Hi all,
I'm looking into options to recover a deleted encrypted RAR file, or at least the data contained within.
I've tried every piece of data carving software that I could get my hands on, and come up with zilch in terms of retrieving the actual encrypted rar itself.
However, it occurs to me that, as I know the password for the RAR file already, it may just be that the header is lost and the data from the rar file is still intact (drives have been pulled for imaging already). There's a good chance the data is there but in encrypted form, so traditional carving tools are unable to find it.
Are there any tools already available which can scan a hard drive, and decrypt & export the data/files that may still be on the drive?
I realise I may be s**t out of luck with this in terms of an already existing tool, not to mention the RAR salt being unique, but it's worth a shot to see if anyone has come across anything, or made anything themselves.
I was hoping for at least a script that could read a HDD .img file and convert it to another img file which has been decrypted with the appropriate decryption and password for the RAR file, which would then allow traditional data carving utils to work?
Any ideas/thoughts/comments appreciated. As usual, important data, only copy... idiot user (myself).
It doesn't work this way, unfortunately.
A .RAR file (setting aside for a moment the encryption) is a kind of file (compressed archive) that has the "least" information possible; its scope is to reduce to the minimum the size on storage, and it does this by "compacting" the information.
The drawback is that it is much more "sensible" to corruption than some other file types where the information is less compacted.
The added layer of encryption doesn't particularly worsen the issue, but it doesn't particularly help with it either.
What you have to find is probably not a "deleted encrypted" file, but more likely a (partially) "corrupted deleted encrypted", the main issue is the (probably) corrupted.
You simply cannot usually extract "partial" data from a "normal" .RAR file that has been corrupted, let alone if it is encrypted.
Essentially you need to have a .RAR file and "repair" it before anything else.
When (large) RAR (but not only) files are sent (and there is a risk of corruption in the transmission), they are usually accompanied by .PAR files, for example:
http//
It is not - at least in theory - impossible to repair partially, VERY partially corrupted .RAR files, in the absence of suitable .PAR files, but here you have not even the .RAR file.
You may want to try to create two or three new .rar files out of some different set of files and encrypt them using the same password as the one used for the "lost" file and see if you can find a "common pattern" among these newly created files.
If you find one (which I doubt) then you may try carving for that pattern.
Otherwise (but it depends greatly on which filesystem, the size of the file, the usage pattern of the device, whether it was an OS volume, etc., the defragmentation status of the volume, the presence or absence of other encrypted .RAR's, and a whole set of other possible situations) there is a (very feeble) chance of using "negative logic", i.e. find each and every "file" (or more accurately each and every sector) and, once a "justification" for it has been found, i.e. making sure that it does NOT belong to the .RAR in question, zero it out.
What remains cannot but be parts of the .RAR file, but if it wasn't in one extent only (i.e. fragmented) there is very little chance that you can rebuild more than, maybe, a handful of extents in the right order.
In any case it would be an enormous task, to be carried out (for the most part) manually.
jaclaz
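Two of the ideas in the reply above (derive a carving pattern empirically from freshly created test archives, and use "negative logic" to scan only the sectors no identified file accounts for) can be tried mechanically. The script below is an added example written for this thread, not jaclaz's or the original poster's code, and not a real carving tool. Its inputs are constructed in the script so it runs offline: the "test archives" are the documented RAR 5.x marker bytes followed by pseudo-random filler (standing in for an encrypted payload, which shares no structure across archives), the "disk image" is random filler with two such samples written into it, and the allocated-extent list is made up. On a real case you would feed it the archives you created with the same password and settings, your .img file, and the extents of files your filesystem parser has already accounted for.

```python
import random

SECTOR = 512
# RAR 5.x marker block as documented by RARLAB; the constructed samples below start with it.
# In practice you would let the archiver produce the samples rather than assume any marker.
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"


def make_sample(seed, size=4096):
    """Constructed stand-in for a freshly created test archive: a known marker followed
    by pseudo-random bytes, which is what an encrypted/compressed payload looks like."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(size - len(RAR5_SIGNATURE)))
    return RAR5_SIGNATURE + body


def common_prefix(samples):
    """Longest byte prefix shared by every sample (a fixed header shows up here)."""
    prefix = bytearray()
    for column in zip(*samples):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    return bytes(prefix)


def shared_ngrams(samples, n=8):
    """Every n-byte run present in all samples, wherever it sits. With a sound cipher
    and a per-archive salt the payloads share nothing, so only real structure remains."""
    grams = [{s[i:i + n] for i in range(len(s) - n + 1)} for s in samples]
    return set.intersection(*grams)


def unallocated_extents(total_sectors, allocated):
    """'Negative logic': the sectors not claimed by any identified file.
    allocated is a list of inclusive (first_sector, last_sector) pairs."""
    free, cursor = [], 0
    for first, last in sorted(allocated):
        if first > cursor:
            free.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor < total_sectors:
        free.append((cursor, total_sectors - 1))
    return free


def scan_image(image, signature, extents=None):
    """Byte offsets where signature occurs, optionally limited to the given sector
    extents. Every byte offset is checked, not just sector boundaries."""
    if extents is None:
        extents = [(0, len(image) // SECTOR - 1)]
    hits = []
    for first, last in extents:
        lo, hi = first * SECTOR, (last + 1) * SECTOR
        pos = image.find(signature, lo, hi)
        while pos != -1:
            hits.append(pos)
            pos = image.find(signature, pos + 1, hi)
    return hits


def build_demo_image(samples, total_sectors=64):
    """Constructed disk image: random filler with two samples written in, one
    sector-aligned and one not, so the scanner cannot rely on alignment."""
    rng = random.Random(99)
    image = bytearray(rng.getrandbits(8) for _ in range(total_sectors * SECTOR))
    image[3 * SECTOR:3 * SECTOR + len(samples[0])] = samples[0]
    off = 20 * SECTOR + 100
    image[off:off + len(samples[1])] = samples[1]
    return bytes(image)


def demo():
    """Derive a pattern from three constructed samples, then carve only free sectors."""
    samples = [make_sample(seed) for seed in (1, 2, 3)]
    signature = common_prefix(samples)
    image = build_demo_image(samples)
    # Constructed bookkeeping: sectors 40-63 are accounted for by intact files.
    free = unallocated_extents(64, [(40, 63)])
    return signature, shared_ngrams(samples), scan_image(image, signature, free)


if __name__ == "__main__":
    signature, grams, hits = demo()
    print("candidate signature:", signature)
    print("8-byte runs shared by all samples:", grams)
    print("hits at byte offsets:", hits)
```

If `shared_ngrams` returns nothing beyond the archiver's own marker block, that is the outcome jaclaz predicts: the encrypted payload carries no stable pattern, and the only thing left to carve for is the header that the original poster believes is already gone. The extent filter is still worth keeping, since every sector you can justify as belonging to another file is one fewer sector to inspect by hand.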