I need to scan a disk looking for deleted TrueCrypt volumes. Has anyone had much success with this? I cannot see how EnCase can pick up these volumes, as essentially they can have any extension and be of any size.
Regards
bdust,
Notwithstanding the fact that there is no standard header or footer, there are a few features of TrueCrypt volumes that you can use to provide a bit of an indication:
1) The GUI only accepts integer values for sizes. As the smallest unit is KB, it follows that the file must be in at least 1024 byte chunks. It is also likely, therefore, that the tail end of the file stops on a sector boundary (assuming 512 byte sectors).
2) It is human nature to enter recognizable and easy values for the size, so for example you are more likely to find a 50MB file than a 53MB file, or to find a 1GB file than a 1023MB file.
3) The whole file will have a high entropy (the values 0 to 255 will be evenly distributed across all the bytes).
Also have a look at when the TrueCrypt executable was last run and look for files that fit the above criteria with similar accessed, written or modified dates. (To be honest I haven't tested whether this will work - it's just an idea.)
HTH
Paul
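The three indicators above (KB-multiple size, a "human" round size, and near-uniform byte distribution) can be turned into a triage script that runs over a folder of carved or recovered files. The following is an added example written for this thread, not code from any of the posters or from TrueCrypt; the entropy threshold, the sample size and the definition of a "round" size (a whole number of MB or GB whose count is a multiple of 5 or a power of two) are my own assumptions and can be tuned.

```python
import math
import os
from collections import Counter

# Thresholds below are assumptions for this example, not values from the thread.
MIN_ENTROPY_BITS = 7.9        # uniform random bytes give close to 8.0 bits/byte
SAMPLE_BYTES = 1024 * 1024    # how much of each file to read for the entropy estimate
UNITS = (("GB", 1024 ** 3), ("MB", 1024 ** 2), ("KB", 1024))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, approaching
    8.0 when all 256 byte values are evenly distributed (point 3 above)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def size_unit(size: int):
    """Points 1 and 2: return the largest unit (GB/MB/KB) that divides the
    size exactly, or None if the size is not even a whole number of KB."""
    for name, unit in UNITS:
        if size > 0 and size % unit == 0:
            return name
    return None


def looks_round(size: int) -> bool:
    """Point 2 made concrete (assumed heuristic): a 'human' size is a whole
    number of MB or GB whose count is a multiple of 5 or a power of two
    (50 MB, 256 MB, 1 GB ...), as opposed to 53 MB or 1023 MB."""
    unit = size_unit(size)
    if unit not in ("MB", "GB"):
        return False
    count = size // dict(UNITS)[unit]
    return count % 5 == 0 or (count & (count - 1)) == 0


def assess(size: int, sample: bytes) -> dict:
    """Combine the indicators for one file. 'sample' is the first
    SAMPLE_BYTES of the file (or the whole file if it is smaller)."""
    ent = shannon_entropy(sample)
    result = {
        "size": size,
        "kb_multiple": size_unit(size) is not None,
        "sector_aligned": size % 512 == 0,   # implied by kb_multiple for 512 byte sectors
        "round_size": looks_round(size),
        "entropy": round(ent, 4),
    }
    result["candidate"] = result["kb_multiple"] and ent >= MIN_ENTROPY_BITS
    return result


def scan_directory(root: str):
    """Walk a directory (for example an export of carved files) and return
    the files that pass the size and entropy tests, strongest first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
            r = assess(size, sample)
            if r["candidate"]:
                r["path"] = path
                hits.append(r)
    hits.sort(key=lambda r: (r["round_size"], r["entropy"]), reverse=True)
    return hits


if __name__ == "__main__":
    import random
    import sys
    if len(sys.argv) > 1:
        for hit in scan_directory(sys.argv[1]):
            print(hit)
    else:
        # Constructed demo data: pseudo-random bytes stand in for ciphertext.
        rng = random.Random(7)
        cipherlike = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
        print(assess(50 * 1024 ** 2, cipherlike))                       # flagged
        print(assess(53 * 1024 ** 2 + 7, cipherlike))                   # not a KB multiple
        print(assess(50 * 1024 ** 2, b"The quick brown fox " * 5000))   # low entropy
```

Run it as `python script.py /path/to/carved_files` to list candidates. Bear in mind that any compressed or already-encrypted file (zip, jpeg, other containers) also passes the entropy test, so the output is a list to examine by hand, not a finding on its own.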
Also have a look at when the Truecrypt executable was last run and look for files that fit the above criteria with similar accessed, written or modified dates. (to be honest I haven't tested whether this will work - it's just an idea)
Unfortunately, with the default settings, it won't. TrueCrypt preserves timestamps unless specifically disabled.
-(
Unfortunately, with the default settings, it won't. TrueCrypt preserves timestamps unless specifically disabled.
Makes sense 8)
The registry should also help you: if you look for mounted devices and volumes, you should also be able to determine the volume size.
Consider that if a hidden volume is stored in an outer volume, then the size of the mounted volume in the registry may differ, but it is smaller for sure.
The bad thing is that if a file was deleted, the bigger the volume was, the harder it will be to recover it, due to overwritten portions of it.