2

Short of buying identical hardware, my sister's computer died and she kept only the hard drive. She moved a file to a USB FD prior to it dying, but she can't find the FD. She knows it was on the desktop. I've used the "Previous Versions" feature on her computer to recover files, so I know it's enabled. But with the drive being attached to a USB hard drive dock, is it possible to browse Windows 7 Previous Versions of her desktop folder?

user208145
  • 123
  • 3

2 Answers

1

The short answer is maybe. Windows previous versions are held in what are called volume shadow copies. The volume shadow copy service (VSC) is what is responsible for keeping these previous versions of your files. So if you are looking for one you need to gain access to the shadow copy of the drive.

The VSC does not take up used drive space but instead uses free space to store the files. As the drive fills up, these copies are automatically deleted to make room for used space files.

As for accessing it, if all you have is the drive itself, the best thing you can do is follow a forensic or incident response method. EnCase has the ability to mount VSC from a drive image, but I doubt you have access to it. If you do, then create an image of the drive, mount it in EnCase PDE, and use vssadmin to access the shadow copy.

If not, there may be a method that helps you, but I have not tested it myself. I have been meaning to do a trial of this method to retrieve VSC files from a drive image but never got the time to make a lab suitable for it yet. It's on my todo list. However, I think it might be your best shot at recovering the files if they are indeed held in a VSC.

The full blog post is located here:

It is important that you create a full disk image of the drive: a direct bit-by-bit copy. dd will do fine for this, or testdisk; both are Linux tools you can use easily to create a suitable image. I urge you not to use the drive itself for this kind of test. An image can be replaced. The drive cannot.

Follow the steps this person used to access and manipulate VSCs and you may be able to mount your VSC and find what you are looking for.

Good luck!

Nalaurien
  • 1,614
  • 9
  • 16
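The imaging step described in this answer, as an added example that is not part of the original post: copy the source with `dd`, confirm the image hashes identically to the source, and write-protect the image so all further work happens on the copy. The function names and the command-line arguments are assumptions for illustration; on a real system the source would be the docked drive's block device.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): image a drive with dd and
# verify the copy before working on it. Function names are hypothetical.

# Print the SHA-256 of a file or block device.
hash_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_image SRC IMG: return 0 only if both hash to the same value.
verify_image() {
    src_hash=$(hash_of "$1") || return 2
    img_hash=$(hash_of "$2") || return 2
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# image_and_verify SRC IMG: bit-for-bit copy, verify, then write-protect.
image_and_verify() {
    src=$1
    img=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    # Never clobber an existing image; it may be the only good copy.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi
    # Plain dd stops on the first read error, so a partial image is never
    # mistaken for a complete one.
    dd if="$src" of="$img" bs=1M status=none || return 2
    verify_image "$src" "$img" || return 1
    # Work on copies of this file; keep the verified image read-only.
    chmod a-w "$img"
}

# Run only when called with two arguments: SRC (device or file) and IMG.
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Attach the source drive without mounting it, and give the script the whole-disk device rather than a partition so the image contains everything on the drive.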
0

A dd'd copy will not have the original bit-depth and therefore the overwritten data that you are trying to recover will not be there. You must use a copy tool that understands depth-multiplexing, hopefully to the maximum depth of 32. EnCase is one (good) example.

  • `dd` is a bit-by-bit clone of a drive. That's why it can be used in court proceedings. – user208145 Aug 29 '17 at 22:29
  • Right, but getting data on any of the bitwise 'layers' is then impossible without the original. The principle is called depth multiplexing. It means the electromagnetic 'layers' of the hard drive can be detected and data can be recovered from older installations. The maximum recoverable depth, as in the maximum amount of times you can write to the same spot, is 32 before the layers become illegible. – JuliaTheMad Aug 30 '17 at 23:55
  • Are you equating (damaged) drive forensic recovery - e.g. with an electron microscope - and volume shadow copy that, in a nutshell, makes a copy of a file or its changes to unallocated space on a drive? – user208145 Sep 08 '17 at 02:08
  • No, using a computer it is definitely possible to shadow copy a drive where previous information can be retrieved. It puts each bit at a 'depth' level when copying it, and pastes the bit at the same appropriate level. Software such as EnCase does this but dd doesn't. – JuliaTheMad Sep 08 '17 at 18:37
  • To rule out the "bit depth" you've mentioned, I dd'd an SSD to another and the previous versions of a test folder were transferred. I verified contents and md5 checksums of the files and they're correct. – user208145 Sep 08 '17 at 22:49