Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/alicangnll/pyshadow

Python ShadowCopy Analyzer for Cyber Security Researchers!
https://github.com/alicangnll/pyshadow

Last synced: about 2 months ago
JSON representation

Python ShadowCopy Analyzer for Cyber Security Researchers!

Host: GitHub
URL: https://github.com/alicangnll/pyshadow
Owner: alicangnll
License: gpl-3.0
Created: 2022-11-06T21:24:30.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2023-12-17T02:51:02.000Z (10 months ago)
Last Synced: 2024-02-14T20:37:09.226Z (8 months ago)
Language: Python
Size: 198 KB
Stars: 4
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-forensics - PyShadow - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies (Tools / Windows Artifacts)

README

#### Python ShadowCopy Analyzer for Cyber Security Researchers!

### Disclaimer

The information provided in this blog post is intended for informational purposes only. It is not intended to encourage or promote any illegal or unethical activities, including hacking, cyberattacks, or any form of unauthorized access to computer systems, networks or data.

### What is the ShadowCopy

ShadowCopy is a technology that allows you to create backup snapshots or copies of computer volumes or files, even if they are in use. It is also known as Volume Shadow Copy Service, Volume Snapshot Service or VSS. You can use ShadowCopy to restore lost files, recover from ransomware or cryptolocker attacks, or revert your system to a previous state using a system restore point.

ShadowCopy is available in Windows 7, 8 and 10, but you need to enable it first. You can also use a program called Shadow Explorer to browse and restore your shadow copies.

### Important

Run CMD with Administrator (need Administrator grant)!

### Abilities

Create Pipe / Symlinks to ShadowCopies

List all ShadowCopies

Create ShadowCopy

Delete ShadowCopy

### Working On

Export ShadowCopy to VHD file

### Installation

PyPi : PyShadowCopy

### Example Code


# List all ShadowCopy

'''

Example Result

ID : {e9a894be-dae7-49cb-9196-b5a22148210b}

Creation Date : 6.11.2022 19:58:20

Shadow Copy Location : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7

'''

list = ReShadowCode.VSS_ListShadows()

for shadowlist in list:

    print("ID : " + shadowlist["id"] + "\nCreation Date : " + shadowlist["creation_time"] + "\nShadow Copy Location : " + shadowlist["shadowcopy"] + "\n")

# Create a ShadowCopy

ReShadowCode.VSS_Create()

# Create a pipe/symlink with ShadowCopy() (Ex. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyid)

ReShadowCode.VSS_Create_Pipe("C:\\Shadow1", "id")

# Get file list from ShadowCopy

'''

Example Result

Ali

Ali Can Gönüllü

Ali_000_vcRuntimeMinimum_x64.log

Ali_000_vcRuntimeMinimum_x86.log

Ali_001_vcRuntimeAdditional_x64.log

Ali_001_vcRuntimeAdditional_x86.log

All Users

Default

Default User

desktop.ini

Public

TEMP

'''

list = ReShadowCode.VSS_Get_FileList("C:\\Shadow1\\Users")

for files in list:

    print(files)

### Images