How to recover previous "current state" from VirtualBox *after* restoring from snapshot?
Answer:
It is not possible to completely recover the previous "current state" image, as when the snapshot is restored, VirtualBox appears to copy over the current image file with the snapshot file. This doesn't leave any residual "deleted disk image file" on the disk to be rescued.
However, in my case, since the snapshot was much smaller than the previous "current state," much of the "current state" data was still available to disk slicers / hex editors / recovery programs in the now "free space" on the disk, as the copy-over didn't zero out the disk image file.
So, recommendation: your best bet is to install some program capable of file recovery and/or raw disk scanning, and search the free space for known strings. You won't get the whole VM image back, but you can rescue the data with traditional file recovery means.
Related videos on Youtube
02 : 24
14 : 40
02 : 28
07 : 12
04 : 10
JesseM
Updated on September 18, 2022Comments
-
JesseM almost 2 years
Details:
Win 8.1 (host OS) Laptop running Virtual Box. Ubuntu 10.04 Guest machine inside Virtual box. 6 month old snapshot of guest machine and "current state" in use. User was having problems with "current state" machine loading slowly (maybe hanging) and at one point VirtualBox helpfully asked if they'd rather restore snapshot. Not realizing that this would dump their "current state" machine image, they said yes, and have now lost 6 months of data.
Yes, I know, they should have backups. Not helpful at this juncture. Currently I'm looking for recovery options for them
Is there any way to recover/restore the previous "current state" VM from before they agreed to go to the snapshot?
I've got the machine shut down now, so some sort of data recovery may be possible if it's "just" a deleted file I can get back from the host Windows OS.
Any help appreciated, or recommendations for specific file/data recovery tools, or which
vmd/vdifile to look for.
Edit 1:
Working on the theory that the "current state" was just an other
.vdifile, and that I might find it with generic Windows recovery software, I started looking for possible candidates. A "quick" scan found (and recovered) thevbox-prevfile, but didn't find the.vdifile. However, the "prev" file gave me the filename of the missing.vdifile, so that's some progress. I'm now trying a deep scan.The scan tool I'm using lets me define new file formats to look for in bytes on the disk, but it needs "magic bytes" and an offset and data length. It seems a fine tool, but these advanced search features are not well documented. If anyone has a pointer to the
.vdifile format, that would be great.For those who may find this later, current
.vdifiles all begin with (little endian) bytes that look like this:0000000 < < < O r a c l e V M V i 0000020 r t u a l B o x D i s k I m 0000040 a g e > > > \n \0 \0 \0 \0 \0 \0 \0 \0or
0000000 3c3c 203c 724f 6361 656c 5620 204d 6956 0000020 7472 6175 426c 786f 4420 7369 206b 6d49 0000040 6761 2065 3e3e 0a3e 0000 0000 0000 0000-
Ramhound about 10 yearsThe data was deleted. File recovery would be your only solution. Sounds like you have tried this and the .vdi has already been overwriten.
-
