How to Recover Deleted Files on a LUKS Encrypted System Drive?

hachiroku
Posts: 2
Joined: 12 Jan 2019, 15:15

#1 Post by hachiroku »

Hello everyone,

I am trying to recover some photos and videos that I accidentally deleted, which were in /home/user/downloads and /home/user/ locations on my encrypted Linux system SSD.

As illustrated in the linked picture below there are a number of different media options to choose for the same drive in PhotoRec.

Image

I have tried every one of those media options, and I tried recovering from all of their presented partition options as well (including Unknown ... [Whole disk]). I also tried both [ ext2/ext3 ] and [ Other ] filesystem options for each. All of the attempted file recoveries were saved to /dev/sda HDD, with separate folders for each.

For all of the above I tried [Options ] set to "Keep corrupted files : Yes" with all else left at default, and for [File Opt] I chose various image and video file types for the first series of recovery attempts and then all file types for the second. None of these recovery attempts have returned any of the files I'm after, despite them only being deleted a few days ago (10+GB worth and very little has written to the SSD since AFAIK).

I should mention that I've also tried TestDisk as well with no luck, and I've tried Google'ing for hours in search of a solution. I'm at wit's end now. :(

Any help at all would be immensely appreciated. Thanks guys!

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

#2 Post by cgrenier »

There should be a /dev/mapper/XXX device corresponding to your unlocked LUKS volume. Run PhotoRec, select it, Search, Free...

hachiroku
Posts: 2
Joined: 12 Jan 2019, 15:15

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

#3 Post by hachiroku »

cgrenier wrote: 13 Jan 2019, 15:34 There should be a /dev/mapper/XXX device corresponding to your unlocked LUKS volume. Run PhotoRec, select it, Search, Free...

Hi cgrenier, thank you very much for the response! Impressive website too. :)

My apologies for messing up the image file post in the OP. Just to reiterate what I said in the OP more clearly, here's a link to that image showing all the media options I tried: https://imgur.com/DuZh3ug

Here's what I get in testdisk when I try to do: media "/dev/mapper/mint--vg-root" -> partition table type "None" -> "Advanced" filesystem utils -> "List" list & copy files: https://imgur.com/nPOvsmn (I tried copying a few of these files and saving them to a folder on another drive but nothing seemed to appear on the drive).

A couple more screenshots of other folders in same scan results: https://imgur.com/XAYQac5 , https://imgur.com/qWBJrAg

And here are some screenshots from a data recovery program called "UFS Explorer": https://imgur.com/EXZASJP , https://imgur.com/ZIZitXG , https://imgur.com/aWj6fp4

After searching google for solutions and asking for help on freenode's ##linux, it seems that because I unwittingly opted for extra file-level ecryptfs encryption during Linux Mint install, I'm unable to access and recover files in the normal way using TestDisk, PhotoRec or similar software. Could you please advise how a clumsy linux noob like myself should go about accessing and recovering this data? :P Any help is very much appreciated! Cheers! ^_^

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

#4 Post by cgrenier »

Run PhotoRec, select /dev/mapper/sda5_crypt, Search.
Be careful to store the recovered files on another disk (not /home) to avoid overwriting your lost data.
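
The two points from the replies above (select the unlocked /dev/mapper device, and keep the recovery directory off that volume) can be checked before PhotoRec is started. This is an added example, not part of the thread: the listings are constructed from device names mentioned in the posts, and /dev/sdb1 and /mnt/recovery are assumed names for the second disk.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Listings are constructed; /dev/sdb1 is hypothetical.

# Print each dm-crypt mapping (an unlocked LUKS volume) named in
# `lsblk -P -p -o NAME,TYPE` output read from stdin.
crypt_devices() {
  sed -n 's/^NAME="\([^"]*\)" TYPE="crypt".*$/\1/p'
}

# Succeed if stdin, the output of `lsblk -s -P -p -o NAME,TYPE <dev>` (the device
# followed by its ancestors), contains mapping $1, meaning <dev> is stored on it.
sits_on() {
  grep -qF "NAME=\"$1\" TYPE=\"crypt\""
}

# check_plan <full listing> <ancestor listing of the destination's device>
# Prints the device to select in PhotoRec; fails if the destination is on it.
check_plan() {
  local target
  target=$(printf '%s\n' "$1" | crypt_devices | head -n 1)
  [ -n "$target" ] || { echo "no unlocked LUKS mapping found" >&2; return 2; }
  if printf '%s\n' "$2" | sits_on "$target"; then
    echo "refusing: destination is stored on $target" >&2
    return 1
  fi
  printf '%s\n' "$target"
}

ALL='NAME="/dev/sda" TYPE="disk"
NAME="/dev/sda5" TYPE="part"
NAME="/dev/mapper/sda5_crypt" TYPE="crypt"
NAME="/dev/mapper/mint--vg-root" TYPE="lvm"
NAME="/dev/sdb" TYPE="disk"
NAME="/dev/sdb1" TYPE="part"'
DEST_HOME='NAME="/dev/mapper/mint--vg-root" TYPE="lvm"
NAME="/dev/mapper/sda5_crypt" TYPE="crypt"
NAME="/dev/sda5" TYPE="part"
NAME="/dev/sda" TYPE="disk"'
DEST_OTHER='NAME="/dev/sdb1" TYPE="part"
NAME="/dev/sdb" TYPE="disk"'

check_plan "$ALL" "$DEST_OTHER"   # accepted: prints the device to select
check_plan "$ALL" "$DEST_HOME" || echo "pick a directory on another disk"

# Live use, with /mnt/recovery as an assumed mount point on a second disk:
#   src=$(findmnt -n -o SOURCE -T /mnt/recovery)
#   check_plan "$(lsblk -P -p -o NAME,TYPE)" "$(lsblk -s -P -p -o NAME,TYPE "$src")"
```

A destination under /home resolves to the LVM volume stacked on the crypt mapping, so the check rejects it, while a filesystem on the second disk passes.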
