So, first things first: we had some trouble with ransomware getting into our file server and encrypting everything. The shadow copy was on a different drive, and the crypto missed that, so we have a copy of everything.

We have copied the infected server to a sandbox for further testing, and restored the server from a previous backup.

Since the guys who had configured the servers left the company in a “hurry”, and we didn't really have the time to get familiar with this system, we kind of missed the “check the permissions” part. That was a huge mistake.

There is a shared folder, let's call it A, with only one AD group permission; everything else is removed, including SYSTEM. The owner is BUILTIN\Administrators.

The data we restored from the backup is missing files (because of the insufficient permissions…).

We have to restore the shadow copy from the infected server (we cleaned the executable parts of the ransomware, so it is not running anymore, theoretically).

What we tried is:

Mounting the VSS in every way

Restoring with a local user in Administrators group

Restoring the shadow copy as Builtin Administrator and System

Copying a DC into the sandbox and desperately trying to force the file server to communicate with it (no luck)

We are still trying to somehow mount the VSS under Linux.

Is there any way to remove the permissions, or restore the files?


Have you tried ShadowExplorer?

I did, no luck. It copied no folders and files.

Are you actually getting permissions errors? It’s sounding more and more like the data may just not be there.

Quick update:

I’ve been able to verify the files: a cached account had read rights, so the data is there. I am trying to figure out if I can use this account to somehow restore the data.

Have you tried duping this drive (to keep the original safe) then taking full ownership of the VSS folders with an admin account?

Yeah.

But the cached admin and SYSTEM accounts are a no-go, since they were removed from the security tab and were not members of the group that had full access, so it failed when I tried to take control of it.

Taking ownership should override whatever the current permissions are, though. That’s kind of the point of it.
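As an added example (not code from anyone in this thread), here is one way to do what the last reply suggests on the duplicated drive: expose the shadow copy, copy folder A out in backup mode so the locked-down ACL does not block the read, and only then take ownership and re-grant Administrators and SYSTEM on the restored copy. The shadow copy index, the folder name and the destination paths are placeholders; run it from an elevated PowerShell on the sandbox, not the live server.

```powershell
# Added example, not from the original thread. Placeholders: $ShadowIndex,
# $SourceFolder, $Destination and $Link are assumptions to adjust per system.
$ShadowIndex  = 0                    # index into the Win32_ShadowCopy list below
$SourceFolder = 'Shares\A'           # folder "A", relative to the volume root
$Destination  = 'D:\Restore\A'       # target on a volume you control
$Link         = 'C:\ShadowMount'     # where the shadow copy gets exposed

# 1. List shadow copies; DeviceObject is the \\?\GLOBALROOT path we need.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table

# 2. Expose the chosen copy as a directory link (mklink needs the trailing "\").
$shadow = $shadows[$ShadowIndex]
cmd /c "mklink /d `"$Link`" `"$($shadow.DeviceObject)\`"" | Out-Null

# 3. Copy in backup mode (/B): Robocopy then reads with the backup privilege that
#    an elevated administrator holds, so the ACL that excludes SYSTEM and
#    Administrators does not stop the read. /COPY:DAT keeps data, attributes and
#    timestamps but deliberately leaves the broken security descriptors behind.
robocopy "$Link\$SourceFolder" $Destination /E /B /COPY:DAT /R:1 /W:1 `
    /LOG:D:\Restore\robocopy-A.log

# 4. Now that the data is on a volume we control, give the Administrators group
#    ownership (/A) of the whole tree and re-add the two principals that were
#    stripped from the original folder, so the restore does not inherit the mess.
takeown /F $Destination /R /A /D Y | Out-Null
icacls $Destination /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' /T /C | Out-Null

# 5. Detach the shadow copy link; the shadow copy itself is left untouched.
cmd /c "rmdir `"$Link`""

# Sanity check: report anything Robocopy could not copy (exit codes >= 8 mean
# failures; the log lists each skipped path for a second pass with a cached account).
"Robocopy exit code: $LASTEXITCODE (see D:\Restore\robocopy-A.log)"
```

Check the Robocopy log before trusting the restore: an exit code of 8 or higher means some paths were not copied, and those are the ones to retry with the cached account that still has read rights.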