Hello All,
I have an external HDD which has a Truecrypt volume on it. Whilst mounted, the Truecrypt volume was quick formatted by mistake.
I can still mount the volume, and when mounted and viewed in FTK Imager I can find image headers such as FFD8FF in the hex. I am guessing this means that the data is still there, it is just that the files aren't visible because the file table has been written over?
I'm just at home using free tools. Is there a way for me to recover this data?
One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.
1) I'm not 100% sure how to determine where the data starts
2) I'm not sure if this would work…
Any help would be much appreciated!
Pinkshirt.
One post suggested I work out where the data starts, copy it all to another disk, make a new Truecrypt volume, paste the data into it and try and repair the file table.
WHICH post?
Which OS are you running?
Which filesystem is the volume?
How big in size is the volume?
Was the volume recently defragged?
jaclaz
Forget truecrypt - it's just another volume once mounted, don't let the idea of TC complicate matters.
What was the original filesystem? NTFS?
If the former was NTFS - one approach is to find all MFT records on that volume and use those to retrieve data. This is more reliable than carving since the MFT entries will have the data runs in them.
Hi
Thanks for the quick replies!
The original filesystem was NTFS.
The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted. It hasn't been touched since other than when I made a back up dd image with FTK.
Is finding the MFT records equivalent to the 'recover files and folders' function in the full version of EnCase?
Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?
Thank you.
The original filesystem was NTFS.
Good.
The volume is big - nearly 1TB. It wasn't defragged - it was quick formatted.
Bad/good.
It hasn't been touched since other than when I made a back up dd image with FTK.
Good.
Is this feasible with free tools or should I be buttering up friends with access to an EnCase dongle?
Yes. (free or very low cost tools exist)
What you still seem to be confused about is that digital forensics is one thing and data recovery is another.
Though they are "contiguous" fields, tools/methods "good enough" for the second might not be acceptable in the first and vice versa.
I have no idea how much the $MFT may be affected by a quick format; in theory a large part of it should have been overwritten, so that only the "last" entries are still there.
The "dd" you took, depending on the specific way you made it, may be a "good" dd of the unencrypted data or an (exact copy, but still a) meaningless mess of encrypted data (it depends on whether it was done at a "logical" level or at a "physical" one).
If it is the "right kind" you should be able to mount the dd Volume image without using truecrypt at all.
See these seemingly unrelated threads for some generic tools/techniques
http//
http//
jaclaz
Hi,
I'm not confused between Computer Forensics and Data Recovery. I made reference to EnCase because I have used it previously.
I mounted the Truecrypt volume and imaged the partition using FTK Imager.
I'm struggling to find a tool that will either see the mounted Truecrypt volume or that will mount a DD or E01 image file.
Any suggestions for tools that I could try?
Thanks.
Hi,
Any suggestions for tools that I could try?
Thanks.
If you had read the given links, you might have found DMDE
http://softdm.com/
jaclaz
Your results rely to a big extent on how many files were on the disk in the first place. If it was a system disk, with thousands of files, then there is a high chance that the required MFT entry will not have been overwritten by a quick format.
If the disk was an external drive with very few files, then a quick format could have lost all your data run info.
The last quick format I saw on a 1TB drive overwrote the first 256 MFT entries
The last quick format I saw overwrote (I think) about 100 MFT entries
I seem to remember that it is not a "fixed" number, but proportional to the size of the volume, and consequently of the "initial" $MFT, which may additionally be different on different Windows OSs.
As a quick test on a 128 Mb virtual disk I generated 1000 (one thousand) "random" files; then, after quick formatting, I was able to find the $MFT entries for all files but the first 5 (five). This was XP SP2.
jaclaz
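As an added example (not from this thread, and not the code of any tool named in it), the Python script below does what the earlier "find all MFT records and use their data runs" suggestion describes, and reproduces jaclaz's quick-format test in miniature: it scans a raw image for "FILE" records at sector granularity, validates each one with the NTFS update-sequence fixup (which rejects "FILE" bytes that merely occur inside a file's contents), decodes the unnamed $DATA attribute's data runs, rebuilds the file from its clusters, and reports which record numbers survived. The image it scans is constructed in memory; the geometry (512-byte sectors, 1 KiB records, 4 KiB clusters), the $MFT position, the file name and its contents are all assumptions made for the demo. Against a real dd image of the mounted (decrypted) volume you would pass the image bytes and set CLUSTER to that volume's actual cluster size.

```python
import struct

# Constructed demo geometry (an assumption): 512-byte sectors, 1 KiB MFT records, 4 KiB clusters.
SECTOR, RECORD, CLUSTER = 512, 1024, 4096

def apply_fixup(rec):
    """Undo the update-sequence fixup; None means not a genuine, intact record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt != RECORD // SECTOR + 1 or not 0x28 <= usa_off <= 0x30:
        return None
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR - 2                      # last two bytes of sector i
        if out[end:end + 2] != usn:
            return None                           # torn record, or stray "FILE" bytes inside a file
        out[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def decode_runs(buf):
    """Data-run list -> [(lcn, clusters)]; lcn is None for a sparse run, offsets are relative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        lsz, osz, pos = buf[pos] & 0xF, buf[pos] >> 4, pos + 1
        length, pos = int.from_bytes(buf[pos:pos + lsz], "little"), pos + lsz
        if osz:
            lcn, pos = lcn + int.from_bytes(buf[pos:pos + osz], "little", signed=True), pos + osz
        runs.append((lcn if osz else None, length))
    return runs

def parse_record(rec):
    """Parse one FILE record into record number, name, size and data runs (None if unusable)."""
    if rec[:4] != b"FILE" or (rec := apply_fixup(rec)) is None:
        return None
    pos = struct.unpack_from("<H", rec, 0x14)[0]                       # offset of first attribute
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None, "size": None, "runs": None}
    while pos + 24 <= RECORD:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 16:
            break
        nonres, namelen = rec[pos + 8], rec[pos + 9]
        if atype == 0x30 and not nonres:                                # $FILE_NAME (resident)
            vlen, voff = struct.unpack_from("<IH", rec, pos + 16)
            val = rec[pos + voff:pos + voff + vlen]
            if len(val) > 66 and (val[65] != 2 or info["name"] is None):  # prefer long name over DOS 8.3
                info["name"] = val[66:66 + 2 * val[64]].decode("utf-16-le")
        elif atype == 0x80 and namelen == 0 and nonres:                 # unnamed $DATA, non-resident
            runs_off = struct.unpack_from("<H", rec, pos + 32)[0]
            info["size"] = struct.unpack_from("<Q", rec, pos + 48)[0]   # real (logical) size
            info["runs"] = decode_runs(rec[pos + runs_off:pos + alen])
        pos += alen
    return info

def scan_mft_records(image):
    """Every intact FILE record at sector granularity, wherever the old $MFT clusters lie."""
    hits = []
    for off in range(0, len(image) - RECORD + 1, SECTOR):
        info = parse_record(image[off:off + RECORD]) if image[off:off + 4] == b"FILE" else None
        if info:
            hits.append(dict(info, offset=off))
    return hits

def extract(image, info):
    """Rebuild a file by following its data runs (sparse runs read back as zeros)."""
    out = bytearray()
    for lcn, n in info["runs"] or []:
        out += b"\0" * (n * CLUSTER) if lcn is None else image[lcn * CLUSTER:(lcn + n) * CLUSTER]
    return bytes(out[:info["size"]])

def build_record(recno, name, runs, real_size, usn=b"\x07\x00"):
    """Constructed FILE record: header, resident $FILE_NAME, non-resident $DATA, fixups applied."""
    rec = bytearray(RECORD)
    rec[:4], rec[0x30:0x32] = b"FILE", usn
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0, RECORD, 0, 2, 0, recno)
    val = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")
    pos, alen = 0x38, (24 + len(val) + 7) // 8 * 8
    struct.pack_into("<IIBBHHHIHBB", rec, pos, 0x30, alen, 0, 0, 0, 0, 0, len(val), 24, 1, 0)
    rec[pos + 24:pos + 24 + len(val)] = val
    pos, alen = pos + alen, (64 + len(runs) + 7) // 8 * 8
    nclust = sum(n for _, n in decode_runs(runs))
    struct.pack_into("<IIBBHHHQQHHIQQQ", rec, pos, 0x80, alen, 1, 0, 0, 0, 1, 0, nclust - 1,
                     64, 0, 0, nclust * CLUSTER, real_size, real_size)
    rec[pos + 64:pos + 64 + len(runs)] = runs
    struct.pack_into("<I", rec, pos + alen, 0xFFFFFFFF)
    for i in (1, 2):                                 # write the fixups the way NTFS does
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end:end + 2] = rec[end:end + 2], usn
    return bytes(rec)

def build_demo_image():
    """Constructed 256 KiB volume: $MFT at cluster 4, records 0-4 zeroed, survivor in record 5."""
    image = bytearray(64 * CLUSTER)
    content = (b"report.txt: this file survived the quick format\n" * 200)[:2 * CLUSTER + 100]
    image[10 * CLUSTER:12 * CLUSTER] = content[:2 * CLUSTER]         # run 1: LCN 10, 2 clusters
    image[20 * CLUSTER:20 * CLUSTER + 100] = content[2 * CLUSTER:]   # run 2: LCN 20, 1 cluster
    runs = b"\x11\x02\x0a\x11\x01\x0a\x00"                           # (+10, 2), (+10, 1), end
    mft = 4 * CLUSTER                                                # assumed old $MFT start
    image[mft + 5 * RECORD:mft + 6 * RECORD] = build_record(5, "report.txt", runs, len(content))
    return bytes(image), content
```

Running `scan_mft_records` over `build_demo_image()` finds exactly one record, number 5, and `extract` returns the original 8292-byte file even though it is split across two runs; the lowest surviving record number is the same "first N entries gone" figure the quick-format tests above report. The parser deliberately handles only the common case: resident $DATA, $ATTRIBUTE_LIST records, compressed or encrypted streams and the in-use/deleted flag are left alone, and a record found this way tells you where the data was, not whether those clusters have since been reused, which is why a fixup-validated record is a far stronger lead than a bare FFD8FF header hit.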
Hi,
Thanks for your replies.
In case anybody else has had this problem, I used File Scavenger
http//
It cost me $60 for a personal license.
The BIG issue I had when looking at many tools was their inability to recognise a volume that was mounted with Truecrypt - if it wasn't visible in disk manager, it wasn't visible in them.
I think you are both right that I wasn't able to get absolutely everything, but I got the majority which is better than nothing!