Reconstruct the World from Vanished Shadow: Recovering Deleted VSS Snapshots

Conference:  BlackHat USA 2018



The presentation discusses the process of recovering files from a disk image after a ransomware attack, with a focus on the importance of scope subshots and limitations of recovery.
  • The presentation outlines the steps for recovering files from a disk image after a ransomware attack
  • Scope subshots are a crucial parameter for VSS and should be enabled by default
  • If an attacker directly accesses the disk to randomly overwrite data blocks, recovery may not be possible
  • The presenter shares an anecdote about a case where recovery was not possible due to the lack of snapshot data
  • The presentation concludes by discussing improvements to the tool and future developments in the field
The presenter shares an experience where someone was unable to recover data from a ransomware attack, but it is unclear why. The presenter suggests that in theory, recovery may be possible if the store data remains in unallocated spaces.


Volume Shadow Copy Service (VSS) is a backup feature for recent Windows OSes. You can create storage snapshots by using VSS. If users refer to snapshots, they can recover its contents. VSS is one of the most important things to restore deleted files such as files created by attackers (e.g. attack tools) in the computer forensic task.However, in recent years, ransomware deletes the snapshots before encrypting files. When the snapshots are deleted, there is no way to access them officially. But, if we can recover the deleted snapshots, we can recover the files which were managed by the snapshots and which must have been lost.Roughly speaking, VSS manages two kinds of data. One is called "Catalog" and another is called "Store." These files are located in the "System Volume Information" folder. The meta information of VSS snapshots are stored in catalog file, such as creation date and time, offsets to Store data, and so on. The differential data between the current NTFS volume and the snapshot is stored in store files. Store files are created every snapshots creation.If snapshots are deleted, catalog and store files are deleted. Furthermore, the content of catalog file is destroyed. On the other hand, store data is almost intact. It means that we can access deleted snapshots if we could carve store files and reconstruct the catalog file from recovered store files.Although Windows can't access deleted snapshots data, our new tools named vss_carver and extended vshadowmount command are able to handle this.We will cover the details of the implementation and we will also give you several demonstrations with the new tools.