Recovery Options for vssadmin “No items found” error
Hi, I'm doing a forensic analysis on a drive containing a Windows 10 system. I have a situation where I need to compare a list of applications that were removed by analyzing the system state before and after the applications were deleted. System Restore does not show any restore points for me to recover from to compare the differences.
I made an image of the disk and examined the file system. The "System Volume Information" folder exists with various snapshots:
After I mounted the VHD, vssadmin gives me an error when I try to list the shadows:

```text
K:\System Volume Information\
{3808876b-c176-4e48-b7ae-04046e6cc752}                                       65,536         12/14/2015 12:08  12/14/2015 12:08  12/14/2015 12:08
{7a074314-a711-11e5-8d73-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752} 469,762,048    12/27/2015 01:58  12/28/2015 14:27  12/27/2015 01:58
{c84c39a0-a42b-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752} 4,447,035,392  12/18/2015 12:33  12/27/2015 01:59  12/18/2015 12:33
{d90c1d4c-a0c9-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752} 382,533,632    12/14/2015 12:08  12/18/2015 12:33  12/14/2015 12:08
IndexerVolumeGuid                                                            76             10/31/2015 14:18  10/31/2015 14:18  10/31/2015 14:18
MountPointManagerRemoteDatabase                                              0              1/9/2013 17:03    1/9/2013 17:03    1/9/2013 17:03
Syscache.hve                                                                 19,398,656     1/9/2013 17:04    10/31/2015 13:29  10/31/2015 13:29
Syscache.hve.LOG1                                                            262,144        1/9/2013 17:04    10/31/2015 13:28  1/9/2013 17:04
Syscache.hve.LOG2                                                            0              1/9/2013 17:04    1/9/2013 17:04    1/9/2013 17:04
tracking.log                                                                 20,480         1/9/2013 17:04    6/4/2013 02:28    1/9/2013 17:04
WPSettings.dat                                                               12             12/14/2015 09:49  12/14/2015 09:49  12/14/2015 09:49
K:\System Volume Information\Chkdsk\
Chkdsk20141031191126.log                                                     5,120          10/31/2014 11:11  10/31/2014 11:11  10/31/2014 11:11
Chkdsk20150330154511.log                                                     5,120          3/30/2015 07:45   3/30/2015 07:45   3/30/2015 07:45
Chkdsk20150604212154.log                                                     29,696         6/4/2015 13:21    6/4/2015 13:21    6/4/2015 13:21
K:\System Volume Information\Chkdsk\
K:\System Volume Information\SPP\
K:\System Volume Information\SPP\OnlineMetadataCache\
{0f020207-6730-4eeb-9d6c-8e36789dbc7f}_OnDiskSnapshotProp                    15,696         12/18/2015 12:33  12/18/2015 12:33  12/18/2015 12:33
{1dedc651-f0f0-48bc-8cfe-75efd86f9e7c}_OnDiskSnapshotProp                    15,696         12/14/2015 12:08  12/14/2015 12:08  12/14/2015 12:08
{c840a18f-5f36-497b-b321-390438aed0db}_OnDiskSnapshotProp                    15,736         12/27/2015 01:58  12/27/2015 01:58  12/27/2015 01:58
K:\System Volume Information\SPP\OnlineMetadataCache\
K:\System Volume Information\SPP\SppCbsHiveStore\
K:\System Volume Information\SPP\SppCbsHiveStore\
K:\System Volume Information\SPP\SppGroupCache\
{0F020207-6730-4EEB-9D6C-8E36789DBC7F}_DriverPackageInfo                     87,512         12/18/2015 12:43  12/18/2015 12:43  12/18/2015 12:43
{0F020207-6730-4EEB-9D6C-8E36789DBC7F}_WindowsUpdateInfo                     304            12/18/2015 12:43  12/18/2015 12:43  12/18/2015 12:43
{1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_DriverPackageInfo                     87,512         12/15/2015 19:28  12/15/2015 19:28  12/15/2015 19:28
{1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_WindowsUpdateInfo                     176            12/15/2015 19:29  12/15/2015 19:29  12/15/2015 19:29
{C840A18F-5F36-497B-B321-390438AED0DB}_DriverPackageInfo                     87,512         12/27/2015 01:59  12/27/2015 01:59  12/27/2015 01:59
{C840A18F-5F36-497B-B321-390438AED0DB}_WindowsUpdateInfo                     408            12/27/2015 01:59  12/27/2015 01:59  12/27/2015 01:59
K:\System Volume Information\SPP\SppGroupCache\
K:\System Volume Information\SPP\
K:\System Volume Information\SystemRestore\
K:\System Volume Information\SystemRestore\FRStaging\
K:\System Volume Information\SystemRestore\FRStaging\
K:\System Volume Information\SystemRestore\
K:\System Volume Information\Windows Backup\
K:\System Volume Information\Windows Backup\Catalogs\
GlobalCatalogLock.dat                                                        0              7/16/2015 09:36   7/16/2015 09:36   7/16/2015 09:36
K:\System Volume Information\Windows Backup\Catalogs\
K:\System Volume Information\Windows Backup\
K:\System Volume Information
```
My question is: is there a way to recover the system state from the snapshot when VSS doesn't recognize it?

```text
C:\Windows\system32>vssadmin list shadows /for=k:\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query.
```

I did extensive research online and nobody, so far as I can tell, even talks about recovering a snapshot that VSS does not recognize, so please don't vote this down because it was unclear or not properly researched. Thank you.