Shadow copy recovered files contain lots of NULL blocks

A computer I am working on had most of the files on it encrypted by the TeslaCrypt ransomware program. I found that it did not delete the shadow copies and there may be a number of backups available.

I tried mounting several of the shadow copies prior to infection using vssadmin list shadows and mklink /D C:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\ and am able to see most of the files we are interested in recovering.

The problem is most of the files I look at partially contain the correct data but have large blocks of zeroes (\x00) either at the end or the middle of the files.

The files are all the original sizes except that they are missing large chunks. Are those missing portions of the files lost or is there some issue with these shadow copies?

System: Windows 8.1 64-bit.

EDIT:

Maybe this is happening because Windows 8 is phasing out volume shadow copy and instead using block level backup?

drew010

Posted 2015-03-11T17:35:34.963

Reputation: 351
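The procedure in the question (list the snapshots with vssadmin, expose one with mklink, then inspect the files) is easy to automate, and automating the last step is what matters here: a file that is the right size but silently zero-filled will look intact in Explorer. The PowerShell below is an added example, not code from the original post or from Microsoft. It enumerates the snapshots through WMI (the same data vssadmin list shadows prints), links the chosen one under a mount directory exactly as the question's mklink command does, and then flags every file under a given subtree that contains at least one block consisting entirely of 0x00 bytes. The mount point C:\restore, the subtree Users, the 64 KiB block size and the choice of the oldest snapshot are assumptions for illustration; it must run in an elevated PowerShell.

```powershell
# Added example (not from the original post): enumerate VSS snapshots, mount one
# read-only via a directory symlink, and report files that contain whole
# zero-filled blocks, so silently corrupted copies are caught before relying on them.
# Assumptions (illustrative values): elevated shell, mount point C:\restore,
# scan the Users tree, 64 KiB block size, oldest snapshot first.
param(
    [string]$MountPoint  = 'C:\restore',
    [string]$SubPath     = 'Users',
    [int]   $BlockSize   = 64KB,
    [int]   $ShadowIndex = 0
)

# 1. List snapshots, oldest first. DeviceObject is the \\?\GLOBALROOT\Device\... path.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) { throw 'No shadow copies found on this system.' }
$shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
$dev = $shadows[$ShadowIndex].DeviceObject

# 2. Expose the snapshot as a directory symlink (same as: mklink /D C:\restore <device>\).
#    The trailing backslash on the device path is required.
if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists; refusing to overwrite." }
cmd.exe /c mklink /D "$MountPoint" "$dev\" | Out-Null

# A block is "zero" if its SHA-256 equals that of an all-zero block of the same length.
$sha = [System.Security.Cryptography.SHA256]::Create()
$zeroHash = @{}   # length -> hex digest of that many 0x00 bytes (cached per length seen)
function Test-ZeroBlock([byte[]]$Buffer, [int]$Count) {
    if (-not $zeroHash.ContainsKey($Count)) {
        $zeroHash[$Count] = [BitConverter]::ToString($sha.ComputeHash((New-Object byte[] $Count)))
    }
    return [BitConverter]::ToString($sha.ComputeHash($Buffer, 0, $Count)) -eq $zeroHash[$Count]
}

# 3. Count all-zero blocks in one file and return a summary object if any were found.
function Get-ZeroBlockReport([string]$Path, [int]$Size) {
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $Size
        $index = 0; $zero = 0; $firstZero = -1
        while (($n = $fs.Read($buf, 0, $Size)) -gt 0) {
            if (Test-ZeroBlock $buf $n) {
                $zero++
                if ($firstZero -lt 0) { $firstZero = $index }
            }
            $index++
        }
        if ($zero -gt 0) {
            [pscustomobject]@{
                Path         = $Path
                FileBytes    = $fs.Length
                ZeroBlocks   = $zero
                TotalBlocks  = $index
                FirstZeroOff = $firstZero * $Size
            }
        }
    } finally { $fs.Dispose() }
}

try {
    $root = Join-Path $MountPoint $SubPath
    $hits = Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $BlockSize } |
        ForEach-Object { Get-ZeroBlockReport $_.FullName $BlockSize }
    $hits | Sort-Object ZeroBlocks -Descending | Format-Table -AutoSize
    "{0} file(s) with at least one all-zero {1} KiB block." -f @($hits).Count, ($BlockSize / 1KB)
} finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd.exe /c rmdir "$MountPoint" | Out-Null
}
```

Two caveats when reading the output. Files that legitimately contain zero-filled regions (sparse files, pre-allocated databases, some installers) will be listed too, so treat a hit as "inspect this" rather than "corrupt". And because the check is block-aligned, rerun it with the same file list against each snapshot index: if an older snapshot shows fewer zero blocks for the same path, that copy is the one to keep.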

I recently experienced a similar issue. I posted my problem to MS communities just minutes before discovering this question. Just for cross-reference: http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/shadow-copy-snapshot-file-contents-silently/06a5e25b-6607-45eb-81a1-71cfc2b0cce3?tm=1431093840771

– Don Zoomik – 2015-05-08T14:08:27.547

@DonZoomik Glad you found this, thanks for the comment. I just replied on the MS post and hope someone has some info on this. Surely would be useful to someone in the future. Unfortunately there was nothing I could do for the person whose files I was trying to recover before since there was no relevant info on the problem. – drew010 – 2015-05-08T16:12:25.627

I talked my boss into providing a company credit card and just created a Microsoft Professional Support incident, let's see what happens...

In the meantime I also asked the same question on the TechNet forums (maybe there would be more competent eyes...) but no useful replies. https://social.technet.microsoft.com/Forums/en-US/8012dd85-410e-49d4-8d09-191b915b2852/shadow-copy-snapshot-file-contents-silently-corrupted-on-windows-81?forum=w8itprogeneral

– Don Zoomik – 2015-06-08T15:35:56.617

@DonZoomik Good luck, hopefully they will help get it figured out. Looking forward to hearing the results. – drew010 – 2015-06-09T17:26:38.027

Answers

Microsoft Professional Support confirmed the issue (previously unknown by Microsoft). No workarounds but there will very likely be a public hotfix in the future (currently there is no timeline).

Don Zoomik

Posted 2015-03-11T17:35:34.963

Reputation: 314

For anyone wishing to contact MS Support, please reference my support incident 115060812822144 to increase visibility. The issue remains unsolved (but confirmed). – Don Zoomik – 2015-11-23T15:48:23.777