Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vshadowmount error #12

Open
eCxgyY5V0xdFJxoEYpxl opened this issue Oct 25, 2021 · 0 comments
Open

vshadowmount error #12

eCxgyY5V0xdFJxoEYpxl opened this issue Oct 25, 2021 · 0 comments

Comments

@eCxgyY5V0xdFJxoEYpxl
Copy link

eCxgyY5V0xdFJxoEYpxl commented Oct 25, 2021
edited
Loading

Hello,

I have a problem recovering the VSS.
The disc was captured with the FTK imager.
The OS of the captured disk is windows 2012 R2

I work with windows 10.

This is all i did:

mmls.exe F:\HDD-DD.001 

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000718847   0000716800   NTFS / exFAT (0x07)
003:  000:001   0000718848   1953521663   1952802816   NTFS / exFAT (0x07)
004:  -------   1953521664   1953525167   0000003504   Unallocated

vshadowinfo.exe -o 368050176 F:\HDD-E01.E01

No Volume Shadow Snapshots found.

python vss_carver.py -t RAW -o 368050176 -i F:\HDD-DD.001 -c F:\catalog -s F:\store

==================================================
Stage 1: Checking if VSS is enabled.
Volume size: 0xe8cad00000
Found VSS volume header.
0x1e00: b'6b87083876c1484eb7ae04046e6cc752'
Catalog offset: 0x0
==================================================
Stage 2: Reading catalog from disk image.
VSS snapshot was enabled. But all snapshots were deleted.
==================================================
Stage 3: Carving data blocks.
Started at 2021/10/25 15:27:26
Progress: 999835041792 / 999835041792 bytes (100.00%) at 2021/10/25 16:56:17
Finished at 2021/10/25 16:56:17
==================================================
Stage 4: Grouping store blocks by VSS snapshot.
==================================================
Stage 5: Checking next block offset lists.
==================================================
Stage 6: Deduplicating carved catalog entries.
==================================================
Stage 7: Writing store file.
==================================================
Stage 8: Writing catalog file.

python vss_catalog_manipulator.py list F:\catalog

[0] Enable, Date: 2021-10-25 15:56:17, GUID: ac4b5ab5-a335-ec11-834c-b06ebf5f2047
[1] Enable, Date: 2021-10-25 14:56:17, GUID: 907d5cb5-a335-ec11-ba02-b06ebf5f2047

vshadowmount.exe -o 368050176 -c F:\catalog -s F:\store F:\HDD-DD.001 X:

Unable to open source volume
libvshadow_store_block_read_header_data: invalid store block list header identifier.
libvshadow_store_block_read: unable to read store block header.
libvshadow_store_descriptor_read_store_header: unable to read store block at offset: 0.
libvshadow_volume_open_read: unable to read store: 0 header.
libvshadow_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@eCxgyY5V0xdFJxoEYpxl