Truecrypt - undelete?

Discussion in 'privacy technology' started by CustomHVAC, Feb 5, 2009.

Thread Status:
Not open for further replies.
  1. CustomHVAC

    CustomHVAC Registered Member

    Joined:
    Mar 10, 2007
    Posts:
    57
    Once again I must turn to the EXPERTS for help.

    I accidentally deleted a truecrypt volume & the container was "too big for recycling bin".

    I tried to recover the volume using RECUVA..........it found a bunch of IGNORED (I assume unrecoverable files), I checked all the boxes to recover EVERYTHING, but this didn't work.

    Is there any hope with any other freeware?
    I can waste time, but unfortunately not $.

    ANY HELP would be GREATLY APPRECIATED (& yes I already know what a moron I am)
    THANKS!!
     
  2. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    I think Recuva ignores files it thinks are "securely deleted", which the TrueCrypt container might look like.

    Skip using the Wizard and check under Options -> Actions and check "Show securely deleted files", "Deep Scan", and maybe "Scan for non-deleted files".
     
  3. CustomHVAC

    CustomHVAC Registered Member

    Joined:
    Mar 10, 2007
    Posts:
    57
    That's the way I tried to recover the file; "Show securely deleted files", "Deep Scan", "hidden" & "non-deleted" - NOTHING :(

    I do however appreciate the response!
    I'll keep trying - Thanks
     
  4. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    260
    You can try PCInspector which is freeware:

    http://pcinspector.de/

    I have used it in the past to recover small deleted files from thumbdrives (JPEGs, MP3s, etc.) and it worked very well. I am not sure about recovering a big file, but nothing to lose for trying.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Quite a few people have done this, and sometimes they are able to recover their entire container file intact. I don't have time to go into detail right now, so I'm going to suggest that you go to the TrueCrypt forums and use the Search feature to read about what people have done in similar situations. Meanwhile, don't write anything to the drive that contains the deleted file or you might overwrite portions of it. If you overwrite a piece of the header and you don't have a backup then you will be completely screwed.

    Briefly, there are three approaches:
    1) Undelete software, which you have already tried but should probably try further.

    2) Use a hex editor to search for a string taken from either a backup header or a backup copy of the file (if you have either one) in order to find the exact beginning of the lost file, then block an area the size of your container file, save it as a file and see if it works.

    3) Manual search with a hex editor - this is long and tedious, but it can sometimes be successful. Based on the size of your file compared to the size of your drive, this may or may not be worth doing. Rather than manually scrolling through the whole drive until your eyeballs fall out of their sockets, there are search strategies you can use to make it go a bit quicker, but it's still going to be quite a grind. You can make your job much easier by wiping all existing files on the drive and replacing them with zeros, as long as you don't delete anything that is already in freespace. After this you merely go through the drive looking for large areas of completely random data, hopefully finding one of the correct size that you can save as a file. If you get it exactly right, especially the beginning of the file, it might mount (unless the header was damaged). If you used TC version 6 or higher you might be OK if you can find the exact endpoint of the file, even if the beginning is a little uncertain. (If your container file was fragmented then this method probably won't work. Also, for backup purposes I would take an image of the drive before undertaking this.)

    If you manage to mount the file then this shows that the header is fully intact, which is great. However, if the body of the container file was damaged or is incomplete then you might have to use data recovery software on the mounted volume.

    The above notes apply only to container files. If you lost a partition or a device then the advice would be somewhat different.
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Also you shouldn't be using the computer with the deleted container at all. Regular use will overwrite the sectors.
     
  7. CustomHVAC

    CustomHVAC Registered Member

    Joined:
    Mar 10, 2007
    Posts:
    57
    Thanks again for the replies
    & yes I have already read what Others tried, with NO LUCK

    Not really sure if it was overwritten before I realized it, the container was 140 gig on a 300 gig drive.

    I have officially given up!

    Not the end of the world, just another learning experience (at least it wasn't a stack of $50 bills I deleted)

    Again thank you very much to the posters !!
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    That's almost half the drive! It should be relatively easy to find a deleted container file that large. You can use a hex editor such as WinHex to scroll through your drive looking for a large (140GB) block of purely random data which contains no gaps. Find the beginning, mark the start of the block, find the endpoint approx 140 GB beyond that point (this assumes a contiguous, unfragmented container file), select the block and save it as a file. You can do most of this with the evaluation version of WinHex. However, the evaluation version won't let you save a large block as a file, so you'll have to buy a license if you want to finish the procedure, or find a freeware hex editor that can save a very large block as a file.

    The trick is to locate the exact beginning point of the deleted file. If you're lucky it will be adjacent to some plaintext or a string of zeros so you can easily spot the discontinuity between the two dissimilar types of data. (If necessary you can use a wiping tool to replace all existing files with zeros in order to make this part go easier). If you're unlucky the starting point will be adjacent to other random-appearing data that is also in freespace. In this case you will be unable to find the exact starting point of the lost file, which means that your header will be incorrect and your password won't be able to mount the volume. If you can't find the exact starting point, and if the file was created using TrueCrypt v6 or higher, then you might still have a chance of recovery if you can locate the exact endpoint of the file. In this case, after saving the block as a file you must enter the password three times. On the third attempt TrueCrypt will automatically use the embedded backup header, which is located near the end of the file. (It measures a specific distance back from the end of the file and assumes that this will be the embedded backup header). After it mounts you might need to use data-recovery tools if the filesystem is broken because of an incorrect file size or overwritten data.

    It sounds as though you've given up, so I'm including these details for others who may need to know about these procedures.
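
The search for a large gap-free block of random data described in this post can be automated. The sketch below is an added example, not part of the original post and not a TrueCrypt or WinHex feature; the 4 KiB block size and the 7.9 bits/byte threshold are assumptions, and it is meant to be pointed at a read-only image of the drive, using a constructed in-memory image here.

```python
import io
import math
import hashlib
from collections import Counter

BLOCK = 4096      # bytes examined per step (assumed value)
THRESHOLD = 7.9   # bits/byte (assumed); random 4 KiB blocks measure about 7.95

def entropy(block):
    """Shannon entropy in bits per byte: 0.0 for all zeros, 8.0 at most."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def random_runs(stream, min_bytes, block=BLOCK, threshold=THRESHOLD):
    """Return (start, end) offsets of contiguous high-entropy runs >= min_bytes.

    The stream is only read, never written. Offsets are block-aligned, so the
    exact start and end still have to be confirmed in a hex editor.
    """
    runs, start, offset = [], None, 0
    while True:
        data = stream.read(block)
        if not data:
            break
        high = len(data) == block and entropy(data) >= threshold
        if high and start is None:
            start = offset                      # discontinuity: run begins
        elif not high and start is not None:
            if offset - start >= min_bytes:     # run ends at zeros or plaintext
                runs.append((start, offset))
            start = None
        offset += len(data)
    if start is not None and offset - start >= min_bytes:
        runs.append((start, offset))
    return runs

def constructed_image():
    """Constructed sample: zeros, 64 KiB of random-looking data, text, zeros."""
    rand = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(2048))
    text = (b"plain text left over from an old file\n" * 216)[:BLOCK * 2]
    return bytes(BLOCK * 3) + rand + text + bytes(BLOCK * 2)

if __name__ == "__main__":
    image = io.BytesIO(constructed_image())
    for s, e in random_runs(image, min_bytes=32 * 1024):
        print(f"candidate: start={s} end={e} size={e - s}")
```

Any intact encrypted container on the same drive shows up as a run too, and a fragmented container appears as several shorter runs rather than one of the expected size.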
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  10. CustomHVAC

    CustomHVAC Registered Member

    Joined:
    Mar 10, 2007
    Posts:
    57
    I'll try to go into a little more detail...........
    This all began when I accidentally deleted a truecrypt container (approx 135 GB) which DID contain a hidden volume (approx 7GB)(the hidden one is the only one I actually cared about getting back).

    The 300 GB drive contained 2 containers; 1) approx 135 GB with a hidden volume of approx 7 GB (this is the deleted one - 135 with 7 hidden).
    I still have another truecrypt container (approx 145 GB) on that same drive.

    1. I have tried several "undelete" type programs - NO LUCK
    2. I do NOT have any backups / images of that container
    3. I downloaded the winhex program (thanks dantz) - But, I know NOTHING about hex editors, I will however try to learn what it is & how to use it.

    If I do learn about the Hex editor, am I correct in assuming I will still need;
    1. To buy a license to recover it
    2. To buy another Hard drive (I don't have ANOTHER 130 GB free for a backup / image or even a safe place to try & recover 130 GB)

    Is there any way for me to look for the "hidden" volume (7gig) as this is the only one I actually care about?
    Thanks again - Sorry Pedro I have no backup, that solution won't work.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    As Pedro suggested: live CD, TestDisk sounds like a good idea.
    Stop using the hard disk, so you don't overwrite the sectors used by TC.
    Always create a backup of TC volume headers and be careful :)
    Mrk
     