Anyone got a bot to find deleted truecrypt container header?

(@loonaluna)
Eminent Member
Joined: 7 years ago
Posts: 33
Topic starter

I have a vague idea that very little writing happened after the deletion date. I've gone over various times looking at the file dates and such. However I'm not sure of the depth of the file writing, it may be a lot, and if it writes in a fragmented way then I'm screwed. Most of the danger will come from a steam game update that happened and maybe an accidental install that I didn't turn off on time. I have a mental picture of this timestamp, but I can't go in perfect detail with winhex as it doesn't have an easier GUI to spot the free space, something like a graphical depiction like defraggler does. Something with the graphical free space identifier of a defraggler and the actual sector number identifier in winhex would be the perfect combination. Do you know of such a tool? Or am I condemned to having to go through winhex every few thousand sectors spotting the free spaces in their specific sectors? If so I'm up for a very tedious affair what with there being a gazillion sectors. Winhex has a great feature named gather free space that is so close to being great but not quite, as I'm back in square one and all I have is a homogenous chunk that's terribly hard to deal with and it saves in the form of pages, not sectors, and it saves all the supposed free space, you can't go selecting parts of the free space to extract, and you can't select part of the homogenous chunk as you'll end up selecting in the middle of a sector and that'll give nothing but index out of range errors.

A couple things about what you say too, are you saying that if a file is created but already fragmented before the deletion, if it modifies after the deletion it will just skip willy nilly into a huge portion of the free space? Or are you merely saying that if they're modified a ton and increase in size a lot, they'll fragment further and spill into the free space?

You got it right I did recover the backup header, and this 52gb does start to seem like the end of the first container. There's a fair amount of "free space" on winhex before it but it's in a fragmented manner, but in a large style, consisting of fairly large continuous extents each, in keeping in tone with the tendency of the drive to have lots of large files, like a massive virtual machine image that's all over the drive in a fragmented manner but in a large way. Most of the occupied filespace belongs to large files that were there before the deletion. Are you saying DMDE (or Photorec) will recover the filenames better if the container is the full size truecrypt claims it is, even if it's just empty data added before the 52gb chunk? And that if I just added empty data to fill up to truecrypt's advertised data size, DMDE would have a better chance of identifying the files successfully? Not that I want to reach that level yet, as I hope I can add actual free space on the drive instead, and if not, I want to have a go at the second container. Or maybe it has to be a perfect container, and the slightest of damage means the file reconstruction will always be jumbled up garbage? Maybe the container stores its MFT data, the ones that I understand would give shape or form to the file reconstruction, at a specific place of the container that must never be deleted, maybe they're stored at the beginning of the container?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@loonaloona
Imagine that you have a file using exactly 8 sectors, where F is the file, 0 is empty (unallocated) space and S is Something_else, if the situation on disk is
… 0000FFFFFFFF000000SSSSS …
when you add a sector worth of data the result will be N being the new data added to F
… 0000FFFFFFFFN00000SSSSS …
the file remains contiguous, BUT IF the situation before was
… 0000FFFFFFFFSSS000SSSSS …
the result will be a non-contiguous file
… 0000FFFFFFFFSSSN00SSSSS …

Now, on how to proceed, I would do it analytically, not graphically.

As said anything that has both created and modified date before the deletion is "safe", in the sense that it cannot possibly be (unless of course a defrag has been run) occupying the space where the container was.

I would use a DIR command (or similar) to make a list of all files with their created and modified times.

Then I would make a list for each file of its extents on disk (now) as clusters and put everything in a spreadsheet.

Extents of files that
1) were created and modified before the deletion can be removed from the map
2) were created before but modified after the deletion can be removed from the map (only if contiguous)
3) belong to the NTFS structures can be removed from the map

What remains is either
a. files created after deletion or modified after deletion AND fragmented
b. your deleted truecrypt container extents

DMDE can create a "cluster map" (Tools->Cluster map) but it is - while easier to navigate than the actual sector view, still IMHO not suitable as you will have a zillion files.

Making a map with cluster numbers in a spreadsheet will allow to better navigate it.

Now, the issue might be which specific tools to use for creating the base of data to insert in the spreadsheet.

Most probably the nice tools by Joachim Schicht can be of use
https://github.com/jschicht?tab=repositories

MFT2CSV
https://github.com/jschicht/Mft2Csv/wiki/Mft2Csv
And USNJRNL2CSV
https://github.com/jschicht/UsnJrnl2Csv

being the first ones I would try.

Then I would try running via batch *something like* the myfragmenter.exe, that you can find here (part of Mydefrag 4.31)
http://www.softpedia.com/get/System/OS-Enhancements/JkDefrag.shtml

A sample batch (that I call myfragi.cmd) follows

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
REM First sector of the volume and sectors per cluster; adjust both to the drive being examined
Set InitialLBA=63
Set clusterSize=8
Set File=%~dpnx1
Set Timestamp=%~t1

IF NOT EXIST myfragi.log ECHO Ext Lcn LBAstart Sects Date File>myfragi.log
ECHO Ext Lcn LBAstart Sects File
REM Parse the name=value pairs printed by myfragmenter -i, one line per extent
FOR /F "tokens=2,4,6,8,9 delims==, " %%A IN ('myfragmenter.exe -i "%File%" ^| FIND "="') DO (
CALL :convert_LBA %%A %%B %%C %%D

ECHO !Extent! !Lcn! !LBAstart! !Sectors! %Timestamp% %File%
ECHO !Extent! !Lcn! !LBAstart! !Sectors! %Timestamp% %File%>>myfragi.log
)

ECHO.>>myfragi.log
GOTO :EOF

:convert_LBA
REM %1 = extent number, %2 = Lcn, %3 = first Vcn, %4 = next Vcn
SET /A Extent=%1
SET /A Lcn=%2
SET /A LBAstart=%InitialLBA%+%2*%clusterSize%
SET /A Sectors=%clusterSize%*(%4-%3)
CALL :set_length Extent 4
CALL :set_length Lcn 11
CALL :set_length LBAstart 12
CALL :set_length Sectors 7
GOTO :EOF

:set_length
REM Right-align the value held in variable %1 to a field %2 characters wide
SET %1=            !%1!
SET %1=!%1:~-%2,%2!
GOTO :EOF

jaclaz


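An added example, not jaclaz's script nor anything posted in this thread: Python that applies rules 1 to 3 above to a file list and returns the cluster ranges still worth searching, with the same Lcn to LBA arithmetic as convert_LBA in the batch. The file names, timestamps, cluster runs, NTFS extents and volume size are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
INITIAL_LBA = 63    # first sector of the volume, as in the batch script's InitialLBA
CLUSTER_SIZE = 8    # sectors per cluster, as in the batch script's clusterSize

@dataclass
class FileRec:
    name: str
    created: datetime
    modified: datetime
    extents: list   # [(lcn, cluster_count), ...], one entry per fragment

def lcn_to_lba(lcn, clusters):
    """Cluster extent -> (LBA start, sector count), the arithmetic of convert_LBA."""
    return INITIAL_LBA + lcn * CLUSTER_SIZE, clusters * CLUSTER_SIZE

def safe_extents(files, deleted_at, ntfs_extents):
    """Rules 1-3: extents that cannot lie on top of the deleted container."""
    safe = list(ntfs_extents)                  # rule 3: NTFS structures
    for f in files:
        if f.created <= deleted_at and f.modified <= deleted_at:
            safe += f.extents                  # rule 1: untouched since the deletion, fragmented or not
        elif f.created <= deleted_at and len(f.extents) == 1:
            safe += f.extents                  # rule 2: grew after the deletion but is still contiguous
    return safe

def remaining_map(total_clusters, safe):
    """Whole volume minus the safe extents: the (lcn, count) ranges still worth searching."""
    gaps, cur = [], 0
    for lcn, n in sorted(safe):
        if lcn > cur:
            gaps.append((cur, lcn - cur))
        cur = max(cur, lcn + n)
    if cur < total_clusters:
        gaps.append((cur, total_clusters - cur))
    return gaps

# Constructed sample: names, timestamps and cluster runs are made up for illustration.
DELETED_AT = datetime(2020, 5, 1, 12, 0)
SAMPLE_FILES = [
    FileRec("old_vm.vdi", datetime(2019, 1, 1), datetime(2019, 6, 1), [(100, 50), (400, 50)]),
    FileRec("savegame.dat", datetime(2019, 3, 1), datetime(2020, 6, 1), [(200, 10)]),
    FileRec("game_update.pak", datetime(2019, 3, 1), datetime(2020, 6, 1), [(300, 20), (600, 20)]),
    FileRec("new_download.iso", datetime(2020, 7, 1), datetime(2020, 7, 1), [(700, 30)]),
]
NTFS_EXTENTS = [(0, 100)]   # $MFT and the other system files, constructed
TOTAL_CLUSTERS = 1000
if __name__ == "__main__":
    for lcn, n in remaining_map(TOTAL_CLUSTERS, safe_extents(SAMPLE_FILES, DELETED_AT, NTFS_EXTENTS)):
        print("Lcn %d LBAstart %d Sects %d" % ((lcn,) + lcn_to_lba(lcn, n)))
```

The ranges left over contain both the post-deletion fragmented files (case a) and whatever is left of the container (case b); game_update.pak and new_download.iso sit inside them on purpose.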
(@jericcarino)
New Member
Joined: 3 years ago
Posts: 3
 

@4144414d 

 

Hi. I lost my 150gb truecrypt file container after windows automatically ran a scan and repair thing. I'm banging my head against the wall trying to research all these things but can't seem to find a solution. I tried brute forcing it via winhex to no avail. I saw your post about py.hunt? I'd really want to try that before I completely lose my files. Please help.


(@jericcarino)
New Member
Joined: 3 years ago
Posts: 3
 

@4144414d Hi. I'd like detailed instructions on how to run this pytruecrypt script please? Thank you very much.


(@jericcarino)
New Member
Joined: 3 years ago
Posts: 3
 

I'm extremely late to this but I've been trying to run the script on my Windows 11 laptop and this is what I get:

C:\rescue\pytruecrypt-master\pytruecrypt-master\examples>python hunt.py password --chain=256
File "C:\rescue\pytruecrypt-master\pytruecrypt-master\examples\hunt.py", line 69
print 'Sector {}: Fully valid header found'.format(sector_num)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

 

I could really use some help. thank you very much in advance.


(@royankit)
Active Member
Joined: 3 years ago
Posts: 10
 

@jaclaz 

Hi,

Thanks for the information. I was also looking for the same.

