Mounting a Windows Volume Shadow Copy on Linux using libvshadow


I've come across a couple of instances lately where I have access to the raw files created by the Volume Shadow Service on Windows, where my goal is to recover files from the Shadow Copy that we no longer have access to by other means.

My current issue lies with a Locky variant of the ransomware family, where any shadow copies had been wiped out by the vssadmin command on the infected Windows 7 computer. I was able to recover the System Volume Information via testdisk from a separate Ubuntu installation and placed the recovered files back into the System Volume Information folder. In a previous instance, I did not have to recover the System Volume Information and it did not have a ransomware infection, but I was still unable to use libvshadow to view the shadow copy store.

As I understand it, the VSS keeps its Shadow Copies in C:\System Volume Information\. Each "copy" is stored as a single file with a GUID-like name ({6d947e68-7c32-11e7-8b12-1078d273ab75}{3808876b-c176-4e48-b7ae-04046e6cc752}). In my case, I have several of these files each with a size of anywhere between 600MB to 1.1GB.

The drive is plugged in via USB dock to a standard desktop installation of Ubuntu 16.04, and the Windows partition is mounted at /media/user/Windows 7 OS/ via /dev/sdc2. When I run vshadowinfo /dev/sdc2, I'm told there are 0 stores.

So the question is: how do I access these files when it seems like everything is in the appropriate place, but both vshadowinfo on Linux and ShadowExplorer on Windows tell me there are no stores available?

Jesse

Posted 2017-09-07T15:15:47.030


No answers
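An added example, not part of the question above and not libvshadow's own code: the store files in System Volume Information are only half of what vshadowinfo needs. The tool finds stores by reading a small VSS volume header near the start of the NTFS volume and following its catalog pointer; if that header is missing or the catalog offset is zero, the tool reports 0 stores no matter which `{guid}{3808876b-...}` files sit in the folder. The script below reads that header from a partition device or raw volume image (pass `/dev/sdc2`, not the whole disk) and says which of those cases applies. The fixed GUID `3808876b-c176-4e48-b7ae-04046e6cc752` is the same one that forms the second half of the store file names in the question. The header offset (0x1E00) and field layout follow libvshadow's published format notes as I recall them and should be treated as assumptions; `SAMPLE_VOLUME_ID` and the `build_volume_header` helper are constructed test data.

```python
"""Check an NTFS volume for the VSS volume header that vshadowinfo relies on.

Field layout is assumed from libvshadow's format documentation (512-byte
header at volume offset 0x1E00); it is not copied from the question.
"""
import struct
import uuid

# Fixed VSS identifier: first 16 bytes of the volume header, and also the
# second GUID in every store file name under System Volume Information.
VSS_IDENTIFIER = uuid.UUID("3808876b-c176-4e48-b7ae-04046e6cc752")
VOLUME_HEADER_OFFSET = 0x1E00   # 7680 bytes into the volume (assumed)
VOLUME_HEADER_SIZE = 512

# Constructed volume identifier used only for the sample header below.
SAMPLE_VOLUME_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def parse_volume_header(data: bytes) -> dict:
    """Decode the assumed volume-header fields from 512 bytes."""
    if len(data) < VOLUME_HEADER_SIZE:
        raise ValueError("volume header needs %d bytes" % VOLUME_HEADER_SIZE)
    version, record_type = struct.unpack_from("<II", data, 16)
    (current_offset,) = struct.unpack_from("<Q", data, 24)
    catalog_offset, maximum_size = struct.unpack_from("<QQ", data, 48)
    return {
        "identifier": uuid.UUID(bytes_le=data[0:16]),
        "version": version,
        "record_type": record_type,
        "current_offset": current_offset,
        "catalog_offset": catalog_offset,
        "maximum_size": maximum_size,
        "volume_identifier": uuid.UUID(bytes_le=data[64:80]),
        "store_volume_identifier": uuid.UUID(bytes_le=data[80:96]),
    }


def classify(header: dict) -> str:
    """Map the parsed header onto what vshadowinfo can do with it."""
    if header["identifier"] != VSS_IDENTIFIER:
        return "no-vss-header"          # nothing for vshadowinfo to enumerate
    if header["catalog_offset"] == 0:
        return "vss-header-no-catalog"  # header intact, catalog reference cleared
    return "vss-catalog-present"        # stores can be located via the catalog


def build_volume_header(catalog_offset: int, volume_id: uuid.UUID) -> bytes:
    """Construct a sample header (test data, not taken from any real system)."""
    buf = bytearray(VOLUME_HEADER_SIZE)
    buf[0:16] = VSS_IDENTIFIER.bytes_le
    struct.pack_into("<II", buf, 16, 1, 1)              # version 1, record type 1
    struct.pack_into("<Q", buf, 24, VOLUME_HEADER_OFFSET)
    struct.pack_into("<QQ", buf, 48, catalog_offset, 0)
    buf[64:80] = volume_id.bytes_le
    buf[80:96] = volume_id.bytes_le                     # stores on the same volume
    return bytes(buf)


def check_volume(path: str) -> str:
    """Read the header from a block device or raw volume image and classify it."""
    with open(path, "rb") as fh:
        fh.seek(VOLUME_HEADER_OFFSET)
        return classify(parse_volume_header(fh.read(VOLUME_HEADER_SIZE)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_volume(sys.argv[1]))
    else:
        sample = build_volume_header(0x0010_0000, SAMPLE_VOLUME_ID)
        print("constructed header ->", classify(parse_volume_header(sample)))
        print("zeroed header      ->", classify(parse_volume_header(bytes(512))))
```

Run it against the partition (`sudo python3 vsscheck.py /dev/sdc2`). A `no-vss-header` or `vss-header-no-catalog` result explains a 0-store report from vshadowinfo independently of the recovered files; only `vss-catalog-present` means the tool has a catalog to walk. If you are working from a whole-disk image rather than a partition, the same offset applies relative to the start of the NTFS volume, which is also why vshadowinfo takes a `-o` volume offset in that case.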