Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Thu Nov 08, 2012 1:50 pm
Hello All,
I have an external HDD which has a Truecrypt volume on it. Whilst mounted, the Truecrypt volume was quick formatted by mistake.
I can still mount the volume, and when mounted and viewed in FTK Imager I can find image headers such as FFD8FF in the hex. I am guessing this means that the data is still there, it is just that the files aren't visible because the file table has been written over?
I'm just at home using free tools. Is there a way for me to recover this data?
One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.
1) I'm not 100% sure how to determine where the data starts
2) I'm not sure if this would work...
Any help would be much appreciated!
Pinkshirt.
-

pinkshirt - Newbie
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Thu Nov 08, 2012 2:32 pm
- pinkshirt
One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.
WHICH post?
Which OS are you running?
Which filesystem is the volume?
How big in size is the volume?
Was the volume recently defragged?
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Thu Nov 08, 2012 2:37 pm
Forget truecrypt - it's just another volume once mounted, don't let the idea of TC complicate matters.
What was the original filesystem? NTFS?
If the former was NTFS - one approach is to find all MFT records on that volume and use those to retrieve data. This is more reliable than carving since the MFT entries will have the data runs in them.
_________________
Blog: secureartisan.wordpress.com
-

pbobby - Senior Member
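
The approach pbobby describes, sketched as an added example (not code from the thread or from any tool named in it): scan an image of the mounted volume for `FILE` record signatures and decode each record's $DATA run list. It assumes 1024-byte records and 512-byte sectors; the function names are illustrative.

```python
import struct

def decode_runs(buf):
    """Decode an NTFS run list into (start_cluster, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        lcn += int.from_bytes(delta, "little", signed=True)  # relative to previous run
        runs.append((lcn if off_sz else None, count))        # None marks a sparse run
        pos += 1 + len_sz + off_sz
    return runs

def parse_record(raw):
    """Return name, size and data runs of one FILE record, or None."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if rec[:4] != b"FILE" or usa_cnt != len(rec) // 512 + 1:
        return None
    for i in range(1, usa_cnt):  # undo the per-sector update sequence fixups
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    info = {"name": None, "size": 0, "runs": []}
    pos = struct.unpack_from("<H", rec, 20)[0]  # offset of the first attribute
    while pos + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        attr = rec[pos:pos + alen]
        if atype == 0x30:  # $FILE_NAME, always resident
            body = attr[struct.unpack_from("<H", attr, 20)[0]:]
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le", "replace")
        elif atype == 0x80 and attr[8] and attr[9] == 0:  # non-resident unnamed $DATA
            info["size"] = struct.unpack_from("<Q", attr, 48)[0]
            info["runs"] = decode_runs(attr[struct.unpack_from("<H", attr, 32)[0]:])
        pos += alen
    return info

def scan_image(data, rec_size=1024):
    """Yield (offset, info) for FILE records found on 512-byte boundaries."""
    for off in range(0, len(data) - rec_size + 1, 512):
        try:
            info = parse_record(data[off:off + rec_size])
        except (struct.error, IndexError):  # damaged record: skip, keep scanning
            continue
        if info:
            yield off, info
```

For a real image, pass an `mmap` of the file rather than reading it into memory. Each `(cluster, count)` pair multiplied by the cluster size gives a byte range to copy out, with the total truncated to `size`.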
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Thu Nov 08, 2012 3:01 pm
Hi
Thanks for the quick replies!
The original filesystem was NTFS.
The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted. It hasn't been touched since other than when I made a back up dd image with FTK.
Is finding the MFT records equivalent to the 'recover files and folders' function in the full version of EnCase?
Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?
Thank you.
-

pinkshirt - Newbie
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Fri Nov 09, 2012 6:31 am
- pinkshirt
The original filesystem was NTFS.
Good.
- pinkshirt
The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted.
Bad/good.
- pinkshirt
It hasn't been touched since other than when I made a back up dd image with FTK.
Good.
- pinkshirt
Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?
Yes. (free or very low cost tools exist)
What you still seem to be confused about is that Digital forensics is one thing and Data Recovery is another.
Though they are "contiguous" fields, tools/methods "good enough" for the second might not be acceptable in the first and vice versa.
I have no idea how much the $MFT may be affected by a quick format; in theory a large part of it should have been overwritten, so that only the "last" entries are still there.
The "dd" you took, depending on the specific way you made it, may be a "good" dd of the unencrypted data or an (exact copy but still a) meaningless mess of encrypted data (it depends on whether it was done at a "logical" level or at a "physical" one).
If it is the "right kind" you should be able to mount the dd Volume image without using truecrypt at all.
See these seemingly unrelated threads for some generic tools/techniques:
www.msfn.org/board/top...l-unbrick/
www.msfn.org/board/top...ck-format/
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Sat Nov 10, 2012 1:28 pm
Hi,
I'm not confused between Computer Forensics and Data Recovery. I made reference to EnCase because I have used it previously.
I mounted the Truecrypt volume and imaged the partition using FTK Imager.
I'm struggling to find a tool that will either see the mounted Truecrypt volume or that will mount a DD or E01 image file.
Any suggestions for tools that I could try?
Thanks.
-

pinkshirt - Newbie
Re: Mounted Truecrypt Volume Accidentally Quick Formatted
Posted: Sat Nov 10, 2012 2:02 pm
- pinkshirt
Hi,
Any suggestions for tools that I could try?
Thanks.
If you had read the given links, you might have found DMDE:
softdm.com/
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
















