Recover KeePass key file with PhotoRec

Deleted User 14816

Recover KeePass key file with PhotoRec

#1 Post by Deleted User 14816 »

Salut and hello! :)

I have successfully recovered my KeePass database "Database.kdbx" from a deleted NTFS partition using PhotoRec.

The problem is that I didn't use a master password to open the KeePass database but a key file: https://keepass.info/help/base/keys.html#keyfiles .

How can I recover this file with PhotoRec? I've read that one can add one's own extensions to PhotoRec, but I'm not technical enough to write that on my own.

I would be really grateful if someone could help me create this extension or add this file format to PhotoRec so that I may recover the lost key file with PhotoRec.

The file itself does not look complicated, here's the content of an example file, the file ending is ".key" as in this example file "Database.key":

<?xml version="1.0" encoding="utf-8"?>
<KeyFile>
	<Meta>
		<Version>1.00</Version>
	</Meta>
	<Key>
		<Data>RAvYjYrAr0HQSLfl5ZIWWnQya8OGGKDBZipbJVkeYMQ=</Data>
	</Key>
</KeyFile>

Thank you very, very much and have a great weekend!

Deleted User 14816

Re: Recover KeePass key file with PhotoRec

#2 Post by Deleted User 14816 »

I've now created the extension myself, but it doesn't work:

File: photorec.sig

key 41 "KeyFile"

I have placed the file in the same folder as the PhotoRec executable "photorec_win.exe" file and also in the directory C:\Users\Mediax\, but when I run the command

C:\Users\Mediax\Downloads\testdisk-7.2-WIP.win\testdisk-7.2-WIP>fidentify_win C:\Users\Mediax\Desktop\Database.key

then the output is

C:\Users\Mediax\Desktop\Database.key: xml

I would have expected the output to be

C:\Users\Mediax\Desktop\Database.key: key

but that's not the case. Is there no way that PhotoRec recovers files including the string "KeyFile" only? When I run PhotoRec it finds numerous xml files, but I haven't found one containing the "KeyFile" string, at least Windows Explorer didn't. I would highly appreciate some advice.

Please be so kind and take care! :)

recuperation

Re: Recover KeePass key file with PhotoRec

#3 Post by recuperation »

Please post your signature file and create a defined testing environment to test it:

Use a USB stick, for example: format it, write a KeePass key file onto it.
See what the test gives.

There is no use in testing the key file on a drive where you can't be sure that a corresponding key file exists!
You should do that after testing that the newly generated fingerprint file works fine.

Deleted User 14816

Re: Recover KeePass key file with PhotoRec

#4 Post by Deleted User 14816 »

Great idea! Thank you! (Danke Dir!)

I've now finished all the tests using a 4 GB USB flash drive, first formatted as NTFS, during later tests as FAT32.
My steps were always to first copy the Database.key and, for testing purposes, a jpg file to the drive, then run PhotoRec, and secondly to quick format the drive and then run PhotoRec again. The results were always the same, no matter if NTFS or FAT32, before formatting or after:

The original files that I copied to the drive were: "Database.key" and "Mountains.jpg". After file recovery in PhotoRec I always got both files back, but as "f0018528.xml" and "f0018536.jpg". No files were corrupted, the picture files opened and the key file and the recovered xml files look identical.

I am not sure if the signature file worked because the key file has always been restored as xml file, but maybe the xml file is dominant in the recovery process of PhotoRec so that it won't ever recover it as key file?

That's my signature file I used during my tests:

photorec.sig

key 41 "KeyFile"

And that's the key file I used for testing:

Database.key

<?xml version="1.0" encoding="utf-8"?>
<KeyFile>
	<Meta>
		<Version>1.00</Version>
	</Meta>
	<Key>
		<Data>RAvYjYrAr0HQSLfl5ZIWWnQya8OGGKDBZipbJVkeYMQ=</Data>
	</Key>
</KeyFile>

Theoretically, it would be enough if the data between <Data> and </Data> would be recovered as the key can be found between these two operators. Don't know if there is any way to recover my key file now. I had saved it several times on the drive, and I was able to recover my database with ease. I'm a bit afraid that the key file is recovered as a file other than xml so that I would have to search thousands of files manually using a hex editor. Do you have any idea what I should try next?

Thank you very much again and have a great weekend! :D

--
Device running PhotoRec: Asus Zenbook UM425 (Windows 10 64-bit)
Formatted drive: Samsung Portable SSD T5 (1 Terabyte, external drive)
Reason for formatting: Windows MediaCreationTool20H2.exe deleted whole drive instead of a separate partition only
Software: PhotoRec 7.2-WIP, Data Recovery Utility, February 2021

recuperation

Re: Recover KeePass key file with PhotoRec

#5 Post by recuperation »

Try disabling the "text file with header"-family that is labeled "tx?" in Photorec.
See what that gives on the stick.
For a live run I would rather leave all options enabled except for "tx?".
That will produce a bunch of unwanted files for you, but that should prevent your key file from becoming artificially long.

Deleted User 14816

Re: Recover KeePass key file with PhotoRec

#6 Post by Deleted User 14816 »

Thank you again! But I had no success. I've tried both again, the testing environment and my lost drive. I haven't received any *.key files from either test. Instead, I got a *.txt file from the testing environment instead of an *.xml from my previous testing. Looks like my signature file isn't working at all. I do have the option "custom: Own custom signatures" enabled, by the way. I've placed the signature file here

C:\Users\Mediax\Downloads\testdisk-7.2-WIP.win\testdisk-7.2-WIP

and there

C:\Users\Mediax\

Are the file locations incorrect?

Maybe my signature file is just wrong? Here it is:

photorec.sig

key 41 "KeyFile"

I'm really confused and would love to catch some more ideas. Thank you very much! :)

recuperation

Re: Recover KeePass key file with PhotoRec

#7 Post by recuperation »

mediax wrote: 28 Mar 2021, 12:03

Thank you again! But I had no success. I've tried both again, the testing environment and my lost drive. I haven't received any *.key files from either test. Instead, I got a *.txt file from the testing environment instead of an *.xml from my previous testing. Looks like my signature file isn't working at all. I do have the option "custom: Own custom signatures" enabled, by the way. I've placed the signature file here

C:\Users\Mediax\Downloads\testdisk-7.2-WIP.win\testdisk-7.2-WIP

and there

C:\Users\Mediax\

Are the file locations incorrect?

Maybe my signature file is just wrong? Here it is:

photorec.sig

key 41 "KeyFile"

I'm really confused and would love to catch some more ideas. Thank you very much! :)

Please use a hex editor (HxD, for example) to check the exact position in bytes of the string "KeyFile". Is that coded in ASCII? If it is coded in UTF-8, for example, you would need to use hex figures to describe the string, because the UTF encoding uses the highest bit in a byte, and ASCII symbols only use the decimal values of a byte up to 127.

Keep in mind that the first position in a file corresponds to position zero!
Use a hex editor to verify that your key file is ASCII only as described in the manual!

Deleted User 14816

Re: Recover KeePass key file with PhotoRec

#8 Post by Deleted User 14816 »

Okay, so I used Far Manager hex editor to check the position and 41 is correct, but you're right it's coded in UTF-8, so the new signature file was:

photorec.sig

key 41 0x4b657946696c65

Is that the correct syntax?

So, I was continuing the testing on the USB drive with "tx?" file option unchecked and then got a txt file out of PhotoRec instead of an xml file from my previous tests. The txt file included a successful recovery of my test file, though.

One thing I didn't understand is when I set the offset position to 0, I didn't get any file recovered from my USB drive. I would have expected that I would get a file that starts off with the "keyfile" string and all the data that follows after it, so that just everything before the string "keyfile" would be ignored. But that was not the case. Any idea why is that?

Then, I decided to also uncheck the "txt" file option, and finally I successfully got a file named "f0018528.key". I opened it up and found an exact copy of the test file that I deleted on that drive. As it seemed to work, I started another recovery attempt on my actually deleted SSD drive but had no success with finding any key file in the recovery folders. I got thousands of files and several copies of my KeePass database back but no single key file to it. I also got a 103 GB pdf file which I checked in my hex editor for the string "keyfile", without success, though.

I'm afraid there won't be anything left I could do, right?

Many thanks again for you being so patient with me! :D
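
The signature lines from posts #2 and #8, worked through as an added example (not part of the thread and not PhotoRec code): it computes where "KeyFile" sits in the head of the key file from post #1 under different line endings and with an optional UTF-8 BOM, and writes the signature in both forms used above. The function names and the variant list are assumptions made for this illustration.

```python
MAGIC = b"KeyFile"
UTF8_BOM = b"\xef\xbb\xbf"
# First lines of the key file shown in post #1; only the head matters here.
HEAD = [b'<?xml version="1.0" encoding="utf-8"?>', b"<KeyFile>", b"\t<Meta>"]


def build_head(newline, bom=False):
    """Constructed file head with the given line ending and optional BOM."""
    return (UTF8_BOM if bom else b"") + newline.join(HEAD) + newline


def magic_offset(data, magic=MAGIC):
    """Zero-based byte position of the magic string, or -1 if absent."""
    return data.find(magic)


def sig_lines(ext, offset, magic=MAGIC):
    """The same signature written as a quoted string and as hex digits."""
    return (f'{ext} {offset} "{magic.decode("ascii")}"',
            f"{ext} {offset} 0x{magic.hex()}")


def matches(data, offset, magic=MAGIC):
    """True only if the magic bytes sit exactly at the given offset."""
    return data[offset:offset + len(magic)] == magic


def report():
    """Offset of the magic for each way the same XML text can be saved."""
    variants = {"CRLF": build_head(b"\r\n"),
                "LF": build_head(b"\n"),
                "BOM+CRLF": build_head(b"\r\n", bom=True)}
    return {name: magic_offset(data) for name, data in variants.items()}


if __name__ == "__main__":
    for name, off in report().items():
        print(name, *sig_lines("key", off))
```

For these seven characters the quoted and the hex form describe the same bytes, while the offset moves with the line endings and the BOM, so a copy of the key file saved differently would not match a signature fixed at 41.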

cgrenier

Re: Recover KeePass key file with PhotoRec

#9 Post by cgrenier »

It may be more efficient to search in the files recovered by PhotoRec for an xml file containing the string "<Key>".

Deleted User 14816

Re: Recover KeePass key file with PhotoRec

#10 Post by Deleted User 14816 »

Merci beaucoup, Christophe ! :D

If my key file does not exist as an xml file after running PhotoRec with the default settings, then it is lost, right? Please let me know so that I can stop any further unnecessary recovery attempts.

Windows Explorer seems to be unreliable to scan file contents, as I've found out. My approach would be to merge all the files into one using the command prompt (cmd) and then typing:

Type *.xml > Combined.txt

Then I would use a hex editor (Far Manager) to search the combined file for the string "<Key".

Do you think that's a good idea, or would you recommend any other tool to search the folders for the string "<Key>"?

Thank you so much!
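
The content search suggested in post #9, as an added example (not part of the thread and not a TestDisk/PhotoRec tool): instead of merging files, it streams every recovered file, whatever its extension or size, and reports those containing a `<Key><Data>` block whose base64 decodes to 32 bytes. The 32-byte length is an assumption taken from the sample key file in post #1; the function names and the sample are constructed for this illustration.

```python
import base64
import re
from pathlib import Path

# Matches the <Key><Data>...</Data> block, even inside a larger recovered file.
KEY_RE = re.compile(rb"<Key>\s*<Data>\s*([A-Za-z0-9+/=]{1,128})\s*</Data>")
CHUNK = 1 << 20   # bytes per read
OVERLAP = 4096    # bytes carried over so a block split across two reads is seen
# Constructed sample file; its key is the 32 bytes 0x00..0x1f, not a real key.
SAMPLE = (b'<?xml version="1.0" encoding="utf-8"?>\r\n<KeyFile>\r\n\t<Meta>\r\n'
          b"\t\t<Version>1.00</Version>\r\n\t</Meta>\r\n\t<Key>\r\n\t\t<Data>"
          + base64.b64encode(bytes(range(32)))
          + b"</Data>\r\n\t</Key>\r\n</KeyFile>\r\n")


def scan_bytes(data):
    """Return the set of 32-byte keys found in <Key><Data> blocks of data."""
    keys = set()
    for match in KEY_RE.finditer(data):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:      # not valid base64, ignore this candidate
            continue
        if len(raw) == 32:      # assumption: 256-bit key, as in the sample
            keys.add(raw)
    return keys


def scan_file(path, chunk=CHUNK):
    """Stream a file of any size and return the keys it contains."""
    keys, tail = set(), b""
    with open(path, "rb") as handle:
        while block := handle.read(chunk):
            buf = tail + block
            keys |= scan_bytes(buf)
            tail = buf[-OVERLAP:]
    return keys


def scan_tree(root):
    """Map each file under root that holds a key block to the keys found."""
    hits = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        try:
            found = scan_file(path)
        except OSError:         # unreadable file, skip it
            continue
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    print(len(scan_bytes(SAMPLE)), "key block found in the constructed sample")
```

Calling `scan_tree` on the folder that holds PhotoRec's output directories returns the matching file names with the decoded key bytes, which can then be written back into a key file of the format shown in post #1.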
