Hi, I had a VeraCrypt container file that had important encrypted data; the partition that had the file was formatted by mistake. It is an ordinary file that has no signature. When I tried to recover it, I only succeeded in reaching its MFT. I cannot understand it.
Please, can anyone help me get to the first sector that contains the file data?
I am seeking its first couple of kilobytes (the container header) so that I can recover the files in it.
An important note: the partition was 400 GB, and after the re-partitioning it was extended by 50 GB. The 50 GB were added to the beginning of the partition.
The raw data of the MFT record is below.
In the link below I uploaded a dump of the MFT of my file and a dump of the first MFT of both the original partition and the extended one.
https://
Any help to recover my data, and to reconstruct my file again if I can, would be much appreciated.
It could be that whatever tool you used could not handle $ATTRIBUTE_LIST. Grab 26 clusters from LCN 15670. That is from volume offset (15670 x cluster size). Then upload those bytes.
Btw, what tool did you use?
Thanks for your reply. The tool I'm using is WinHex.
The beginning of my deleted volume on the current volume is at offset 53147697152 (decimal).
As I understood from your reply, I went to offset (15670 x 4096) = 64184320 (bytes) from the volume beginning (offset 53147697152), but all data in the following clusters is filled with zeros.
It could point to the offset from before the format, but I really have no idea what may have happened on this volume. If you know exactly how many bytes were "prepended", you could try to extract that from offset and see. This does not in any way mean that you will be able to get the data. I am just trying to see if the attribute list can be found. I already saw traces of old entries in the MFT record slack.
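
Added example, not part of the thread and not any poster's code: the LCN-to-offset arithmetic discussed above, written in Python so that a run of clusters can be read relative to the old volume's start and checked for being zero-filled. The function names and the in-memory test image are constructed for illustration; the numbers in the `__main__` block are the ones quoted in the thread.

```python
import io
import struct

def ntfs_cluster_size(boot_sector: bytes) -> int:
    """Bytes per cluster from an NTFS boot sector (BPB offsets 0x0B and 0x0D)."""
    if len(boot_sector) < 512 or boot_sector[3:11] != b"NTFS    ":
        raise ValueError("no NTFS boot sector at this offset")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot_sector, 0x0B)
    return bytes_per_sector * sectors_per_cluster

def lcn_to_offset(volume_base: int, cluster_size: int, lcn: int) -> int:
    """Absolute byte offset of a cluster; volume_base is where the OLD volume starts."""
    return volume_base + lcn * cluster_size

def extract_run(dev, volume_base, cluster_size, lcn, count) -> bytes:
    """Read `count` clusters starting at `lcn`; the source is only ever read."""
    dev.seek(lcn_to_offset(volume_base, cluster_size, lcn))
    data = dev.read(count * cluster_size)
    if len(data) != count * cluster_size:
        raise EOFError("run extends past the end of the image")
    return data

def is_zero_filled(data: bytes) -> bool:
    return data.count(0) == len(data)

def build_sample_image() -> io.BytesIO:
    """Constructed test image: 8 KiB of prepended space, then a tiny 'old' volume."""
    base, cluster = 8192, 4096
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)   # 512-byte sectors, 8 per cluster
    img = bytearray(base + 6 * cluster)
    img[base:base + 512] = boot
    img[base + 3 * cluster:base + 5 * cluster] = b"\xA5" * (2 * cluster)  # data at LCN 3-4
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # Values quoted in the thread: old volume start, 4096-byte clusters, LCN 15670.
    print(lcn_to_offset(53147697152, 4096, 15670))
    img = build_sample_image()
    img.seek(8192)
    cs = ntfs_cluster_size(img.read(512))
    run = extract_run(img, 8192, cs, 3, 2)
    print(cs, len(run), is_zero_filled(run))
```

On a real case, `dev` would be a forensic image of the disk opened with `open(path, "rb")`, and the extracted run would be written to a different drive.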