Shadow Analyser speeds digital analysis of recovery files

Researchers at UK computer forensics firm Disklabs have helped develop technology that will drastically speed up the forensic analysis of 'Volume Shadow Copies' (VSC) of suspect Windows computers. The introduction of VSC technology in Windows 2003 created a huge headache for forensic investigators, who have struggled to find a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Good job nobody's invented erase-on-delete

    be seeing you

    1. copsewood

      Someone has.

      from http://linux.die.net/man/1/shred

      shred(1) - Linux man page

      Name

      shred - overwrite a file to hide its contents, and optionally delete it

      Synopsis

      shred [OPTIONS] FILE [...]

      Description

      Overwrite the specified FILE(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.

  2. Anonymous Coward

    Err....

    ... not being funny or anything, but isn't the process of "decompiling VSCs" as it's described here just mounting them like so:

    vshadow -el=ShadowCopyId,LocalEmptyDirectory

    as it says here:

    http://msdn.microsoft.com/en-us/library/bb530725(VS.85).aspx

    Then using the analysis tools on these directories which contain the snapshot view of the shadow copy?

    Or am I missing something like the tools work at the disc block level?

    1. Lee Whitfield

      Addressing some points

      First of all, the process described on the Microsoft website means that the volumes with VSS enabled must be run on a VSS-enabled computer to extract the data. Shadow Analyser will allow investigators and data recovery people to use a disk image, without the need for mounting, and recover data that way. These files have essentially been reverse engineered so that we know which blocks belong where without having to use a computer with VSS enabled. This also means that it is operating-system agnostic, so you could view the contents of a shadow volume whether on OS X, Linux, XP, Vista, etc.

      Second, when you securely erase files on a VSS-enabled system the files are still stored in a volume shadow file, so unless you turn off the VSS service (thereby losing all System Restore capabilities) any securely erased files will still be contained within the shadow file.
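
The mounting step described in the earlier comment (vshadow -el) and the point made above, that a file wiped on the live volume can survive inside an earlier snapshot, can be checked on a running Windows system with the following script. It is an added example written for this page, not code from the article, from Disklabs, or from any commenter, and it uses the standard Win32_ShadowCopy / Win32_Volume CIM classes and mklink rather than the VSS SDK vshadow tool. The volume, the relative file path and the link directory are placeholder values assumed for the example.

```powershell
# Added example, not from the article, Disklabs, or any commenter on this page.
# Enumerates the Volume Shadow Copies of one Windows volume, exposes each snapshot
# through a directory symbolic link (the same effect as "vshadow -el", without the
# VSS SDK tool), and reports whether a given relative path still exists inside any
# of them. Snapshots are read-only; nothing here modifies them.
# Assumptions: run from an elevated PowerShell 5.1+ prompt on the live system;
# $Volume, $RelativePath and $LinkRoot are placeholder values chosen for this example.

param(
    [string]$Volume       = 'C:\',
    [string]$RelativePath = 'Users\Public\Documents\wiped.docx',  # hypothetical "securely erased" file
    [string]$LinkRoot     = "$env:SystemDrive\vsc_links"
)

# Resolve the drive letter to its volume GUID path (\\?\Volume{...}\), which is the
# form Win32_ShadowCopy.VolumeName uses.
$vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume '$Volume' not found" }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    Write-Host "No shadow copies exist for $Volume"
    return
}

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

$results = foreach ($sc in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; the
    # trailing backslash is required for the link target to resolve as a directory.
    $target = $sc.DeviceObject + '\'
    $link   = Join-Path $LinkRoot ($sc.DeviceObject.Split('\')[-1])

    if (-not (Test-Path -LiteralPath $link)) {
        # mklink /d creates a directory symbolic link pointing into the snapshot.
        cmd /c mklink /d "$link" "$target" | Out-Null
    }

    $candidate = Join-Path $link $RelativePath
    $present   = Test-Path -LiteralPath $candidate

    [pscustomobject]@{
        ShadowCopyId     = $sc.ID
        Created          = $sc.InstallDate
        Link             = $link
        FileStillPresent = $present
        SizeBytes        = if ($present) { (Get-Item -LiteralPath $candidate).Length } else { $null }
    }
}

$results | Format-Table -AutoSize

# Clean-up: rmdir on a directory symlink removes only the link, never the snapshot contents.
foreach ($r in $results) { cmd /c rmdir "$($r.Link)" | Out-Null }
```

A row with FileStillPresent set to True for a path that no longer exists on the live volume is exactly the situation Lee Whitfield describes: the overwrite reached the current volume, but the earlier snapshot still holds the original blocks. Because the links point at the live system's own snapshots, this only works on the machine (or a booted clone) that created them; it does not read shadow copies out of a raw disk image.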

    2. Daf L

      I too wondered that...

      Shadow copies can already be read and extracted quite easily. I have a shadow reader that works just like Windows explorer to read all previous files.

      If it was at the hardware disk level then VSCs don't really exist; they would just be read as blocks on a disk.

      I wonder whether this guy is over-egging his technology or if there is more to it?

      To me it just seems like a Shadow file reader that works across all copies at the same time but that isn't really that revolutionary, is it?

      1. Battered Pav

        golfclap

        Hey Daf, work in a high-volume production forensic environment, then we'll care. Grats on being able to use Windows Explorer though, while anyone with any competence in this area doesn't.

  3. Anonymous Coward

    An average investigation can take 35 hours

    presumably that's 35 hours at the end of the 18 month waiting list.

  4. Anonymous Coward

    "any securely erased files will still be contained with the shadow file."

    Shouldn't the feature then be marketed as "pointlessly insecure erasure"? I mean it's Microsoft so nobody should take its alleged security too seriously anyway, but thanks for confirming.

  5. Not bad

    There's some free software that can explore shadow copies

    and you can find it here: http://www.shadowexplorer.com/downloads.html
