Disk file recovery

I worked on a failed Windows 7 hard disk for a client recently where there was no backup available. The major issue was that the home directory was encrypted with a third-party product.

I mounted the encrypted drive in my workshop PC and scanned the drive for deleted files and folders. I attempted to read the files in the home directory without any success. The software vendor had no answers for me either and Googling came up with nothing.

It occurred to me as a matter of course to check the System Volume Information folder; in there I discovered about 140 VSS shadow copy files.

I ran “vssadmin list shadows /for=E:\” where E: was the filesystem of the mounted client hard disk.

Then “mklink /D C:\S \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy122\”, which was a very recent large shadow copy file.

Now browsing to the C:\S folder showed me all the files and folders located in the shadow copy. Very cool! I copied off all the files and folders to a portable USB drive for the client. The client confirmed that I had recovered all the major files that were required.

A major concern that I have with this is that the client expected that their files and folders were encrypted, but clearly this is not always the case.
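
An added example, not part of the original post: a read-only PowerShell audit that lists every VSS shadow copy held for one volume, so an administrator can see which snapshots exist on a disk whose files are expected to be encrypted. The function name Get-ShadowCopyInventory and the default drive letter E: are assumptions; it uses the standard Win32_Volume and Win32_ShadowCopy WMI classes and needs an elevated prompt.

```powershell
# Added example: inventory VSS shadow copies on one volume (read-only audit).
# $DriveLetter is an assumed value; run from an elevated PowerShell prompt.
param([string]$DriveLetter = 'E:')

function Get-ShadowCopyInventory {
    param([Parameter(Mandatory)][string]$DriveLetter)

    # Win32_ShadowCopy names its source volume by GUID path, not by drive letter,
    # so resolve the letter to the volume's DeviceID first.
    $volume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No mounted volume with drive letter $DriveLetter" }

    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate |
        ForEach-Object {
            [pscustomobject]@{
                Created      = $_.InstallDate
                AgeDays      = [int]((Get-Date) - $_.InstallDate).TotalDays
                # Device path of the snapshot, e.g. ...\HarddiskVolumeShadowCopyN
                DeviceObject = $_.DeviceObject
                ShadowId     = $_.ID
                SourceHost   = $_.OriginatingMachine
            }
        }
}

$inventory = @(Get-ShadowCopyInventory -DriveLetter $DriveLetter)
if ($inventory.Count -eq 0) {
    Write-Output "No shadow copies found for $DriveLetter"
} else {
    $inventory | Format-Table -AutoSize
    # The list is sorted by creation time, so first and last are oldest and newest.
    "{0} shadow copies on {1}; oldest {2:yyyy-MM-dd}, newest {3:yyyy-MM-dd}" -f `
        $inventory.Count, $DriveLetter, $inventory[0].Created, $inventory[-1].Created
}
```

Each row is a point-in-time copy of the volume that sits outside whatever a file-level encryption product protects on the live filesystem, so the count and the age range show how much history is exposed.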
