mnrkbys / vss_carver

Carves and recreates VSS catalog and store from Windows disk image.
MIT License

vshadowmount error #12

Open eCxgyY5V0xdFJxoEYpxl opened 3 years ago

eCxgyY5V0xdFJxoEYpxl commented 3 years ago

Hello,

I have a problem recovering the VSS. The disk was captured with FTK Imager. The OS of the captured disk is Windows 2012 R2.

I work with Windows 10.

This is all I did:

mmls.exe F:\HDD-DD.001

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000718847   0000716800   NTFS / exFAT (0x07)
003:  000:001   0000718848   1953521663   1952802816   NTFS / exFAT (0x07)
004:  -------   1953521664   1953525167   0000003504   Unallocated

vshadowinfo.exe -o 368050176 F:\HDD-E01.E01

No Volume Shadow Snapshots found.

python vss_carver.py -t RAW -o 368050176 -i F:\HDD-DD.001 -c F:\catalog -s F:\store

==================================================
Stage 1: Checking if VSS is enabled.
Volume size: 0xe8cad00000
Found VSS volume header.
0x1e00: b'6b87083876c1484eb7ae04046e6cc752'
Catalog offset: 0x0
==================================================
Stage 2: Reading catalog from disk image.
VSS snapshot was enabled. But all snapshots were deleted.
==================================================
Stage 3: Carving data blocks.
Started at 2021/10/25 15:27:26
Progress: 999835041792 / 999835041792 bytes (100.00%) at 2021/10/25 16:56:17
Finished at 2021/10/25 16:56:17
==================================================
Stage 4: Grouping store blocks by VSS snapshot.
==================================================
Stage 5: Checking next block offset lists.
==================================================
Stage 6: Deduplicating carved catalog entries.
==================================================
Stage 7: Writing store file.
==================================================
Stage 8: Writing catalog file.

python vss_catalog_manipulator.py list F:\catalog

[0] Enable, Date: 2021-10-25 15:56:17, GUID: ac4b5ab5-a335-ec11-834c-b06ebf5f2047
[1] Enable, Date: 2021-10-25 14:56:17, GUID: 907d5cb5-a335-ec11-ba02-b06ebf5f2047

vshadowmount.exe -o 368050176 -c F:\catalog -s F:\store F:\HDD-DD.001 X:

Unable to open source volume
libvshadow_store_block_read_header_data: invalid store block list header identifier.
libvshadow_store_block_read: unable to read store block header.
libvshadow_store_descriptor_read_store_header: unable to read store block at offset: 0.
libvshadow_volume_open_read: unable to read store: 0 header.
libvshadow_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
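
A check that can be run before mounting, given as an added example that is not part of the original issue or of vss_carver: it recomputes the `-o` byte offset from the mmls rows and tests for the VSS identifier (the value printed at 0x1e00 above) in the volume header and at offset 0 of the carved store file, the position named in the libvshadow error. The function names are hypothetical, and it is an assumption that the carved store file should begin with this identifier.

```python
import io
import re

# VSS identifier, as printed by vss_carver at 0x1e00 in the output above.
VSS_IDENTIFIER = bytes.fromhex("6b87083876c1484eb7ae04046e6cc752")
VOLUME_HEADER_OFFSET = 0x1E00  # position of the VSS volume header inside the volume


def parse_mmls(text):
    """Return [(slot, start_byte, length_bytes, description)] for allocated slots."""
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    sector = int(m.group(1)) if m else 512
    # Only rows with a numeric slot (e.g. 000:001) are partitions; Meta and
    # unallocated rows do not match.
    row = re.compile(r"^\d+:\s+(\d+:\d+)\s+(\d+)\s+\d+\s+(\d+)\s+(.+)$", re.M)
    return [(slot, int(start) * sector, int(length) * sector, desc.strip())
            for slot, start, length, desc in row.findall(text)]


def has_vss_identifier(stream, offset):
    """True if the 16 bytes at `offset` equal the VSS identifier."""
    stream.seek(offset)
    return stream.read(16) == VSS_IDENTIFIER


def check(image, store, partition_offset):
    """Check the volume header in the image and the first block of the store file."""
    return {
        "volume_header": has_vss_identifier(image, partition_offset + VOLUME_HEADER_OFFSET),
        "store_block_0": has_vss_identifier(store, 0),  # assumption: store starts with it
    }


# Sample input: the two allocated rows from the mmls output above.
MMLS_SAMPLE = """Units are in 512-byte sectors
002:  000:000   0000002048   0000718847   0000716800   NTFS / exFAT (0x07)
003:  000:001   0000718848   1953521663   1952802816   NTFS / exFAT (0x07)
"""

if __name__ == "__main__":
    for slot, start, length, desc in parse_mmls(MMLS_SAMPLE):
        print(f"{slot}  -o {start}  size=0x{length:x}  {desc}")
    # Constructed stand-ins for the disk image and the carved store file.
    part = 4096
    image = io.BytesIO(bytes(part + VOLUME_HEADER_OFFSET) + VSS_IDENTIFIER + bytes(112))
    store = io.BytesIO(bytes(128))  # first block lacks the identifier
    print(check(image, store, part))
```

On the real files, open the image and the store with `open(path, "rb")` and pass the byte offset of the partition being examined.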