Truecrypt overwritten deleted files instantly

Discussion in 'encryption problems' started by doveman, Jun 21, 2013.

Thread Status:
Not open for further replies.
  1. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I accidentally deleted a bunch of documents I'd been editing in a folder on a Truecrypt drive. No problem I thought, I'll quickly fire up some file recovery software and recover them to a different drive.

    However, Recuva shows that all the files have been overwritten already by files that are in no way open nor have been since I deleted the files. Some of the files that have overwritten them are Thunderbird Portable's database and I haven't even open Thunderbird.

    So it seems once the files had been deleted, Truecrypt just decided to randomly move other files into the space freed up.

    The weird, not to mention even more annoying, thing is that files in that folder that I deleted a few hours ago (and which I don't wish to recover) are showing as recoverable and not overwritten.
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I believe any file moving, would have been done by Windows, not TC.

    PD
     
  3. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    You may be right but I don't have defrag scheduled, so I can't see why Windows would randomly have moved files into the space just vacated either.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    TrueCrypt does not move your data around within your volume. The OS handles all of those functions. TC is merely an intermediary that encrypts or decrypts on-the-fly as needed.

    How are you able to ascertain that the Thunderbird database file actually overwrote a portion of one of your missing files? It might just be that your missing file was in a fragmented state and a chunk of it was already located next to the Thunderbird database file. Perhaps that's the only piece that Recuva could find (although if your file system is intact, it really should have been able to reassemble the entire file).

    I would try using a different data-recovery tool to see if you can get better results.

    It also might be interesting to look at the raw data using a hex editor, as these can often show file fragmentation, etc.
     
  5. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Well firstly Recuva shows the names of the files that have overwritten the files I wanted to recover and secondly, I recovered them (with both Recuva and another program) to another partition and opened them with a hex editor and the contents of some (not all were overwritten by Thunderbird files, some were overwritten by zip files) were clearly e-mail contents rather than pdf.

    Anyway, although I'd just spent half a day organising and highlighting sections in the pdfs before deleting them, at least I was able to recover the filenames which has helped a lot in reminding me which files, from the hundreds of possibles, I was actually working on so it should be a lot quicker to re-do the work.
     
Loading...
Thread Status:
Not open for further replies.