Recovering deleted Truecrypt volumes (from external hdd)

Discussion in 'encryption problems' started by apricot templar, Jun 1, 2014.

Thread Status:
Not open for further replies.
  1. apricot templar

    apricot templar Registered Member

    Joined: Jun 1, 2014 | Posts: 2 | Location: mayberry/brazil

    Hi everyone, well I blew it and deleted my 2 TrueCrypt volumes off my 465 GB NTFS external HDD without thinking about it (they are both 10 GB in size). I am not good with computers and new to this WinHex, so I appreciate any help lol.


    I tried getting the volume headers by opening the partition in a separate tab and then Ctrl+End, but I have a bunch of 00s and readable text (which I read is not good?) :(

    http://i.imgur.com/nQLwtxA.png?1?8190


    I found the file name of one volume so far in the master boot record(?) while looking for random chunks, if that helps at all (the second volume's name was just a4), but they are surrounded by lots of 00s too: http://i.imgur.com/RWmy4o4.png?1


    Edit: I am using the method of copying the physical sectors from the partition to the hard disk, defining blocks from there and then copying them into a test file (hopefully that is right), but none of the sectors have been headers yet :(
     
    Last edited: Jun 1, 2014
  2. dantz

    dantz Registered Member

    Joined: Jan 19, 2007 | Posts: 991 | Location: Hawaii

    These are container files, right? Not encrypted partitions? In this case the instructions that I have posted elsewhere for recovering lost TrueCrypt partitions do not quite apply, although there are some similarities.

    But let's start at the beginning: Did you look in the Recycle Bin?

    Also, if you merely deleted the files then they might be recoverable by running an undelete program.

    If you have to recover the files manually using a hex editor then things will get rather involved, as first you must find the files (in your case, two solid 10 GB blocks of random data), and then locate their exact endpoints (if possible), and then test for the volume header. If the files happen to be fragmented, which is quite possible, then the situation becomes even trickier. Recovering lost container files is one of the more difficult tasks. I've done it, but I was lucky each time. If you're not good with computers then you might be in over your head on this one, but I will try to give you some tips.

    Anyway, while you are considering what to do next, do NOT write anything to the drive, as the files are in free space and they could very easily be overwritten by new data.
     
  3. apricot templar

    apricot templar Registered Member

    Hey dantz, thanks for your time! :) I have been binging on your posts lol, and I just recovered the two 10 GB containers completely intact after buying licensed WinHex (it was hell). After reading your post I looked in the $RECYCLE.BIN directory thinking it could narrow my search, but still lots of 00 gaps.



    So then I realized the cluster names weren't anything I'd think the files would be in. I remembered that you mentioned the files were in free space, noticed that was a directory, and found huge 10 GB chunks right after some big groups of 00s. Appreciate the help!
     
  4. dantz

    dantz Registered Member

    Wow, congratulations on figuring it out! Well, my work here is done. Maybe I can retire now. That ok with everybody?
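
The manual search described in this thread (long runs of random-looking data in free space, bounded by zero-filled or readable regions) can be sketched as an entropy scan over a read-only image of the drive. This is an added example, not code from the thread; the 4096-byte block size, the 7.5 bits/byte threshold and all function names are assumptions.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096  # assumed NTFS cluster size; adjust to the volume's real value


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_random_runs(stream, min_len, block=BLOCK, threshold=7.5):
    """Return (offset, length) for each contiguous run of high-entropy blocks
    at least min_len bytes long. The stream is only read, never written."""
    runs, start, offset = [], None, 0
    while True:
        data = stream.read(block)
        # A short trailing block cannot be judged reliably; treat it as a break.
        random_looking = len(data) == block and entropy(data) >= threshold
        if random_looking and start is None:
            start = offset
        elif not random_looking and start is not None:
            if offset - start >= min_len:
                runs.append((start, offset - start))
            start = None
        if not data:
            return runs
        offset += len(data)


def build_sample_image() -> bytes:
    """Constructed sample standing in for a read-only image of the drive."""
    text = (b"readable directory text " * 200)[:BLOCK]
    return b"".join([
        bytes(8 * BLOCK),        # zero-filled gap
        os.urandom(64 * BLOCK),  # stand-in for a deleted container
        text * 4,                # readable data
        os.urandom(2 * BLOCK),   # small random fragment, below min_len
        bytes(8 * BLOCK),
    ])


if __name__ == "__main__":
    img = io.BytesIO(build_sample_image())
    for off, length in find_random_runs(img, min_len=16 * BLOCK):
        print(f"candidate at byte {off} (sector {off // 512}), {length} bytes")
```

Compressed files also score as high entropy, so a hit is only a candidate: its length should match the container size, and a fragmented container shows up as several shorter runs.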
     