Hello Reader,
For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten leading to strange results.
Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.
Check it out below!
http://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf
Also Read: Daily Blog #451
Post a Comment