Good job nobody's invented erase-on-delete
be seeing you
Researchers at UK computer forensics firm Disklabs have helped develop technology that will drastically speed up the forensic analysis of 'Volume Shadow Copies' (VSC) of suspect Windows computers. The introduction of VSC technology in Windows 2003 created a huge headache for forensic investigators, who have struggled to find a …
from http://linux.die.net/man/1/shred
shred(1) - Linux man page
Name
shred - overwrite a file to hide its contents, and optionally delete it
Synopsis
shred [OPTIONS] FILE [...]
Description
Overwrite the specified FILE(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.
... not being funny or anything, but isn't the process of "decompiling VSCs" as it's described here just mounting them like so:
vshadow -el=ShadowCopyId,LocalEmptyDirectory
as it says here:
http://msdn.microsoft.com/en-us/library/bb530725(VS.85).aspx
Then using the analysis tools on these directories which contain the snapshot view of the shadow copy?
Or am I missing something like the tools work at the disc block level?
First of all, the process described on the Microsoft website means that volumes with VSS enabled must be run on a VSS-enabled computer to extract the data. Shadow Analyser will allow investigators and data recovery people to use a disk image, without the need for mounting, and recover data that way. These files have essentially been reverse engineered so that we know which blocks belong where without having to use a computer with VSS enabled. This means that it is also operating-system agnostic, so you could view the contents of a shadow volume whether on OS X, Linux, XP, Vista, etc.
Second, when you securely erase files on a VSS-enabled system, the files are still stored in a volume shadow file, so unless you turn off the VSS service (thereby losing all system restore capabilities) any securely erased files will still be contained in the shadow file.
Shadow copies can already be read and extracted quite easily. I have a shadow reader that works just like Windows explorer to read all previous files.
If it were at the hardware disk level, then VSCs don't really exist; they would just be read as blocks on a disk.
I wonder whether this guy is over-egging his technology or if there is more to it?
To me it just seems like a Shadow file reader that works across all copies at the same time but that isn't really that revolutionary, is it?