Hi,
I have a problem with mounting shadow copies when parameters -c and -s are specified.
Steps I have taken so far: I installed a new Win10 instance in VirtualBox on Ubuntu 16.04, created 4 shadow copies, deleted the oldest one and exported the VDI to a RAW image.
fdisk -l win10.img
Device Boot Start End Sectors Size Id Type
win10.img1 * 2048 104447 102400 50M 7 HPFS/NTFS/exFAT
win10.img2 104448 63691339 63586892 30,3G 7 HPFS/NTFS/exFAT
win10.img3 63692800 64737279 1044480 510M 27 Hidden NTFS WinRE
offset=104448*512=53477376
vshadowinfo /media/sun/D:/Image/win10.img -o 53477376
vshadowinfo 20191221
Volume Shadow Snapshot information:
Number of stores: 3
Store: 1
Identifier : 24a28125-397c-11ec-9e53-080027d234e6
Shadow copy set ID : efc3a883-2aed-47b2-88b2-ae7ca3016716
Creation time : Oct 30, 2021 12:24:26.085246900 UTC
Shadow copy ID : 51638f75-2950-4b77-b127-edac6f93305d
Volume size : 30 GiB (32556488704 bytes)
Attribute flags : 0x0042000d
Store: 2
Identifier : a3e89152-3a1e-11ec-9e54-080027d234e6
Shadow copy set ID : 570ac455-baf0-4204-9471-ccda32999640
Creation time : Oct 31, 2021 07:48:24.269345700 UTC
Shadow copy ID : ff5c9ef0-1dc9-4bc3-868d-4a4da47ddeb2
Volume size : 30 GiB (32556488704 bytes)
Attribute flags : 0x0042000d
Store: 3
Identifier : a3e89199-3a1e-11ec-9e54-080027d234e6
Shadow copy set ID : aba6e8fd-6bab-483e-809d-dd858315ebe8
Creation time : Oct 31, 2021 07:50:11.752992200 UTC
Shadow copy ID : 926e8df1-c4f4-4bf6-bfe3-de52a200f620
Volume size : 30 GiB (32556488704 bytes)
Attribute flags : 0x0042000d
vshadowmount /media/sun/D:/Image/win10.img /mnt/shadow/ -o 53477376
vshadowmount 20191221
sun@sun:/mnt$ ls -la /mnt/shadow/
total 4
dr-xr-xr-x 2 sun sun 0 Oct 31 15:37 .
drwxr-xr-x 13 root root 4096 Oct 30 09:21 ..
-r--r--r-- 1 sun sun 32556488704 Oct 31 15:37 vss1
-r--r--r-- 1 sun sun 32556488704 Oct 31 15:37 vss2
-r--r--r-- 1 sun sun 32556488704 Oct 31 15:37 vss3
I am able to see different versions of my file of interest in all of them.
python3 vss_carver.py -o 53477376 -i /media/sun/D:/Image/win10.img -c catalog -s storage -t RAW
vss_carver 20200312
Stage 1: Checking if VSS is enabled.
Volume size: 0x794849800
Found VSS volume header.
0x1e00: b'6b87083876c1484eb7ae04046e6cc752'
Catalog offset: 0xecf4000
Stage 2: Reading catalog from disk image.
Stage 3: Carving data blocks.
Started at 2021/10/31 15:50:47
Progress: 32556498944 / 32556488704 bytes (100.00%) at 2021/10/31 15:52:06
Finished at 2021/10/31 15:52:06
Stage 4: Grouping store blocks by VSS snapshot.
Stage 5: Checking next block offset lists.
Stage 6: Deduplicating carved catalog entries.
Stage 7: Writing store file.
Stage 8: Writing catalog file.
python3 vss_catalog_manipulator.py list catalog
vss_carver 20200312
[0] Enable, Date: 2021-10-30 12:24:26.085247, GUID: 24a28125-397c-11ec-9e53-080027d234e6
[1] Enable, Date: 2021-10-31 07:48:24.269346, GUID: a3e89152-3a1e-11ec-9e54-080027d234e6
[2] Enable, Date: 2021-10-31 07:50:11.752992, GUID: a3e89199-3a1e-11ec-9e54-080027d234e6
[3] Enable, Date: 2021-10-31 06:50:11.752992, GUID: 4270cb1d-5a3a-ec11-9204-6045cb61c09c
I can see the undeleted ones and the deleted one.
vshadowmount /media/sun/D:/Image/win10.img -c catalog -s storage -o 53477376 /mnt/shadow/
vshadowmount 20191221
ls -la /mnt/shadow/
total 4
dr-xr-xr-x 2 sun sun 0 Oct 31 16:07 .
drwxr-xr-x 13 root root 4096 Oct 30 09:21 ..
-r--r--r-- 1 sun sun 0 Oct 31 16:07 vss1
-r--r--r-- 1 sun sun 0 Oct 31 16:07 vss2
-r--r--r-- 1 sun sun 0 Oct 31 16:07 vss3
-r--r--r-- 1 sun sun 0 Oct 31 16:07 vss4
All of the copies have size 0. Why? Where could the problem be?
I tried compiling libvshadow-vss_carver-vss_carver.zip again, then tried to test on Windows 10 with precompiled_libyal_libs-master.zip:
vshadowmount.exe -o 53477376 e:\Image\win10.img -c catalog -s storage i:
vshadowmount 20191221
Unable to run dokan main: unable to assign drive letter
It works without the catalog and storage parameters, and I can see vss1-vss3:
vshadowmount.exe -o 53477376 e:\Image\win10.img i:
vshadowmount 20191221
mount_dokan_ZwCreateFile: unable to retrieve file entry for path: \autorun.inf.
mount_dokan_ZwCreateFile: unable to retrieve file entry for path: \autorun.inf.
mount_dokan_ZwCreateFile: unable to retrieve file entry for path: \autorun.inf.
mount_dokan_ZwCreateFile: unable to retrieve file entry for path: \AutoRun.inf.
Thanks
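The two manual checks in the post, reading the partition start sector out of the RAW image and multiplying by 512 to get the -o offset, then confirming that the volume at that offset carries a VSS volume header and reading its catalog offset, as a stand-alone script. This is an added example, not code from the issue, from libvshadow or from vss_carver. It parses a classic MBR only (no GPT), and the field positions inside the VSS volume header (version at 16, record type at 20, current offset at 24, catalog offset at 48, little-endian) are an assumption taken from the libvshadow format documentation as remembered here; verify them against that document before relying on the catalog offset it prints. The sample image it builds when run without arguments is constructed, with a single partition at sector 2048 and a header whose catalog offset is the 0xecf4000 the post's vss_carver run reported.

```python
"""Find NTFS partitions in a RAW disk image and check each for a VSS volume header."""
import io
import struct
import sys
from typing import List, Optional

SECTOR_SIZE = 512
VSS_VOLUME_HEADER_OFFSET = 0x1E00  # header sits 0x1e00 bytes into the NTFS volume
# Identifier bytes exactly as vss_carver's stage 1 prints them.
VSS_VOLUME_HEADER_ID = bytes.fromhex("6b87083876c1484eb7ae04046e6cc752")
MBR_SIGNATURE = b"\x55\xaa"
# Assumption: header field layout per the libvshadow format documentation as remembered:
# version @16 (u32), record type @20 (u32), current offset @24 (u64), catalog offset @48 (u64).


def lba_to_byte_offset(start_sector: int, sector_size: int = SECTOR_SIZE) -> int:
    """The value passed as -o to vshadowinfo / vshadowmount / vss_carver."""
    return start_sector * sector_size


def parse_mbr_partitions(mbr: bytes) -> List[dict]:
    """Parse the four primary partition entries of a classic MBR (no GPT handling)."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    partitions = []
    for index in range(4):
        entry = mbr[446 + 16 * index: 446 + 16 * (index + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sector-count(4, LE)
        status, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        partitions.append({
            "number": index + 1,
            "bootable": status == 0x80,
            "type": ptype,  # 0x07 = HPFS/NTFS/exFAT, 0x27 = hidden NTFS (WinRE)
            "start_lba": start_lba,
            "sectors": sectors,
            "byte_offset": lba_to_byte_offset(start_lba),
        })
    return partitions


def read_vss_volume_header(img, volume_offset: int) -> Optional[dict]:
    """Parsed VSS volume header of the volume starting at volume_offset, or None."""
    img.seek(volume_offset + VSS_VOLUME_HEADER_OFFSET)
    header = img.read(512)
    if len(header) < 512 or header[:16] != VSS_VOLUME_HEADER_ID:
        return None
    version, record_type = struct.unpack_from("<II", header, 16)
    (current_offset,) = struct.unpack_from("<Q", header, 24)
    (catalog_offset,) = struct.unpack_from("<Q", header, 48)
    return {
        "version": version,
        "record_type": record_type,
        "current_offset": current_offset,
        "catalog_offset": catalog_offset,
    }


def find_vss_volumes(img) -> List[dict]:
    """Every MBR partition carrying a VSS volume header, with the header attached."""
    img.seek(0)
    found = []
    for part in parse_mbr_partitions(img.read(512)):
        header = read_vss_volume_header(img, part["byte_offset"])
        if header is not None:
            found.append({**part, "vss": header})
    return found


def build_sample_image() -> io.BytesIO:
    """Constructed image: one bootable NTFS partition at sector 2048 with a VSS header."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 102400)
    mbr[510:512] = MBR_SIGNATURE
    header = bytearray(512)
    header[0:16] = VSS_VOLUME_HEADER_ID
    struct.pack_into("<II", header, 16, 1, 1)
    struct.pack_into("<Q", header, 24, VSS_VOLUME_HEADER_OFFSET)
    struct.pack_into("<Q", header, 48, 0xECF4000)  # catalog offset from the post
    img = io.BytesIO()
    img.write(mbr)
    img.seek(lba_to_byte_offset(2048) + VSS_VOLUME_HEADER_OFFSET)  # gap is zero-filled
    img.write(header)
    return img


if __name__ == "__main__":
    # Usage: python3 vss_offsets.py win10.img   (no argument: use the constructed image)
    image = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_image()
    for part in find_vss_volumes(image):
        print("partition %d: type 0x%02x, -o %d, VSS catalog offset 0x%x" % (
            part["number"], part["type"], part["byte_offset"], part["vss"]["catalog_offset"]))
```

Run against the post's win10.img it should report partition 2 with -o 53477376 and catalog offset 0xecf4000, matching the fdisk arithmetic and vss_carver's stage 1 output; a partition that reports no header is simply not a VSS-enabled NTFS volume at that offset, which is the first thing to rule out before suspecting the carved catalog or store files.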