Brett's Ramblings

Font size: +
2 minutes reading time (382 words)

Getting a Quick Look at Shadow Volumes

We’ve come to the point where we can conduct a rather complete exam of shadow volumes using dd and E01 image files.  Let’s say that we don’t need to do such a complete exam.  For example, we’re confident that one, particular folder may contain previous, unrecovered copies of a small number relevant files.  Maybe we’re looking for one file in particular.  In those instances, we may not need to mount the shadow volumes.

We can accomplish this task in either our SEAT workstation, in which we added a virtual disk of the target system, or in a running VM of the target.  The latter approach is required for E01 images and optional for dd image files.  You also can accomplish this with the VHD method that I presented earlier.  The approach is the same regardless of which method you choose.  Remember, however, that using a “live” VM of a system runs the risk that the system will delete old shadow volumes.  The risk can be overcome, but keep it in mind.

To demonstrate the procedure, I’m going to use my SEAT workstation, in which I added a virtual disk.


It’s that easy!  Note, too, that you can invoke Windows Previous Versions on almost any file or folder.

In my example, no previous versions existed.  If they had, we would have seen a list of earlier versions by date.  We then could open and examine any available version of the file.  Should you find files of value in the approach that I presented, you can copy the files from the VM to your host system.  Copying is seamless if you install VMware Tools in your VM.  Otherwise, you can enable a shared folder with your host.  Any such copy operation, however, is not a forensic recovery, so consider whether it suits your needs.

Now that we have a quick and easy approach to a limited review of shadow volumes, don’t become too accustomed to using it into the future.  Windows 8 seems to have done away with the Previous Versions aspect of the Volume Shadow Service.  In my tests of the latest Windows 8 Enterprise edition, it’s gone, and I believe that this has been confirmed on MSDN or similar forums.  We can take heart, however, in the fact that shadow volumes remain; at least for the time being.

Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

RAIDs & Virtual Machines
Windows 8 and WinFE