Shadow copy for Vista

As you have probably realised, the volume shadow copy facility in Vista is tied to the System Restore feature (both are driven by System Protection on each volume). When you turn one off, you also turn the other off. This is unfortunate, since System Restore has its uses when you need to roll the state of Windows and your programs back to a particular date, such as before you made some disastrous mistake.

However, you can compensate for the lack of System Restore by keeping up-to-date backups of your hard disk. This is in many ways better than having System Restore, since the latter does not really restore a system cleanly to an earlier state. If you like to keep previous versions of your files but do not like Vista's built-in facility, or you are using XP or an earlier version of Windows, you can also install a third-party version control system.

These specialised programs are generally more powerful than the Windows built-in facility. Free versions of such software can be found on thefreecountry.

Even after you turn off volume shadow copy, do not imagine that your documents are now safe from prying eyes. The programs you use to create those documents usually create temporary files on your hard disk, and portions of your documents may also survive in the Windows paging and hibernation files.

Note also that a shadow copy is kept on the same disk as the original data. If that disk fails, all data is lost, including the shadow copies. A shadow copy browser such as ShadowExplorer is a good addition to regular backups, but not a replacement for them.

Suppose a file was deleted or overwritten after the previous day's snapshot. If an investigator examines the shadow volume created from that snapshot, the file is recoverable from it. The shadow volume presents an exact point-in-time view of the entire volume, including unallocated space as it was at snapshot time (physically, VSS stores only the blocks that changed afterwards, copy-on-write, but the view it exposes is complete). How many shadow volumes will an investigator have access to? It depends on the disk size, on how much space is allocated to shadow storage, and on how much data has changed since each snapshot. For all versions of Vista, System Restore uses VSS in order to roll the computer back to a previous snapshot. For the Business, Enterprise and Ultimate editions, "Previous Versions" is also enabled, which allows a user to "rewind" a file, a directory, or an entire volume.

Important: At the time of writing, you can only examine shadow copy volumes if you have the original device the shadow copy volumes are on. You cannot examine or recover shadow copy volumes from a disk image file mounted on your SIFT workstation via ntfs-3g, EnCase, VDK, or Mount Image Pro. (This limitation has since been addressed by tools such as libvshadow, whose vshadowinfo and vshadowmount utilities parse the VSS store directly from a raw image, but the procedure below assumes the original drive.)

However, you can examine a volume image duplicated from the shadow copy volume. To get at the shadow copies, you have to mount your original hard drive, the one that contains them, in read-only mode on a Vista machine.

How many shadow volumes are stored on the system you are examining? You can obtain a list of the existing shadow volumes known to the Volume Shadow Copy Service by running the vssadmin tool from an administrator command prompt. From the output of "vssadmin list shadows", note the total number of shadow copy volumes on the machine. The excerpt in this example shows only three, but the full output listed 15 shadow copy volumes in total.

This particular machine had a GB partition volume allocated for the C drive. If you decide to image the shadow copy volumes, you could theoretically have over 16 separate GB logical images created from this one machine, each one from a different point in time.

On a live machine it can be useful to browse or scan the contents of a shadow copy volume directly. From an administrator-enabled command prompt this is relatively easy with the mklink tool: point a directory symbolic link at the device object that "vssadmin list shadows" reports for the snapshot (a path of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN), remembering the trailing backslash on the target, and the snapshot then appears as an ordinary read-only directory tree.
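The following PowerShell script is an added example, not code from the original article: it enumerates the shadow copies on a live Vista or later machine through the Win32_ShadowCopy WMI class (the same data that "vssadmin list shadows" prints), exposes each one as a directory symbolic link with mklink, and then searches all of them for a file type of interest. The mount directory C:\vss_mounts and the *.docx search pattern are arbitrary assumptions chosen for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the original article): expose every shadow copy on a
# live machine as a directory symbolic link so it can be browsed or scanned.
# Assumed, arbitrary mount directory; any writable path will do.
$MountRoot = 'C:\vss_mounts'
New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Win32_ShadowCopy lists the same snapshots as "vssadmin list shadows".
$shadows = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate

foreach ($s in $shadows) {
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    $n    = $s.DeviceObject -replace '.*HarddiskVolumeShadowCopy', ''
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    $link = Join-Path $MountRoot ('shadow{0}_{1}' -f $n, $when.ToString('yyyyMMdd_HHmmss'))

    # The trailing backslash on the target is required; without it the link
    # is created but cannot be traversed.
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    Write-Output ('{0} -> {1} (volume {2})' -f $link, $s.DeviceObject, $s.VolumeName)
}

# Example triage: look across every snapshot for Word documents, e.g. one that
# has since been deleted from the live volume. Pattern is an assumption.
Get-ChildItem -Path $MountRoot -Recurse -Filter '*.docx' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length

# Clean-up: removing a link does not touch the underlying shadow copy.
# Get-ChildItem $MountRoot | ForEach-Object { cmd /c rmdir "$($_.FullName)" }
```

The links are sorted by snapshot time so that the directory names read as a timeline; comparing the same path across several shadowN_* directories shows when a file appeared, changed, or vanished. Remove the links with rmdir rather than a recursive delete, since deleting through a symbolic link would attempt to delete the target's contents.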

Restoring previous versions: with VSS set up, and again most users will find their systems set up this way out of the box, restoring an older version of a file begins with a simple right-click on the file in question in an Explorer window. From the context menu, select Restore Previous Versions to see what is available. Depending on whether you have selected a folder or a file, Vista responds differently. For a file, when you click Restore..., Vista displays the Copy File dialog, asking whether you want to replace the existing version or rename the restored version so that the existing and the restored files can coexist in the same folder. When you click Restore... for a folder, however, an ominous warning dialog pops up, telling you that if you proceed you will irrevocably replace the existing folder with the restored one.

Obviously, this is not a decision to be made lightly, and you need not make it at all. From the Previous Versions dialog for a folder, you can open the folder and drag the files inside it to anywhere you wish, even into running programs. For this reason, if you know the approximate date of the version you are looking for, work with folders rather than individual files when you wish to restore.

This article originally appeared on PCMag.