TrueCrypt Hidden Volume: Data Recovery

Discussion in 'encryption problems' started by r3_f3e5, Jul 25, 2012.

Thread Status:
Not open for further replies.
  1. r3_f3e5

    r3_f3e5 Registered Member

    Joined: Jul 25, 2012
    Posts: 2
    Hi,

    I recently discovered this forum and thought it'd be a good place to get some advice. I'd appreciate any inputs you guys may have.

    I have a 500 GB Seagate FreeAgent disk, which I encrypted using TrueCrypt 6.0 on Windows XP a long time back. A hidden volume was created underneath the outer volume. The file system was FAT32. I'm currently using TrueCrypt 7.0a on Windows 7.

    Unfortunately I was not aware of the need to protect the hidden volume while writing in the outer volume. While I'd gotten off lightly on several occasions, this one time I did not :(

    While TrueCrypt still mounts the hidden volume, the file system has been damaged and Windows cannot read it. From what I can understand, this means that the header is not damaged.

    What I did next follows (in sequential order):

    1) I took a backup of the damaged hidden volume using TestDisk. I know I should have backed up the entire disk but I had storage space constraints.

    2) Don't ask me how but I managed to write some more data in the outer volume without protection. Yes, I know :oops:

    3) I let TestDisk do its thing on the hidden volume. It did not fix the damaged file system.

    4) I then used PhotoRec for recovery. It did recover a fair bit of data. The problem is that directory structures and file names were lost, which is a complete bummer and does not really help :( . Some data was not recovered.

    5) I also used the demo version of GetDataBack. However I did not purchase the product because I could not read files displayed in its preview option.


    So my questions now are:

    1) I can mount the backed up hidden volume (a .dd file) using OSF Mount. However TrueCrypt does not mount it further. If I can mount the backed up hidden volume using TrueCrypt, I might have a chance of recovering more data. How can I do this?

    2) Is there a tool that can recover the directory structure? Freeware is desirable but I will consider paying for a product that has a high success rate.

    3) Is it possible to work some magic and fix the damaged file system itself? This is not terribly important though. The primary objective is to get the data out.


    The official TrueCrypt forum has some discussions on this subject. However I must confess I haven't been able to figure out how they could be used in my case. A couple of requests haven't helped either.

    It'd be great if you guys could suggest a solution. Thanks for your time.
     
    Last edited: Jul 25, 2012
  2. dantz

    dantz Registered Member

    Joined: Jan 19, 2007
    Posts: 992
    Location: Hawaii
    You backed up the contents of the hidden volume while the volume was mounted, right? It had to be, otherwise you wouldn't have been able to find or select the hidden volume without engaging in some very tricky copy/paste operations requiring highly technical TrueCrypt skills.

    What I'm getting at is, when you copy the contents of any mounted TrueCrypt volume, its contents are copied in a decrypted state. Thus, your backup copy of the hidden volume is already decrypted, so you should already be able to access its contents without needing to mount it in TC.

    Have you tried running PhotoRec on the OSFMount-mounted backup? Or examining it with a hex editor? Look for non-random data such as recognizable words, or obvious patterns such as 00 00 00 00. If you find even one or two words or a clearly recognizable pattern then this confirms that your .dd copy of the volume is not encrypted.

    Sorry, I can't really address the rest of your post. Data recovery can be tedious and tricky and every case is different. You can probably get better advice on a data-recovery forum.
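
Added example, not part of dantz's post: the hex-editor check described above (look for zero runs and recognizable text) done over every block of a raw image instead of by eye. The block size, the entropy threshold and all function names are assumptions, and the two sample images are constructed in memory.

```python
import hashlib
import io
import math
from collections import Counter

BLOCK = 4096          # sample granularity; assumption, any multiple of 512 works
HIGH_ENTROPY = 7.5    # bits/byte; assumed threshold, random 4 KiB blocks score about 7.95

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def survey(stream, block=BLOCK, max_blocks=None):
    """Read a raw image block by block and count blocks that look like plaintext."""
    stats = {"blocks": 0, "zero": 0, "low_entropy": 0}
    while max_blocks is None or stats["blocks"] < max_blocks:
        buf = stream.read(block)
        if len(buf) < block:      # ignore a short tail, it skews entropy
            break
        stats["blocks"] += 1
        if buf.count(0) == block:
            stats["zero"] += 1    # the "00 00 00 00" pattern, a whole block of it
        elif entropy(buf) < HIGH_ENTROPY:
            stats["low_entropy"] += 1   # text, FAT tables, directory entries
    return stats

def looks_decrypted(stats) -> bool:
    """Ciphertext has no zero-filled or low-entropy blocks; any such block means plaintext."""
    return stats["blocks"] > 0 and (stats["zero"] + stats["low_entropy"]) > 0

def keystream(n_blocks, block=BLOCK):
    """Constructed stand-in for ciphertext: SHA-256 in counter mode (deterministic)."""
    need = n_blocks * block // 32
    return b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(need))

def sample_images():
    """Two constructed 16-block images: one all 'ciphertext', one with plaintext blocks."""
    encrypted = keystream(16)
    text = (b"README.TXT quarterly report draft\r\n" * 200)[:BLOCK]
    decrypted = bytes(BLOCK) * 4 + text * 2 + keystream(10)
    return encrypted, decrypted

if __name__ == "__main__":
    for name, img in zip(("encrypted", "decrypted"), sample_images()):
        s = survey(io.BytesIO(img))
        print(name, s, "plaintext found" if looks_decrypted(s) else "no plaintext found")
```

For a real backup, pass `open("backup.dd", "rb")` (a placeholder file name) to `survey`. Compressed files such as JPEGs also score as high entropy, so a result with no plaintext blocks does not prove the image is encrypted; only the positive result is conclusive.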
     
  3. r3_f3e5

    r3_f3e5 Registered Member

    Joined: Jul 25, 2012
    Posts: 2
    Thanks for your response, Dantz.

    Yes, I backed up the hidden volume while it was mounted by TrueCrypt. In fact, I had a look at the logical drive created by OSFMount before my original post. Since the hex dump was garbled, I had assumed the backup was still encrypted and was trying to further mount it using TrueCrypt.

    I did run PhotoRec again, as you suggested. It seems to be retrieving data from the logical drive. So I don't really understand the hex dump but PhotoRec works.

    I understand your point on data recovery and will take my problem to a more appropriate forum. Based on your experience, if you could suggest a starting point, it would help. Thanks again.
     