Partially recovered TrueCrypt files but not accessible

Discussion in 'encryption problems' started by pic16f876, Jul 13, 2014.

  1. pic16f876

    pic16f876 Registered Member

    Joined:
    Jul 13, 2014
    Posts:
    4
    Hello, I've been working with TrueCrypt for the last years and I haven't had any problem since I recently installed Windows 8.1 64bit.

    After installing it, the files I used to encrypt and hide important company data (mainly client privacy data) were deleted. They were .tib extension, so they could be deleted by the Windows OS or maybe by the new version of Acronis Trueimage which uses .tib extension.

    When I discovered that the files weren't in their place, I searched and recovered them using TestDisk, but I discovered through WinHex that they had a small amount of non-encrypted data embedded in them (I suppose PDF files) that I saved after the disappearance.

    When I try to decrypt them using TrueCrypt I get the following error:
    - Incorrect password or not a truecrypt volume

    So I tried to mount it choosing the "use backup embedded headers embedded in volume if available" option. All the options tested result in "Incorrect password or not a truecrypt volume". I don't have any header backup for these volumes.

    Is it possible to partially recover data from these encrypted files?

    This is very important for my company and also for me because I am responsible for its security. Your help will be greatly appreciated.
     
  2. pic16f876

    pic16f876 Registered Member

    Joined:
    Jul 13, 2014
    Posts:
    4
    So is everything lost? No ideas?
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Sorry, I've been very busy and have been away from the forum for about a week. Let's start at the beginning. I don't see why either Windows or ATI would delete any ".tib-extension" files. Windows has no reason to delete a .tib file. ATI might complain about it being corrupted if you tried to use ATI to mount it or read it, but if you didn't do this then we have no reasonable explanation for the loss of the files.

    It's also kind of odd that TestDisk was able to recover all of the files, and yet none of them work any longer. TrueCrypt container files have no known signatures and can't be identified on disk, so TestDisk apparently used the data in your MFT to undelete the files. And apparently the files were partially overwritten with plaintext. How many files are we talking about here?

    You definitely need to find either the headers or the embedded backup headers, otherwise there is no chance. Here's a long shot: Did any of these TrueCrypt container files originate as copies of one another? In that case they would share the same headers and embedded backup headers, even though the data stored within might be different. You could perform a search for a (suspected) header string to see if it turns up in another file.
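
The header search described in the post above, as an added example that is not part of the original thread: it takes the first 512 bytes (the size of a TrueCrypt volume header) from a working container copy and reports every offset where those exact bytes occur in another file or disk image. The function names, the command-line usage and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import io
import sys

HEADER_LEN = 512  # a TrueCrypt volume header is 512 bytes; its first 64 bytes are the salt

def read_needle(ref, length=HEADER_LEN):
    """Return the first `length` bytes of a working container copy."""
    ref.seek(0)
    needle = ref.read(length)
    if len(needle) < length:
        raise ValueError("reference is shorter than the requested header string")
    return needle

def find_all(stream, needle, chunk=1 << 20):
    """Yield every absolute offset of `needle` in `stream`, reading chunk by chunk."""
    if not needle:
        raise ValueError("empty search string")
    stream.seek(0)
    base, buf = 0, b""  # base = absolute offset of buf[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf += block
        pos = buf.find(needle)
        while pos != -1:
            yield base + pos
            pos = buf.find(needle, pos + 1)
        # Keep a tail shorter than the needle so a match split across reads is still found.
        drop = max(len(buf) - (len(needle) - 1), 0)
        base += drop
        buf = buf[drop:]

def demo():
    """Constructed data only: a fake 512-byte 'header' buried in a partly overwritten file."""
    header = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    reference = io.BytesIO(header + b"\x11" * 4096)
    damaged = io.BytesIO(b"%PDF-1.4 overwritten" + b"\x00" * 1000 + header + b"\x22" * 3000)
    return list(find_all(damaged, read_needle(reference), chunk=700))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <working_copy> <file_or_image_to_search>
        with open(sys.argv[1], "rb") as ref, open(sys.argv[2], "rb") as target:
            for offset in find_all(target, read_needle(ref)):
                print(f"header string found at offset {offset} (0x{offset:x})")
    else:
        print("constructed demo, offsets found:", demo())
```

Open the target read-only (or work on an image of the disk) so the search never writes to the media being recovered.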
     
  4. pic16f876

    pic16f876 Registered Member

    Joined:
    Jul 13, 2014
    Posts:
    4
    Thank you for your reply. I suppose that when I installed the new ATI, it scanned the entire system, so maybe it detected corrupted data and deleted it. It is the only explanation that I have found.

    There are 3 files of 4 Gb each, created independently, so they don't share headers. Could you advise me on how to perform a search for a suspected header string? There is plenty of encrypted data and when I modify the size of the file (extracting with WinHex), TrueCrypt tells me that the size of the container is not correct. Thank you very much.
     
  5. pic16f876

    pic16f876 Registered Member

    Joined:
    Jul 13, 2014
    Posts:
    4
    Any idea on how to perform a search for a suspected header string? I have tested different methods (found on the internet) but none worked...
     
  6. Bmcjames

    Bmcjames Registered Member

    Joined:
    Nov 3, 2015
    Posts:
    1
    @dantz

    I am just arriving on this forum where I discovered so many people you have helped. I have elementary knowledge in cryptology, and no knowledge at all working with binary data. However, I can learn whatever necessary.
    I hope you and other women and gentlemen here will be able to help me.

    I had a TrueCrypt file container in my 3rd local hard disk partition. Accidentally, I erased all the data on this partition.

    So, I tried to undelete data through Recuva and other recovery tools, and finally I succeeded in restoring the file container with R-Studio.
    Unfortunately, the file is corrupted and can no longer be accessed so far. It still has the same size as my previous backup dating from January and June, but the last accessed in October has crashed, while I didn't backup data for 6 months.

    I really need to access the file container and retrieve back the crucial data stored in it.

    I have copies of the same file container, with the same password and keyfiles. They are still opening with no problem. I even tried to save the header from these old copies, then backup the header from the corrupted file. I got it mounted, but I got the message prompting me to format the mounted disk.

    Please help me.

    Thank you all,
    James
     