Shadow Copy Question

[Keith Swanson]

I normally don't try to recovery shadow copy's from windows.  What I am up against is a client that accidentally restored her computer to 6/20/2011.  Is there a good program that I can use to look at all of the shadow copy files without having to look at each file?  The program has about 30 individual files that all have .dat, .ixd and .ou file associated with it.

Thanks

Keith Swanson

[Networks]

I think Harlen Carvey's reg ripper tool or another one of his tools has some way to look at restore points

Jim

--
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To post to this group, send email to datarecovery...@googlegroups.com.
To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.

[Conray van Biljon]

Hi

U can see by the date of each shadow copy , its possible that they are
numbered , I look for that tool and tutorial , it let's u restore a
shadow copy to a drive or at least the contents of it , it is scary
what shadow reveals

> --
> You received this message because you are subscribed to the Google Groups
> "DataRecoveryCertification" group.
> To post to this group, send email to
> datarecovery...@googlegroups.com.
> To unsubscribe from this group, send email to
> datarecoverycertif...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/datarecoverycertification?hl=en.
>
>

--
Sent from my mobile device

Regards,

Conray

[Weg, Jimmy]

Shadow Explorer, http://www.shadowexplorer.com/, which I run in a VM of the target image.  However, I’m not sure that the restored system will allow you to bring the system forward from 6/20.  I haven’t tested that.

 

Jimmy Weg, CFCE

Agent in Charge, Computer Crime Unit

Montana Division of Criminal Investigation

2225 11th Ave.

Helena, MT 59601

406.444.6681

406.465.5617 (cell)

jw...@mt.gov

--

[Conray van Biljon]

have a look at this , hope it helps

 

 

--

You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To post to this group, send email to datarecovery...@googlegroups.com.
To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.

--

Regards,

 

Conray

[Keith Swanson]

I looked and can't find anything before 6/20. I tried using a search string but can't find anything hidden in the free space of the image.

thanks 

keith

[Keith Swanson]

Jim, tried to restore before 6/20 did not have anything.  only this I found was old files from 1/8/2011.

Thanks for the help

On Wed, Jun 29, 2011 at 10:42 AM, Weg, Jimmy <jw...@mt.gov> wrote:

[Weg, Jimmy]

I’m not entirely sure of what you have, but once the system was restored to 6/20, I’m not sure that you can restore it back to, for example, 6/21.  My guess is that, since you went backwards, you can’t restore to the future, which makes sense.  I would think, however, that you can restore to 6/19 and earlier, provided that the shadow volumes exist.

[Keith Swanson]

when they did the restore it wiped out everything in the system volume information repository.  Trying to restore to anything between 1/8 and 6/20, I have been able to find files from 1/8 but that was all, when they did the restore it must have overwritten the original files.  It struck me as odd that I could find files from 1/8/ but nothing after that. They have backups turned on but they were not working.

Keith Swanson, CCE, CISSP

Computer Security Investigations