Volume Shadow Copy Analysis
Today let’s talk about the Volume Shadow Copy Service (“VSS”). As everybody knows, this service is an integral part of the Windows operating system and is essential for analysts. VSS provides two functions: snapshots (a short-term backup of all files on an NTFS volume) and archiving of files that are open or locked by an application such as Microsoft SQL Server or Microsoft Exchange. VSS creates shadow copies on a schedule or on demand.
One of the most popular uses of Volume Shadow Copy on newer (post-XP) operating systems is system restore points. How to restore the system and the installation of VSCs – Live system are described very well in Matt’s post.
Using volume shadow copies is the only relatively simple way to completely or partially recover information encrypted by malware, apart, of course, from recovery from previously created backups, which are almost never available. In most cases, decryption is not possible. There is only a scant chance that specialized software from antivirus companies, designed specifically to decrypt files, will help.
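One way to carry out the recovery described above, as an added example that is not from the original post: it lists the shadow copies of a volume, exposes each one through a temporary directory link, and copies out every earlier version of a file that differs from the current one. The file path and output folder are constructed sample values, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# The default paths are constructed sample values.
param(
    [string]$TargetFile = 'C:\Users\analyst\Documents\report.docx',
    [string]$OutDir     = 'C:\Recovered'
)

$driveLetter = $TargetFile.Substring(0, 2)            # e.g. "C:"
$relative    = $TargetFile.Substring(3)               # path below the volume root

# Win32_ShadowCopy.VolumeName holds the volume GUID path, so map the drive letter to it.
$volumeId = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $driveLetter }).DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) { Write-Warning "No shadow copies exist for $driveLetter"; return }

# Hash of the file as it is now (possibly encrypted), to skip identical snapshot versions.
$currentHash = $null
if (Test-Path -LiteralPath $TargetFile) {
    $currentHash = (Get-FileHash -LiteralPath $TargetFile -Algorithm SHA256).Hash
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$seen = @{}

foreach ($s in $shadows) {
    # Expose the snapshot through a temporary directory symlink; the trailing "\" is required.
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $old = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $old -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $old -Algorithm SHA256).Hash
        if ($hash -eq $currentHash -or $seen.ContainsKey($hash)) { continue }
        $seen[$hash] = $true
        $name = '{0:yyyyMMdd-HHmmss}_{1}' -f $s.InstallDate, (Split-Path $TargetFile -Leaf)
        Copy-Item -LiteralPath $old -Destination (Join-Path $OutDir $name)
        Write-Output "Recovered version from $($s.InstallDate): $name"
    }
    finally {
        cmd /c rmdir "$link"                          # removes only the link, not the snapshot
    }
}
```

Each recovered copy is prefixed with the creation time of the snapshot it came from, so the newest version that predates the encryption is easy to pick out.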