Mounted Truecrypt Volume Accidentally Quick Formatted

12 Posts
6 Users
0 Likes
1,150 Views
(@pinkshirt)
Posts: 7
Active Member
Topic starter
 

Hello All,

I have an external HDD which has a Truecrypt volume on it. Whilst mounted, the Truecrypt volume was quick formatted by mistake.

I can still mount the volume, and when mounted and viewed in FTK Imager I can find image headers such as FFD8FF in the hex. I am guessing this means that the data is still there; it is just that the files aren't visible because the file table has been written over?

I'm just at home using free tools. Is there a way for me to recover this data?

One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.

1) I'm not 100% how to determine where the data starts
2) I'm not sure if this would work…

Any help would be much appreciated!

Pinkshirt.

 
Posted : 08/11/2012 11:50 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.

WHICH post?

Which OS are you running?
Which filesystem is the volume?
How big in size is the volume?
Was the volume recently defragged?

jaclaz

 
Posted : 09/11/2012 12:32 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Forget truecrypt - it's just another volume once mounted; don't let the idea of TC complicate matters.

What was the original filesystem? NTFS?

If the former was NTFS - one approach is to find all MFT records on that volume and use those to retrieve data. This is more reliable than carving since the MFT entries will have the data runs in them.

 
Posted : 09/11/2012 12:37 am
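Added example (not code from the thread or from any tool mentioned in it) of the approach pbobby describes: walk a decrypted raw image sector by sector, keep every record that still carries the "FILE" signature, and decode the $DATA attribute's run list, which is what lets a file be pulled back from disk without carving. Record geometry (1024-byte records, attribute header offsets, run-list encoding) follows the standard NTFS on-disk layout; the sample records are constructed here, not taken from a real disk.

```python
import struct

SECTOR, RECORD = 512, 1024   # standard NTFS MFT record geometry

def decode_runs(buf):
    """Run list -> [(lcn, clusters)]: header nibbles = length/offset byte sizes, offset = signed LCN delta."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:                   # a 0x00 header ends the list
        len_sz, off_sz, pos = buf[pos] & 0x0F, buf[pos] >> 4, pos + 1
        length = int.from_bytes(buf[pos:pos + len_sz], "little"); pos += len_sz
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True); pos += off_sz
        runs.append((lcn, length))
    return runs

def parse_record(rec):
    """(record number, $DATA runs) for a FILE record, else None."""
    if rec[:4] != b"FILE":
        return None
    # Fixups are not applied here: a run list that straddles a sector end
    # (bytes 0x1FE-0x1FF / 0x3FE-0x3FF) would need the update sequence array applied first.
    pos, recno = struct.unpack_from("<H", rec, 0x14)[0], struct.unpack_from("<I", rec, 0x2C)[0]
    while pos + 0x22 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:             # end marker / corrupt length
            break
        if atype == 0x80 and rec[pos + 8] == 1:          # non-resident $DATA
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            return recno, decode_runs(rec[pos + run_off:pos + alen])
        pos += alen
    return recno, []                                     # resident data or no $DATA

def scan_image(image):
    """Walk a decrypted raw volume image sector by sector; wiped records fail the signature check."""
    hits = (parse_record(image[o:o + RECORD]) for o in range(0, len(image) - RECORD + 1, SECTOR))
    return {h[0]: h[1] for h in hits if h}

def sample_record(recno, runs):
    """Constructed minimal FILE record (not from a real disk) with one non-resident $DATA at 0x38."""
    rec, alen = bytearray(RECORD), (0x41 + len(runs) + 7) & ~7
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)              # first attribute offset
    struct.pack_into("<I", rec, 0x2C, recno)             # record number
    struct.pack_into("<IIBBHHHQQH", rec, 0x38, 0x80, alen, 1, 0, 0, 0, 0, 0, 0, 0x40)  # hdr, runs at +0x40
    rec[0x78:0x78 + len(runs)] = runs
    struct.pack_into("<I", rec, 0x38 + alen, 0xFFFFFFFF) # end-of-attributes marker
    return bytes(rec)

# Constructed image: a record the quick format wiped (all zero), then two survivors.
SAMPLE_IMAGE = (bytes(RECORD) + sample_record(42, b"\x21\x08\x34\x12\x11\x04\xFC\x00")
                + sample_record(43, b"\x31\x02\x00\x00\x01\x00"))
```

Each surviving record's runs are (logical cluster, cluster count) pairs, so multiplying by the volume's cluster size gives the byte ranges to copy out; the zeroed record in the sample stands in for the entries a quick format overwrites.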
(@pinkshirt)
Posts: 7
Active Member
Topic starter
 

Hi

Thanks for the quick replies!

The original filesystem was NTFS.

The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted. It hasn't been touched since, other than when I made a backup dd image with FTK.

Is finding the MFT records equivalent to the 'recover files and folders' function in the full version of EnCase?

Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?

Thank you.

 
Posted : 09/11/2012 1:01 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The original filesystem was NTFS.

Good.

The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted.

Bad/good.

It hasn't been touched since other than when I made a back up dd image with FTK.

Good.

Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?

Yes. (free or very low cost tools exist)

What you still seem to be confused about is that Digital Forensics is one thing and Data Recovery is another.

Though they are "contiguous" fields, tools/methods "good enough" for the second might not be acceptable in the first and vice versa.

I have no idea how much the $MFT may be affected by a quick format; in theory a large part of it should have been overwritten, so that only the "last" entries are still there.

The "dd" you took, depending on the specific way you made it, may be a "good" dd of the unencrypted data or an (exact copy but still a) meaningless mess of encrypted data (it depends on whether it was done at the "logical" level or at the "physical" one).

If it is the "right kind" you should be able to mount the dd Volume image without using truecrypt at all.

See these seemingly unrelated threads for some generic tools/techniques
http://www.msfn.org/board/topic/157688-still-no-partition-on-seagate-after-successful-unbrick/
http://www.msfn.org/board/topic/158832-best-ways-to-recover-partition-after-quick-format/

jaclaz

 
Posted : 09/11/2012 4:31 pm
(@pinkshirt)
Posts: 7
Active Member
Topic starter
 

Hi,

I'm not confused between Computer Forensics and Data Recovery. I made reference to EnCase because I have used it previously.

I mounted the Truecrypt volume and imaged the partition using FTK Imager.

I'm struggling to find a tool that will either see the mounted Truecrypt volume or that will mount a DD or E01 image file.

Any suggestions for tools that I could try?

Thanks.

 
Posted : 10/11/2012 11:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi,

Any suggestions for tools that I could try?

Thanks.

If you had read the given links, you might have found DMDE
http://softdm.com/

jaclaz

 
Posted : 11/11/2012 12:02 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Your results rely to a big extent on how many files were on the disk in the first place. If it was a system disk, with thousands of files, then there is a high chance that the required MFT entry will not have been overwritten by a quick format.

If the disk was an external drive with very few files, then a quick format could have lost all your data run info.

The last quick format I saw on a 1TB drive overwrote the first 256 MFT entries.

 
Posted : 11/11/2012 4:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The last quick format I saw overwrote (I think) about 100 MFT entries

I seem to remember that it is not a "fixed" number, but proportional to the size of the volume, and consequently of the "initial" $MFT, which may additionally be different on different Windows OSes.
As a quick test in a 128 Mb virtual disk I generated 1000 (one thousand) "random" files; then, after quick formatting, I was able to find the $MFT entries for all files but the first 5 (five). This is XP SP2.

jaclaz

 
Posted : 11/11/2012 7:09 pm
(@pinkshirt)
Posts: 7
Active Member
Topic starter
 

Hi,

Thanks for your replies.

In case anybody else has had this problem, I used File Scavenger

http://www.snapfiles.com/get/filescavenger.html

It cost me $60 for a personal license.

The BIG issue I had when looking at many tools was their inability to recognise a volume that was mounted with Truecrypt - if it wasn't visible in disk manager, it wasn't visible in them.

I think you are both right that I wasn't able to get absolutely everything, but I got the majority, which is better than nothing!

 
Posted : 11/11/2012 11:28 pm