Seizing Volume Shadow Copies

erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

Just a quick question about seizing volume shadow copies off 2003 servers.

How would people go about grabbing them along with the current files & folders?

For example, if I was restricted in what I could search and seize and wanted to make a logical copy of a directory and grab the shadow copies of the files and folders underneath it, is there a way?

FTK Imager would work nicely for the directory & subdirectory seizure, but is there a way to get the shadow copies as well without exporting them individually – something which could take a very very long time…

Thanks for any thoughts or suggestions.

ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
 

I guess you can try to find their location first by using the following command
vssadmin list shadowstorage

You should be able to see shadow copies by GUID as well. See this link for more details: http://technet.microsoft.com/en-us/library/bb491031.aspx

If files are stored on the server, use explorer to navigate to
\\localhost\Y$ where Y is the shared folders' location. If the volume is located somewhere on the network you may use the Windows XP MS Shadow Copy Client to access shadow copies on Windows Server 2003
[http://www.microsoft.com/downloads/details.aspx?FamilyID=e382358f-33c3-4de7-acd8-a33ac92d295e&DisplayLang=en]
or use the Win 2003 Server native client. If you know which files you are after, then you can access shadow copies through the 'Previous Versions' tab in these files' properties inside the share. Use Copy (not the Restore button) to get these files.

Hope this helps.
Regards ecophobia


(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

You probably want to create a logical image of the shadow volume. Try

dd.exe if=\\.\HarddiskVolumeShadowCopy4 of=F:\snapshot4.img --localwrt

See http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/ for more information. GMG Systems, Inc. DD is a part of the Forensic Acquisition Utilities, available at http://www.gmgsystemsinc.com/fau.


ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
 

You probably want to create a logical image of the shadow volume. Try

dd.exe if=\\.\HarddiskVolumeShadowCopy4 of=F:\snapshot4.img --localwrt

See http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/ for more information. GMG Systems, Inc. DD is a part of the Forensic Acquisition Utilities, available at http://www.gmgsystemsinc.com/fau.

Thanks for the link,

SOME of it may be applicable to Windows 2003 Server.


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

Thanks for all the info everyone.

I'll try some of this out.

One of the problems with doing forensics on servers however is that you may be limited to seizing a specific user's data - and that can make seizing the entire shadow copy volume impossible.

Then there is the fact that even though you are limited to certain user's folders, that may still be a lot of files. Multiply that by the number of shadow copies available and it can quickly become impractical to use the GUI to copy the files out.

Maybe a creative batch file would do the trick… lol (In my dreams, right.)

I guess I was hoping that there might be a way from the command line to export shadow copies of a file and that I could then write a script to do this recursively through subdirectories.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

erowe,

It's entirely possible to do what you're asking, if you're able to clearly define the files that you're interested in. The link that Mr. Garner referenced includes some basic commands for accessing Volume Shadow Copies. If you know the specific files you're looking for, or enough of the characteristics of them, then you can run a script to

1. Identify all Volume Shadow Copies on the system
2. Iterate through each Volume Shadow Copy, using the "mklink" command illustrated at the SANS Forensics site.
3. Copy out each file.

There appear to be a number of ways of doing this, from simple batch files to more sophisticated scripting using WMI classes and incorporating error checking/handling and logging (for forensic documentation purposes).


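A batch file that walks the three steps above (enumerate the shadow copies, expose each one with mklink, copy out only the in-scope directory with logging), added here as an example; it is not code from any poster in this thread or from the SANS post. It assumes an elevated prompt on a host whose cmd.exe has mklink (Vista/Server 2008 and later; Server 2003 lacks it), and the `SRC` and `DEST` paths are placeholders for the in-scope user directory and the evidence drive.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not code from the thread. Assumes an elevated prompt,
REM a cmd.exe that has mklink, SRC = in-scope directory relative to the
REM volume root (placeholder), DEST = separate evidence drive (placeholder).
set "SRC=Users\jdoe\Documents"
set "DEST=F:\evidence\vsc"
set "LOG=%DEST%\vsc_copy.log"
if not exist "%DEST%" mkdir "%DEST%"

REM Step 1: record the complete shadow copy inventory for the case file.
echo [%DATE% %TIME%] vssadmin list shadows >> "%LOG%"
vssadmin list shadows >> "%LOG%"

REM Each "Shadow Copy Volume:" line carries a device path such as
REM \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
for /f "tokens=2 delims=:" %%V in ('vssadmin list shadows ^| findstr /C:"Shadow Copy Volume:"') do (
    set "VSC=%%V"
    REM Drop the single space left after the colon delimiter.
    set "VSC=!VSC:~1!"
    REM Keep only the trailing number as a short label for this snapshot.
    set "N=!VSC:*HarddiskVolumeShadowCopy=!"
    set "MNT=%DEST%\mnt_vsc!N!"

    REM Step 2: expose the snapshot as a directory (trailing backslash required).
    mklink /d "!MNT!" "!VSC!\" >nul
    if exist "!MNT!\%SRC%\" (
        REM Step 3: copy only the in-scope tree, preserving data, attributes
        REM and timestamps, and append robocopy's own log to the case log.
        echo [!DATE! !TIME!] VSC !N!: copying %SRC% >> "%LOG%"
        robocopy "!MNT!\%SRC%" "%DEST%\vsc!N!" /E /COPY:DAT /R:1 /W:1 /NP /LOG+:"%LOG%"
    ) else (
        echo [!DATE! !TIME!] VSC !N!: %SRC% not present, skipped >> "%LOG%"
    )
    REM rmdir removes only the link; the snapshot itself is untouched.
    rmdir "!MNT!"
)
endlocal
```

Snapshots of other volumes simply fall through the `if exist` branch and are logged as skipped, so the copy stays within the directory the seizure authority covers.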