Anyone got a bot to find deleted truecrypt container header?

46 Posts
7 Users
0 Likes
7,384 Views
(@loonaluna)
Posts: 33
Eminent Member
Topic starter
 

I'm looking to recover a deleted truecrypt container but I don't have any identifying header information. The header could be anywhere on the drive (or it could be deleted of course, and the file could be fragmented, but I'll try). I've learned how to recover deleted containers on other drives, so I know where I'm going this time, but the free space designated as such by winhex that I was hoping would be the beginning of my file and so have my header password, isn't giving any positive results when I create a small file of it and apply the password in truecrypt. So is there a program out there that sifts through this huge amount of data applying a password to every new kb?

Another question, do truecrypt containers have backups of their headers at the end of the file too, like truecrypt partitions do?

 
Posted : 02/03/2018 4:42 pm
(@armresl)
Posts: 1011
Noble Member
 

Hello,

Could you provide some information about yourself please.
Are you working, student, etc.?

 
Posted : 02/03/2018 10:38 pm
(@4144414d)
Posts: 33
Eminent Member
 

If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.

If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.

 
Posted : 03/03/2018 10:49 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Loonaluna,

I'm wondering, did you turn off indexing? This is something like the 5th or 6th post you've made about essentially the same thing.

 
Posted : 03/03/2018 10:58 am
(@loonaluna)
Posts: 33
Eminent Member
Topic starter
 

I made the drive a read-only drive, as I thought that would be sufficient and that indexing only happened on the OS drive. Could be wrong though. I thought about opening a new thread as the first one didn't describe the issue properly, and was full of very noobish statements that distracted from the problem once I'd learned some of the basics.

I don't work in forensics, and I'm not a student. A few months ago I screwed up, I deleted two huge truecrypt containers that could be holding important information. Sometime after (not immediately after), after failing with recuva and other standard software because the files are so big, I unplugged the drive, and a month or so later I made an image of the drive which is what I'm working on right now. After weeks of being angry at my mistakes, I think it's time to at least try to recover the file.

 
Posted : 03/03/2018 11:15 am
(@loonaluna)
Posts: 33
Eminent Member
Topic starter
 

> If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.
>
> If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.

That would be wonderful, thank you very much. In the other thread, about winhex free space, I was pinning my hopes on two big spaces of 'free spaces' that winhex had identified, but it remains to be seen what winhex is doing and whether the drive is telling the truth about this free space. If that's not the free space, I could go through the entire drive, but I would need a script for that too and I'm terrible at reading code, let alone modifying it. I also can't remember if I used AES or one of the other options on truecrypt when creating the containers.

Regardless, I'll try to install python on my pc this weekend and see if I can make head or tail of the script, at least to get it to run once on a smaller sample of data.

 
Posted : 03/03/2018 12:10 pm
(@4144414d)
Posts: 33
Eminent Member
 

It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.

https://github.com/4144414D/pytruecrypt/blob/master/examples/hunt.md

 
Posted : 06/03/2018 5:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.
>
> https://github.com/4144414D/pytruecrypt/blob/master/examples/hunt.md

Very nice ) though, if I may, there is a "main" link missing

> By looking for sections of continuous high entropy we can target the likely locations of TrueCrypt headers. By checking the sectors around 27701 and 48476 we are able to check a small number of sectors as every check will take some time, particularly on VeraCrypt headers.

How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?

That is "Shannon" Entropy, right?

Something *like* entropie?

https://github.com/dupgit/entropie

with -b 512 ?
or
https://deadhacker.com/2007/05/13/finding-entropy-in-binary-files/

or binwalk?
https://github.com/ReFirmLabs/binwalk/wiki/Usage

jaclaz

 
Posted : 06/03/2018 6:38 pm
(@4144414d)
Posts: 33
Eminent Member
 

> How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?

Ah, that section is just explaining what is happening. You don't need to do any identification yourself the script takes care of all of that for you. It does the entropy calculations and finds the likely places for headers itself. I'll add some words to explain that a little better.

> That is "Shannon" Entropy, right?

Yup. Again I'll add that when I get a moment.

> Something *like* entropie?
>
> https://github.com/dupgit/entropie
>
> with -b 512 ?
> or
> https://deadhacker.com/2007/05/13/finding-entropy-in-binary-files/
>
> or binwalk?
> https://github.com/ReFirmLabs/binwalk/wiki/Usage

Yes, binwalk is an amazing tool. Truly fantastic.

My personal favourite for visualising entropy is PortEx (https://github.com/katjahahn/PortEx) it's designed for executables but it'll make a nice diagram of basically anything.

Example image from the GitHub here https://camo.githubusercontent.com/dc9408d203ba6bb5a1442249ba68dbf257780a2c/687474703a2f2f692e696d6775722e636f6d2f374e427a65344f2e706e67

 
Posted : 06/03/2018 7:37 pm
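The exchange above turns on one technique: computing Shannon entropy per 512-byte sector and flagging runs of consecutive high-entropy sectors as places worth testing for an encrypted header. The following is an added, stand-alone illustration of that step (it is not hunt.py from pytruecrypt and makes no attempt to test passwords or parse headers). The threshold of 7.0 bits/byte, the minimum run length of 2 sectors, and the sample image (zero-filled sectors, then 128 sectors of deterministic pseudo-random bytes, then repeated ASCII text) are constructed for the example; the 128-sector run is chosen to match the 64 KiB header area size mentioned nowhere on this page and is an assumption for illustration only.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # bytes per sector, matching the "-b 512" block size discussed above


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 for constant data, 8.0 max)."""
    if not block:
        return 0.0
    n = len(block)
    counts = Counter(block)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sector_entropies(image: bytes, sector: int = SECTOR) -> list:
    """Entropy of every sector of the image, in sector order."""
    return [shannon_entropy(image[i:i + sector]) for i in range(0, len(image), sector)]


def high_entropy_runs(entropies: list, threshold: float = 7.0, min_run: int = 2) -> list:
    """Return (start_sector, end_sector_exclusive) for each run of >= min_run
    consecutive sectors whose entropy is at least `threshold`.
    Note: a single 512-byte sector of truly random data is expected to score
    roughly 7.6 bits/byte, not 8.0, because 512 samples under-populate the
    256 possible byte values, hence a threshold somewhat below 8."""
    runs = []
    start = None
    for idx, h in enumerate(entropies):
        if h >= threshold:
            if start is None:
                start = idx
        else:
            if start is not None and idx - start >= min_run:
                runs.append((start, idx))
            start = None
    if start is not None and len(entropies) - start >= min_run:
        runs.append((start, len(entropies)))
    return runs


def candidate_sectors(image: bytes, threshold: float = 7.0, min_run: int = 2) -> list:
    """Sector ranges that look like ciphertext and deserve a header check."""
    return high_entropy_runs(sector_entropies(image), threshold, min_run)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) so the example is reproducible.
    Constructed for the example; real ciphertext would come from the disk image."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out.extend(h)
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed sample image: 100 zero sectors, 128 pseudo-random sectors, 50 text sectors."""
    zeros = b"\x00" * (100 * SECTOR)
    ciphertext_like = pseudo_random_bytes(128 * SECTOR)
    text = (b"lorem ipsum dolor sit amet " * 1000)[:50 * SECTOR]
    return zeros + ciphertext_like + text


if __name__ == "__main__":
    # Usage: replace build_sample_image() with open("image.dd", "rb").read()
    # (or a memory-mapped file for large images) to scan a real image.
    for start, end in candidate_sectors(build_sample_image()):
        print(f"high-entropy run: sectors {start}-{end - 1} ({end - start} sectors)")
```

On the sample image this reports a single run covering sectors 100 to 227; the zero-filled and plain-text regions fall well below the threshold. On a real image the candidate list is only a shortlist: compressed or already-encrypted files score just as high, so each run still has to be tested with the actual header-decryption step that the script on the page performs.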
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks )

That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).

jaclaz

 
Posted : 06/03/2018 8:12 pm