0

A computer I am working on had most of the files on it encrypted by the TeslaCrypt ransomware program. I found that it did not delete the shadow copies and there may be a number of backups available.

I tried mounting several of the shadow copies prior to infection using vssadmin list shadows and mklink /D C:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\ and am able to see most of the files we are interested in recovering.

The problem is most of the files I look at partially contain the correct data but have large blocks of zeroes (\x00) either at the end or the middle of the files.

The files are all the original sizes except that they are missing large chunks. Are those missing portions of the files lost or is there some issue with these shadow copies?

System: Windows 8.1 64-bit.

EDIT:

Maybe this is happening because Windows 8 is phasing out volume shadow copy and instead using block level backup?

4
  • I recently experienced a similar issue. I posted my problem to MS communities just minutes before discovering this question. Just for cross-reference: answers.microsoft.com/en-us/windows/forum/windows8_1-files/…
    – Don Zoomik
    Commented May 8, 2015 at 14:08
  • @DonZoomik Glad you found this, thanks for the comment. I just replied on the MS post and hope someone has some info on this. Surely would be useful to someone in the future. Unfortunately there was nothing I could do for the person whose files I was trying to recover before since there was no relevant info on the problem.
    – drew010
    Commented May 8, 2015 at 16:12
  • I talked my boss into providing a company credit card and just created a Microsoft Professional Support incident, let's see what happens... In the meantime I also asked the same question on TechNet forums (maybe there would be more competent eyes...) but no useful replies. social.technet.microsoft.com/Forums/en-US/…
    – Don Zoomik
    Commented Jun 8, 2015 at 15:35
  • @DonZoomik Good luck, hopefully they will help get it figured out. Looking forward to hearing the results.
    – drew010
    Commented Jun 9, 2015 at 17:26
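
An added example, not part of the original question or its comments: a Python script that walks a mounted shadow copy (such as the C:\restore link described in the question) and lists the files containing long runs of \x00 bytes, so the extent of the missing data in each restored file can be measured. The 4 KiB minimum run length and all function names are assumptions of this example.

```python
import os
import re
import sys

CHUNK = 1 << 20   # read 1 MiB at a time
MIN_RUN = 4096    # assumption: ignore zero runs shorter than one 4 KiB cluster
NONZERO = re.compile(rb"[^\x00]")

def zero_runs(stream, min_run=MIN_RUN, chunk=CHUNK):
    """Return [(offset, length)] for each run of 0x00 bytes of at least min_run."""
    runs, start, pos = [], None, 0
    while buf := stream.read(chunk):
        i = 0
        while i < len(buf):
            if buf[i] == 0:                      # inside a zero run
                if start is None:
                    start = pos + i
                m = NONZERO.search(buf, i)
                i = len(buf) if m is None else m.start()
            else:                                # data byte: close any open run
                if start is not None and pos + i - start >= min_run:
                    runs.append((start, pos + i - start))
                start = None
                nxt = buf.find(b"\x00", i)
                i = len(buf) if nxt == -1 else nxt
        pos += len(buf)
    if start is not None and pos - start >= min_run:   # run reaching end of file
        runs.append((start, pos - start))
    return runs

def scan_tree(root, min_run=MIN_RUN):
    """Map every readable file under root that has zero runs to its run list."""
    damaged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    runs = zero_runs(fh, min_run)
            except OSError as exc:               # report unreadable files, keep going
                print(f"skip {path}: {exc}", file=sys.stderr)
                continue
            if runs:
                damaged[path] = runs
    return damaged

if __name__ == "__main__":
    for path, runs in scan_tree(sys.argv[1]).items():
        total = sum(length for _off, length in runs)
        print(f"{path}: {len(runs)} zero run(s), {total} bytes, first at {runs[0][0]}")
```

Some file types (databases, disk images, preallocated files) contain long zero runs when intact, so a hit marks a file for comparison against another shadow copy or backup rather than proving damage.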

1 Answer

0

Microsoft Professional Support confirmed the issue (previously unknown by Microsoft). No workarounds but there will very likely be a public hotfix in the future (currently there is no timeline).

1
  • For anyone wishing to contact MS Support, please reference my support incident 115060812822144 to increase visibility. The issue remains unsolved (but confirmed).
    – Don Zoomik
    Commented Nov 23, 2015 at 15:48
