shred - overwrite a file to hide its contents, and optionally delete it
shred [OPTIONS] FILE [...]
Overwrite the specified FILE(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.
An average investigation can take 35 hours
presumably that's 35 hours at the end of the 18 month waiting list.
"any securely erased files will still be contained with the shadow file."
Shouldn't the feature then be marketed as "pointlessly insecure erasure"? I mean it's Microsoft so nobody should take its alleged security too seriously anyway, but thanks for confirming.
There's some free software that can explore shadow copies
and you can find it here http://www.shadowexplorer.com/downloads.html