Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
I have a truecrypt container on my ext4 drive which somehow vanished. I have no clue how and why and I want to recover it. As TC containers contain random data there is no clear signature, I know that. But I have a backup (which is 3 months old though) where I can make an identification on and that's the result. So I booted a Ubuntu Live CD and this is the result.
There is no real magic string nor should the first bytes of the file change. The file doesn't have any file extenstion and I wanted to know if somebody could help me create a signature for this if even possible?
I am interested in how you recover the lost container as I also use TC. TestDisk may be a possible solution. As the container can be copied to other media and accessed on the new media, It would seem that it would remain intact IF you can recover the container with all of it file information and if no data has been written to the portions of the drive where the container resided.
I used TestDisk 7.0 on an failed external and was able to recover many very large files intact but there was no TQ container on that drive to see how TD would handle a TQ container. From what I know about TQ it would not be possible to locate and recover individual files within the container.
TD 7.0 might repair the HDD with all files intact. However, even if the HDD cannot be repaired, you might be able to copy the container to another HDD of sufficient size to handle the container. The key it seems is having the ability to list the files on the failed HDD and the container showing up on the list. The copy process is very slow but still very useful.
Good Luck! I'll watch this board for your progress.
TrueCrypt header is encrypted, it's design to make identification of TrueCrypt volume impossible without the password.
No signature can be written unless you have an old copy/backup of your truecrypt volume. In this case, you can write a signature using the hexadecimal values of your old truecrypt volume.
I also am attempting to resurrect a truecypt volume from a flash drive which no longer is responding, so I will be curious to know if either of you have been able to write a custom signature to extract the volume as cgrenier suggested. I've been impressed with the amount of old files photorec has dug up and recovered on the bad flash drive, and I wish I could get it to do the same for my TC volume! I have a backup copy of my old truecrypt volume to create a custom signature, but I have to admit I am a novice when it comes to code and knowing what "hexadecimal values" are and how to place them in a custom signature. Any documentation as to how anyone successfully created a custom TC hexadecimal value signature and then using it to extract a TC volume would be greatly appreciated!!!
Tim;
If you have a backup copy of the TQ container you should be able to copy that backup to another drive and install the container with the same password used to encrypt the data. After all the TQ container is a file that complies with the same parameters (except for not having an extension) as any other file and the exception that file cannot be read until it is installed but it can be copied to other media and installed from that secondary media Including CD/DVD.
You could install the backup copy BUT I would never mess with any backup file - better to copy the backup and then do your magic to view the data. You might also be able to use TestDisk to find the file and recover the file intact after using the "List" function. It does take time though - a LOT of time. The time can be shortened considerably if you start TestDisk from the drive that you will use to receive copy the TQ file. You could also shorten the time by selecting "No Record". That may be an incorrect 'name' but I have found that, for large files/drives, the record is too large to be of any value to me. I have found that it is easier to restart the TestDisk program than to try to read the very large text file (one was over 30GB when recovering a 2TB failed drive).
I am also a novice and do not yet understand a lot of what goes into TestDisk but it is a very good program and you can end up with full files with all of the data associated with the file recovered. Photorec does a very good job of recovering files BUT the work involved with identifying the recovered files is very tedious as (from my limited experience) you do not recover anything but the file (without a name) and the extension.