±Partners and Sponsors

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 2
New Yesterday: 8
Overall: 26810
Visitors: 48

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Mounted Truecrypt Volume Accidentally Quick Formatted

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 
  

Re: Mounted Truecrypt Volume Accidentally Quick Formatted

Post Posted: Sat Nov 10, 2012 6:21 pm

Your results rely to a big extent on how many file were on the disk in the first place. If it was a systemn disk, with thousands of files, then there is a high chance that the required MFT entry will not have been overwritten by a quick format.

If the disk was an external drive with very few files, then a quick format could have lost all your data run info.

The last quick format I saw on a 1TB drive overwrote the first 256 MFT entries
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 


Last edited by mscotgrove on Sun Nov 11, 2012 9:54 am; edited 1 time in total

mscotgrove
Senior Member
 
 
  

Re: Mounted Truecrypt Volume Accidentally Quick Formatted

Post Posted: Sun Nov 11, 2012 9:09 am

- mscotgrove

The last quick format I saw overwrote (I think) about 100 MFT entries

I seem to remember like it is not a "fixed" number, but proportional to the size of the volume, and consequently of the "initial" $MFT, that may be additionally different on different Windows OS's.
As a quick test in a 128 Mb virtual disk I generated 1000 (one thousand) "random" files, then, after quick formatting, I was able to find the $MFT entries for all files but the first 5 (five). This is XP SP2.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Mounted Truecrypt Volume Accidentally Quick Formatted

Post Posted: Sun Nov 11, 2012 1:28 pm

Hi,

Thanks for your replies.

In case anybody else has had this problem, I used File Scavenger:

www.snapfiles.com/get/...enger.html

It cost me $60 for a personal license.

The BIG issue I had when looking at many tools was their inability to recognise a volume that was mounted with Truecrypt - if it wasn't visible in disk manager, it wasn't visible in them.

I think you are both right that I wasn't able to get absolutely everything, but I got the majority which is better than nothing!  

pinkshirt
Newbie
 
 
  

Re: Mounted Truecrypt Volume Accidentally Quick Formatted

Post Posted: Mon Nov 12, 2012 6:10 am

I used to use tools by www.diskinternals.com, they were OK for the task (extracting files from a quick-formatted disk). In this case, I'd try DiskInternals Partition Recovery. It includes algorithms that can carve data (they call it "PowerSearch" if I'm not mistaken) if the file system is empty or unavailable. AFAIK, it supports mounted volumes such as TrueCrypt; just make sure to engage the "partition scan" mode as opposed to recovering a "physical disk" (terms may be different, but you get the idea). Not the cheapest tool though.

Also, I had *very* limited success with some freeware tools, as they normally don't look beyond the file system itself. No file system - no recovery.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
 
 
  

Re: Mounted Truecrypt Volume Accidentally Quick Formatted

Post Posted: Mon Nov 19, 2012 5:26 am

FTK imager also works as an image mounting tool, so you should be able to mount it.

EDIT: damn i always miss the second page.  

Rampage
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 2 of 2
Go to page Previous  1, 2