Is it possible to recover a deleted truecrypt container inside a truecrypt drive, with winhex?

Discussion in 'privacy technology' started by jlt, Dec 22, 2017.

  1. jlt

    jlt Registered Member

    Joined:
    Dec 22, 2017
    Posts:
    2
    Location:
    spain
    I've read around and it seems it isn't possible, or at least very hard. Normal recovery programs like Recuva can't seem to see it, because it's a super big file of 75GB, or because it's an encrypted container, not sure. But I did download WinHex and it's showing the empty space. Shouldn't I be able to select the start of this massive empty space all the way to the end and rebuild the container from there, or is it not possible because it's a TrueCrypt encrypted drive?
     
    Last edited: Dec 22, 2017
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,026
    Location:
    Hawaii
    It's going to require a combination of skill, perseverance and luck, but yes, it is theoretically possible to recover a deleted TrueCrypt container file (or at least the first and last fragment, if the file happens to be fragmented), even under the circumstances that you have described. The fact that your lost/deleted container file is stored within another TrueCrypt volume should not be much of an impediment as long as you are able to mount the volume that it is stored in.

    Wilders has a number of threads on this topic. I assume that you have looked through some of them, but if not then please do a search on "recover deleted truecrypt container file" or similar.

    Recuva and most other file recovery tools will probably not be of much help. One of their primary recovery techniques is to search the disk for known file signatures (i.e. headers, footers, etc. that are unique for each file type). By design, TrueCrypt container files don't have any recognizable signatures. The only known "signature" of an unmounted TrueCrypt container file is that it looks like a big block of random data, and the only way to confirm it is to test it out to see if it can be mounted using the known password.

    I'm quite rusty on all of this, as it's been quite a while since I tried anything of this sort. If I wanted to help you then the first thing I would have to do would be to read through all of my old posts so I could relearn the techniques.

    The first step is to try to locate the exact beginning of the lost file. Have you spotted a promising-looking location in WinHex? If so you will probably want to test it by creating a small (i.e. under 1MB) test file to see if it can be mounted in TrueCrypt with your password. There's no point in copying the whole 75GB file unless you have already successfully mounted the test file, otherwise you will just be wasting a lot of time, not to mention storage space.

    By the way, a lost container file does not look like "empty space", as you mentioned in your post. In WinHex, empty space looks like "00 00 00 00 00 00" etc. A container file looks like a huge block of random data with no recognizable patterns or significant repetitions.

    Before you get started I recommend that you make a forensic copy of the disk containing your lost file, and perform all of your recovery efforts on the copy. This will leave you with a safe fall-back position in case you screw up and ruin your chances, which is entirely possible. You should also stop all writes to the disk. This includes indexing, optimizing, SSD Trim, etc.

    Do you have a copy, even a very old copy, of your lost file? If so then you might be able to use the first five or six bytes of its header as a search string to search for the beginning of your lost/deleted file.

    PS: Have you already done the obvious, i.e. looked in the recycle bin in both Windows and WinHex?

    If you want to post some details then I will try to give further advice.
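The post above describes two things a recovery attempt hinges on: an unmounted container has no file signature and simply looks like a large block of random data, while unused space shows up in WinHex as runs of `00` bytes, and you should carve a small test slice from a candidate start rather than copying the whole file. The script below is an added example (not from this thread, and not a TrueCrypt or WinHex tool): it walks a raw image in fixed-size chunks, measures each chunk's Shannon entropy, reports contiguous high-entropy runs with their start offset, and carves a small test slice from a candidate so it can be tried in TrueCrypt with the known password. It also shows the "search for a known header prefix" idea from the post. The image is constructed in memory; the 4 KiB chunk size and the 7.5 bits/byte threshold are assumptions, not anything the post specifies.

```python
"""Entropy scan of a raw image to find candidate container starts.

Added example, not code from the forum thread. Encrypted/random data scores
close to 8.0 bits per byte; zero-filled space scores 0.0; ordinary text sits
in between. Chunk size and threshold are assumptions chosen for this demo.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # assumption: scan granularity, one NTFS-sized cluster
HIGH_ENTROPY = 7.5    # assumption: bits/byte above which a chunk looks random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty or all-zero)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_random_runs(image: bytes, chunk: int = CHUNK,
                     threshold: float = HIGH_ENTROPY, min_run: int = 4):
    """Return [(start_offset, length)] for runs of >= min_run consecutive
    high-entropy chunks. Each start offset is a candidate container start."""
    runs = []
    run_start = None
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        if shannon_entropy(block) >= threshold:
            if run_start is None:
                run_start = off
        else:
            if run_start is not None and off - run_start >= min_run * chunk:
                runs.append((run_start, off - run_start))
            run_start = None
    if run_start is not None and len(image) - run_start >= min_run * chunk:
        runs.append((run_start, len(image) - run_start))
    return runs


def carve_test_slice(image: bytes, offset: int, size: int = 1 << 20) -> bytes:
    """Copy a small slice (default 1 MiB) from a candidate start; the post
    recommends mounting such a slice first before copying the whole file."""
    return image[offset:offset + size]


def find_prefix(image: bytes, prefix: bytes):
    """Offsets where a known header prefix occurs (the 'old copy' technique:
    the first few bytes of a previous copy used as a search string)."""
    hits, pos = [], image.find(prefix)
    while pos != -1:
        hits.append(pos)
        pos = image.find(prefix, pos + 1)
    return hits


def build_sample_image():
    """Constructed image: zeros, some plain text, a random blob standing in
    for an encrypted container, then zeros. Returns (image, start, length)."""
    zero = b"\x00" * CHUNK * 8
    text = (b"Plain text file content, low entropy, repeated. " * 200)[:CHUNK * 2]
    blob = os.urandom(CHUNK * 32)      # constructed stand-in, not a real container
    return zero + text + blob + zero, len(zero) + len(text), len(blob)


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for start, length in find_random_runs(img):
        print(f"candidate start 0x{start:x}, {length // 1024} KiB of random-looking data")
        slice_ = carve_test_slice(img, start)
        print(f"  carved {len(slice_)} bytes to try mounting as a test container")
```

On a real case you would run `find_random_runs` over a forensic image (opened read-only, ideally memory-mapped) rather than an in-memory buffer; the entropy threshold distinguishes ciphertext from zeros and text but not from other compressed or encrypted files, so every candidate still has to be confirmed by mounting a carved slice with the password.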
     
  3. jlt

    jlt Registered Member

    Joined:
    Dec 22, 2017
    Posts:
    2
    Location:
    spain
    Yes there's some very useful info but it does seem to be a bit of a lost art and the people with the issues there know more than me.

    Another issue is they can't seem to recover files larger than 4GB, for some reason to do with file labels or something.

    Thank you so much for your help man

    Well, they are two massive files, of about 60 to 80GB each, can't remember; I will probably be fine if I recover at least one of them. And scrolling through WinHex when I had the drive mounted, I could see two pretty big chunks of "empty space". The drive only has 190GB of actual empty space right now, so am I correct to assume that's where the containers were before? Will the headers be sitting at the beginning of the empty space, and if so, how do I go about selecting it if the vertical scroll is too slow or too fast depending on what part of the scroll bar is clicked? Or will the headers be anywhere in the "empty space", and I'm doomed to having to learn to write a Python script that tries the volume password through it all, 1MB by 1MB? Btw, if I do do this, do I have to find the exact beginning of the header as the beginning of the file, or does a TrueCrypt container open if the password is contained anywhere in the file?

    Sure, when I was looking at it, it wasn't 00 00, it was all sorts of letters and numbers iirc, together with a description of "empty space". Could this be it?

    How would I go about cloning this, with hobocopy or robocopy, or something else? It's an HDD thankfully, so no SSD Trim; however it was used for a bit after the deletion, so I'm not sure if I'll be successful. Very small amounts of data may have been written on it. If so, do you think NTFS or Windows obsessively writes to the beginning of empty spaces, where the headers were probably sitting, or does it just go for random empty space? If the latter, my chances of success are far greater, even if it would be a slightly damaged container, right?

    Nope, no copy, but they are two containers with very similar data. And a scroll down in WinHex shows precisely that: two very large areas of "empty space". Unfortunately I can't remember if I copied the container or the contents into a second container, as it was a long time ago :/

    It was a massive container and the Windows recycle bin avoids them and told me to bypass the recycle bin iirc. Windows may have even told me to 'securely delete' in doing so, but hopefully it didn't mean overwrite and merely meant bypass the bin. I can't seem to find the recycle bin in WinHex, does it have one?
     
  4. Riaz Ali

    Riaz Ali Registered Member

    Joined:
    Dec 29, 2017
    Posts:
    2
    Location:
    Kohat, Pakistan
    Hi Dear Dantz.

    I had created a TrueCrypt drive of 200GB on a 500GB external hard drive. After 2 years, one day it showed a message for disk scanning. After that my TC drive size became 0KB instead of 200GB. I read your previous posts and I used WinHex. I tried a lot but I am not finding my TC header. Is there any way that I can send pictures of my data in WinHex to you and you will guide me?

    Thanks
     