A shadow copy is a volume snapshot created by the Volume Shadow Copy Service (VSS). It is a feature of Windows operating systems that was implemented starting with Windows Vista. One of the problems with shadow copies is that they are not enabled in Windows 8, Windows 10 and Windows Server 2012.
In this article we look a little more in depth at what shadow copies are, the Windows components necessary for them to work, and everything related to this curious term.
What is shadow copy?
A shadow copy works by creating snapshots of the volume at a given point in time, which are saved as read-only copies somewhere else on the disk. These snapshots are exact images of the file system at that moment and can be used to restore individual files or folders, or even to restore the entire volume in the event of a disaster.
Shadow copies are commonly used as a disaster recovery tool to restore files or entire volumes in the event of a system failure or data loss. They can also be used to back up important data, helping to protect it.
Shadow copy: generalities
Shadow copies allow you to create backup copies of files, that is, to save a snapshot of the files as they were at a given point in time. For this reason, they are also called hidden copies, since they are not reflected as such in the file history on the hard drive.
Likewise, shadow copies also allow administrators to recover information by returning to that past point in time. They work as an automatic system backup that is transparent to the user.
Where is the shadow copy? It is located in a folder in the root directory of the volume. Let’s see:
If we see these files within the selected path, it means that we have a shadow copy, or even several, and that we can obtain information about a previous state of the system.
Every time a shadow copy is created, a file is created and, depending on the changes in the system or in the configured path, the shadow copy will be a larger or smaller file.
In the image we see, for example, that one file is smaller than another. This is probably because, when the second snapshot was taken, there had not been extensive modification of files, which is why one is much smaller than the other.
Shadow copy analysis
ShadowCopyViewer
To analyze shadow copies on a live system, we can use a program named ShadowCopyViewer.
Let’s look at an example of how some shadow copies would appear:
We see that we have two different shadow copies. If we analyze the first one, we would have the entire directory tree, that is, all the folders included within the shadow copy. This is possible because we can have Windows make a shadow copy of the entire disk or only of certain folders. If it were the entire disk, we would see the C: folder.
After the first shadow copy, only the files that have been modified are stored. This means that files that have not been modified, or that are not in our folder, are not stored in the corresponding shadow copy and, therefore, we could not obtain information about them from it.
ShadowExplorer
There is also another tool for analyzing shadow copies. Its name is ShadowExplorer.
This program works more graphically. We can also see that, if we have several shadow copies, each one has a date, and we can choose between the different shadow copies which one we want to recover, all by date.
We could not say for sure which of these tools is better, since each one fulfills a very different function. The important thing is to choose well, based on the needs we have at that moment and taking into account the pros and cons of each program.
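Both tools above enumerate the same information that Windows itself exposes through CIM. As an added example (not code from the original article or from either tool), the following PowerShell script lists the shadow copies on a live system, with their creation date, source volume and device object, and then shows the diff-area storage each volume's copies consume, which is what makes one copy larger than another as discussed earlier. It assumes an elevated session and uses the built-in Win32_ShadowCopy, Win32_ShadowStorage and Win32_Volume classes; the function names are our own.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell session; read-only inventory of VSS snapshots on this host.

function Get-ShadowCopyInventory {
    # Map volume device IDs ("\\?\Volume{GUID}\") to drive letters for readability.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        $volumes[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { $_.DeviceID }
    }

    # One entry per snapshot: when it was taken, of which volume, and the device
    # object that viewers such as ShadowExplorer read the snapshot from.
    Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate | ForEach-Object {
        [PSCustomObject]@{
            Id           = $_.ID
            Created      = $_.InstallDate
            Volume       = $volumes[$_.VolumeName]
            DeviceObject = $_.DeviceObject
            Persistent   = $_.Persistent
        }
    }
}

function Get-ShadowStorageUsage {
    # Per-volume diff area: UsedSpace grows with the amount of data changed since
    # each snapshot, so two copies of the same volume can differ greatly in size.
    Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
        [PSCustomObject]@{
            ForVolume  = $_.Volume.DeviceID
            DiffVolume = $_.DiffVolume.DeviceID
            UsedGB     = [math]::Round($_.UsedSpace / 1GB, 2)
            AllocGB    = [math]::Round($_.AllocatedSpace / 1GB, 2)
            MaxGB      = [math]::Round($_.MaxSpace / 1GB, 2)
        }
    }
}

# A volume with no entries here has no snapshots to recover from.
Get-ShadowCopyInventory | Format-Table -AutoSize
Get-ShadowStorageUsage  | Format-Table -AutoSize
```

Running the inventory periodically and keeping the output is a cheap way to notice when snapshots that were expected to exist have disappeared.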
How to continue learning about cybersecurity?
We have already seen what a shadow copy is and how to analyze it. If you want to continue learning about different areas of computer security, here we have the ideal intensive and comprehensive training for you. Access our Full Stack Cybersecurity Bootcamp and discover how you can become an IT professional in a few months with the constant support of expert teachers. Request more information now and take the step that will transform your future!