Great Video! I always learn something when I watch your channel
Thanks!
Another awesome video. I mounted an image that contains 6 VSCs with Arsenal and utilized Shadow Explorer to recover illegal materials (videos) that were deleted. After I exported them they didn't play; I can only think they must be corrupted.
Thanks, I was going to be looking at shadow copies as part of a project, so this was good timing.
Thanks mate, also I like the new banners that pop up. They look cool as heck.
Thanks!
Fabulous video. Thank you!
What does block-level copies mean in VSS? I know that it creates differential backups, i.e. only saves changes in data, but I don't truly understand what makes it different by doing it at block level. Thanks in advance!
It just means that VSS operates at the block level of the data storage model. More here: en.wikipedia.org/wiki/Block_(data_storage) and en.wikipedia.org/wiki/Shadow_Copy. The data is copied in 16KB "chunks".
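A toy model of the block-level behaviour described in the reply above, added here as an illustration; it is not part of the comment thread and not the real VSS on-disk format. The `Volume` class, its methods and the sample data are constructed for this example; only the 16 KB chunk size comes from the reply.

```python
BLOCK = 16 * 1024  # 16 KB copy-on-write unit, the chunk size quoted in the reply


class Volume:
    """Hypothetical volume with one copy-on-write snapshot (a model only)."""

    def __init__(self, data: bytes):
        self.live = bytearray(data)
        self.diff = None  # block index -> original block, saved on first overwrite

    def snapshot(self):
        # Taking a snapshot copies no data; it only starts tracking changes.
        self.diff = {}

    def write(self, offset: int, payload: bytes):
        if self.diff is not None and payload:
            first = offset // BLOCK
            last = (offset + len(payload) - 1) // BLOCK
            for idx in range(first, last + 1):
                # Preserve the whole old block once, before its first change.
                if idx not in self.diff:
                    start = idx * BLOCK
                    self.diff[idx] = bytes(self.live[start:start + BLOCK])
        self.live[offset:offset + len(payload)] = payload

    def read_snapshot(self) -> bytes:
        # Snapshot view = live blocks, except where a preserved original exists.
        view = bytearray(self.live)
        for idx, original in self.diff.items():
            start = idx * BLOCK
            view[start:start + len(original)] = original
        return bytes(view)


def demo():
    original = bytes(i % 251 for i in range(8 * BLOCK))  # constructed 128 KB volume
    vol = Volume(original)
    vol.snapshot()
    vol.write(BLOCK + 100, b"X" * 10)    # 10 bytes changed inside block 1
    vol.write(3 * BLOCK - 5, b"Y" * 10)  # 10 bytes straddling blocks 2 and 3
    return {
        "blocks_saved": sorted(vol.diff),
        "diff_bytes": sum(len(b) for b in vol.diff.values()),
        "snapshot_intact": vol.read_snapshot() == original,
        "live_changed": bytes(vol.live) != original,
    }


if __name__ == "__main__":
    print(demo())
```

Twenty changed bytes cost three preserved 16 KB blocks in this model, because the unit of preservation is the block rather than the file or the byte.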
Firstly, thank you for making such a great quality video. I was able to access the shadow copy under the current user's profile but unable to access Documents under different users. Is there a way to look into other users' profiles as well?
Question: Let's say I have a shadow copy for my C drive and I get infected with ransomware and it encrypts all my files. Would I be able to retrieve the unencrypted C drive?
Unlikely, as nearly all ransomware I've seen will kill all of the volume shadows as one of the first steps.
@13Cubed Oh god, malware authors know what they are doing :/
Interesting video. I tried to recover a deleted file listed in a VSC, but when I opened it, I found that the file was corrupted; the content was filled with all null values. It was a PDF. In contrast, I notice that for existing files, recovery from a VSC gives a valid file. Has that ever happened to you? I'm using a fully patched Win 10 Pro. Thank you.
Hmm, I don't think I've run into this particular problem -- any file I've found that is still present within a volume shadow is usually able to be extracted from that shadow without issue.
Usually this happens because of BitLocker or some other encryption.
Is there a way to prevent ntds.dit from being copied to a volume shadow?
Not sure I understand your question.
Hi sir, I think you left out the important section in forensics, disk forensics. What if the hard drive is corrupted and the investigator needs the data? How would he do that?
That's a little beyond the scope of what I am covering in this episode. Data recovery is an entire topic/field unto itself. Here's a great resource: Scott Moulton's myharddrivedied.com
@13Cubed Thanks, sir.
Thanks for the video...
If Ransomware deletes the shadow copies, can we recover them?
In some cases, it may be possible to recover deleted Volume Shadow Copies, though admittedly I've not had much luck with this. There was a Black Hat presentation a few years ago discussing this. So, TL;DR, like so many other things in forensics, "it depends..."
I used it many times to recover files from csc
Alternatively, I use Undelete 11 from Softgate Solutions; no need to burden the server with additional configuration, which takes administrative time. Undelete simply provides a network-based recycle bin from which users can quickly recover their files without an administrator's help.