Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alicangnll/pyshadow
Python ShadowCopy Analyzer for Cyber Security Researchers!
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/alicangnll/pyshadow
- Owner: alicangnll
- License: gpl-3.0
- Created: 2022-11-06T21:24:30.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-17T02:51:02.000Z (about 1 year ago)
- Last Synced: 2024-02-14T20:37:09.226Z (10 months ago)
- Language: Python
- Size: 198 KB
- Stars: 4
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-forensics - PyShadow - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies (Tools / Windows Artifacts)
README
#### Python ShadowCopy Analyzer for Cyber Security Researchers!
### Disclaimer
The information provided in this blog post is intended for informational purposes only. It is not intended to encourage or promote any illegal or unethical activities, including hacking, cyberattacks, or any form of unauthorized access to computer systems, networks or data.
### What is ShadowCopy
ShadowCopy is a technology that allows you to create backup snapshots or copies of computer volumes or files, even if they are in use. It is also known as Volume Shadow Copy Service, Volume Snapshot Service or VSS. You can use ShadowCopy to restore lost files, recover from ransomware or cryptolocker attacks, or revert your system to a previous state using a system restore point.
ShadowCopy is available in Windows 7, 8 and 10, but you need to enable it first.
### Important
Run CMD as Administrator (administrator privileges are required)!
### Abilities
- Recover deleted files from ShadowCopies
- Create Pipe / Symlinks to ShadowCopies
- List all ShadowCopies
- Create ShadowCopy
- Delete ShadowCopy
### Working On
- Export ShadowCopy to VHD file
### Installation
PyPi : PyShadowCopy
### Example Code
```python
# List all ShadowCopies
# Example result:
#   ID : {e9a894be-dae7-49cb-9196-b5a22148210b}
#   Creation Date : 6.11.2022 19:58:20
#   Shadow Copy Location : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
shadows = ReShadowCode.VSS_ListShadows()
for shadowlist in shadows:
    print("ID : " + shadowlist["id"] + "\nCreation Date : " + shadowlist["creation_time"] + "\nShadow Copy Location : " + shadowlist["shadowcopy"] + "\n")

# Create a ShadowCopy
ReShadowCode.VSS_Create()

# Create a pipe/symlink to a ShadowCopy (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyid)
ReShadowCode.VSS_Create_Pipe("C:\\Shadow1", "id")

# Get the file list from a ShadowCopy
# Example result:
#   Ali
#   Ali Can Gönüllü
#   Ali_000_vcRuntimeMinimum_x64.log
#   Ali_000_vcRuntimeMinimum_x86.log
#   Ali_001_vcRuntimeAdditional_x64.log
#   Ali_001_vcRuntimeAdditional_x86.log
#   All Users
#   Default
#   Default User
#   desktop.ini
#   Public
#   TEMP
file_list = ReShadowCode.VSS_Get_FileList("C:\\Shadow1\\Users")
for files in file_list:
    print(files)
```