I was working on my english research essay, I went to rename it, and of course accidently hit delete instead. (Who's brilliant idea was it to put rename and delete right next to each other?)
This wouldn't be a problem, but I was working inside my XP virtual machine, connecting to a virtual network share with a Linux host. Furthermore, the partition is encrypted with truecrypt.
Because it is encrypted, when I view the partition, even with truecrypt running and the disk mounted, it shows me garbled data. I have not heard of a method for recovering deleted files on an encrypted partition, only imaging it logically.
Any help would be greatly appreciated.
Once mounted you can run any data recovery software over the encrypted volume. It may look like grabled data but I'm sure its not if you search for file headers
I've tried running foremost and photorec, and both of them came up with nothing. I believe this to due to the encryption rather than there being no deleted files on the disk. Trying to use XXD, grep, and strings all return no meaningful text. Am I doing something wrong? Could there be another device, rather than /dev/sda4, that would point to the truecrypt translated partition? I tried /dev/mapper/truecrypt1, but that was all 0's.
All the tools I have in my XP machine won't reach out to network drives, and I am not at home to make an image and put it on a external drive.
Would I be correct if I said that using such tools bypasses the Truecrypt API, and looks directly at the hard drive? That is why I see cyphertext when I look at it?
TrueCrypt uses "on-the-fly" encryption/decryption. In that only what you need is decrypted as you need it. When you look at the partition with a non-native tool TrueCrypt does not recognize that sector as needing to be decrypted, thus all the tool and you see is random characters.
And are there any tools that can help? Either by going through truecrypt, or can decrypt on their own?
Or, is there a way I can copy the partition to a new disk, and unencrypt it? Similiar to when you copy and encrypted file to a non-encrypted disk? Probably not, but worth thinking about I guess.
would not mounting the TC volume then viewing it as a logical evidence show up 'properly', unencrypted?
If I understand your post,
It does show up logical, but in order to recover deleted data I need to view the partition physically and unencrypted. Viewing it physically shows only the encrypted data, and is unless to me.