Anyone got a bot to find deleted truecrypt container header?


Post Posted: Fri Mar 02, 2018 10:42 am

I'm looking to recover a deleted TrueCrypt container but I don't have any identifying header information. The header could be anywhere on the drive (or it could be deleted of course, and the file could be fragmented, but I'll try). I've learned how to recover deleted containers on other drives, so I know where I'm going this time, but the free space designated as such by WinHex that I was hoping would be the beginning of my file and so have my header password, isn't giving any positive results when I create a small file of it and apply the password in TrueCrypt. So is there a program out there that sifts through this huge amount of data applying a password to every new KB?

Another question, do TrueCrypt containers have backups of their headers at the end of the file too, like TrueCrypt partitions do?

loonaluna
Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Fri Mar 02, 2018 4:38 pm

Hello,

Could you provide some information about yourself please.
Are you working, student, etc.?
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather."

armresl
Senior Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Sat Mar 03, 2018 4:49 am

If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.

If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.  

4144414D
Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Sat Mar 03, 2018 4:58 am

Loonaluna,

I'm wondering, did you turn off indexing? This is something like the 5th or 6th post you've made about essentially the same thing.

AmNe5iA
Senior Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Sat Mar 03, 2018 5:15 am

I made the drive a read-only drive, as I thought that would be sufficient and that indexing only happened on the OS drive. Could be wrong though. I thought about opening a new thread as the first one didn't describe the issue properly, and was full of very noobish statements that distracted from the problem once I'd learned some of the basics.

I don't work in forensics, and I'm not a student. A few months ago I screwed up, I deleted two huge TrueCrypt containers that could be holding important information. Sometime after (not immediately after), after failing with Recuva and other standard software because the files are so big, I unplugged the drive, and a month or so later I made an image of the drive which is what I'm working on right now. After weeks of being angry at my mistakes, I think it's time to at least try to recover the file.

Last edited by loonaluna on Sat Mar 03, 2018 6:11 am; edited 1 time in total

loonaluna
Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Sat Mar 03, 2018 6:10 am

- 4144414D
If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.

If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.


That would be wonderful, thank you very much. In the other thread, about WinHex free space, I was pinning my hopes on two big spaces of 'free spaces' that WinHex had identified, but it remains to be seen what WinHex is doing and whether the drive is telling the truth about this free space. If that's not the free space, I could go through the entire drive, but I would need a script for that too and I'm terrible at reading code, let alone modifying it. I also can't remember if I used AES or one of the other options on TrueCrypt when creating the containers.

Regardless, I'll try to install Python on my PC this weekend and see if I can make head or tail of the script, at least to get it to run once on a smaller sample of data.

loonaluna
Member
 
 
  

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Tue Mar 06, 2018 11:49 am

It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.

github.com/4144414D/py...es/hunt.md  

4144414D
Member
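
The offset-by-offset header test asked about at the top of this thread, as an added example; it is not code from the thread and not pytruecrypt's hunt.py. It assumes a container created with AES and the HMAC-SHA-512 option, needs the third-party `cryptography` package, and all function names and the sample header are constructed for illustration.

```python
import hashlib
import struct
import zlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512       # a TrueCrypt header: 64-byte plaintext salt + 448 encrypted bytes
SALT_LEN = 64
ITERATIONS = 1000  # assumption: PBKDF2-HMAC-SHA512 was the hash chosen at creation

def _xts(key, data, encrypt=False):
    # Assumption: AES in XTS mode; the header is data unit 0, so the tweak is zero.
    cipher = Cipher(algorithms.AES(key), modes.XTS(bytes(16)))
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(data) + ctx.finalize()

def _header_key(password, salt):
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=64)

def try_header(candidate, password):
    """True if the 512-byte candidate decrypts to a header under this password."""
    salt, body = candidate[:SALT_LEN], candidate[SALT_LEN:SECTOR]
    plain = _xts(_header_key(password, salt), body)
    if plain[:4] != b"TRUE":          # magic at header offset 64
        return False
    # Header offset 72 stores the CRC-32 of header bytes 256..511 (the key area).
    (stored,) = struct.unpack(">I", plain[8:12])
    return stored == zlib.crc32(plain[192:448])

def hunt(image, password, step=SECTOR):
    """Offsets in a bytes-like image where a header opens with the password.
    The salt differs at every offset, so each position costs one full PBKDF2."""
    last = len(image) - SECTOR
    return [off for off in range(0, last + 1, step)
            if try_header(image[off:off + SECTOR], password)]

def make_sample_header(password, salt=bytes(range(64))):
    """Constructed test data: magic, CRC of an all-zero key area, zero padding."""
    keys = bytes(256)
    plain = b"TRUE" + bytes(4) + struct.pack(">I", zlib.crc32(keys)) + bytes(180) + keys
    return salt + _xts(_header_key(password, salt), plain, encrypt=True)

if __name__ == "__main__":
    pw = b"example passphrase"   # constructed passphrase and image
    image = bytes(3 * SECTOR) + make_sample_header(pw) + bytes(4 * SECTOR)
    print(hunt(image, pw))
```

On a real image, pass an `mmap` of the file rather than reading it into memory. The default step tests every 512-byte sector boundary; a larger step is faster but only safe when the container's start alignment is known.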
 
 
