TrueCrypt - Custom File Signature

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
rootbitch
Posts: 1
Joined: 18 Feb 2014, 08:20

TrueCrypt - Custom File Signature

#1 Post by rootbitch »

Hi,

I have an issue with the following:

I have a truecrypt container on my ext4 drive which somehow vanished. I have no clue how and why and I want to recover it. As TC containers contain random data there is no clear signature, I know that. But I have a backup (which is 3 months old though) where I can make an identification on and that's the result. So I booted a Ubuntu Live CD and this is the result.

Code: Select all

root@ubuntu:/home/ubuntu/Downloads/testdisk-7.0-WIP# hexdump -C /media/ubuntu/bluray/backup/20131107/vmware/share/container | head
00000000  e8 8f 9a 0c c4 df 7e ce  ad 43 87 e8 75 7d 8f 3a  |......~..C..u}.:|
00000010  09 a9 8d a4 d2 b5 b5 4e  78 77 d6 49 d4 cb b2 89  |.......Nxw.I....|
00000020  bc c2 92 9f cb 91 53 d0  f9 25 d3 81 3f 18 58 d9  |......S..%..?.X.|
00000030  7a 20 47 5f 9b 6d 29 60  4f 5f 06 6a 7a f1 11 2a  |z G_.m)`O_.jz..*|
00000040  06 f4 cf 3f c7 a2 6a 51  5d 63 c5 d7 16 e1 fd 37  |...?..jQ]c.....7|
00000050  a5 1a a7 5f 40 cb 52 e3  bb 3e 5a 74 94 93 82 0c  |..._@.R..>Zt....|
00000060  d5 23 b2 36 97 c3 04 3b  a9 b5 33 cd cd ba 32 e2  |.#.6...;..3...2.|
00000070  f8 08 bd 4a 29 e4 73 bd  a0 c9 3c ad 28 e3 22 9b  |...J).s...<.(.".|
00000080  4a d4 6a ec 8d 91 f7 06  1e d8 9f 77 db 21 81 d5  |J.j........w.!..|
00000090  e8 28 46 f0 91 12 7e ae  29 1a 05 aa 68 f4 5d fb  |.(F...~.)...h.].|
There is no real magic string nor should the first bytes of the file change. The file doesn't have any file extenstion and I wanted to know if somebody could help me create a signature for this if even possible?

Thanks a lot for your help in advance,
Alex
checksix
Posts: 3
Joined: 26 Feb 2014, 03:14

Re: TrueCrypt - Custom File Signature

#2 Post by checksix »

I am interested in how you recover the lost container as I also use TC. TestDisk may be a possible solution. As the container can be copied to other media and accessed on the new media, It would seem that it would remain intact IF you can recover the container with all of it file information and if no data has been written to the portions of the drive where the container resided.

I used TestDisk 7.0 on an failed external and was able to recover many very large files intact but there was no TQ container on that drive to see how TD would handle a TQ container. From what I know about TQ it would not be possible to locate and recover individual files within the container.

TD 7.0 might repair the HDD with all files intact. However, even if the HDD cannot be repaired, you might be able to copy the container to another HDD of sufficient size to handle the container. The key it seems is having the ability to list the files on the failed HDD and the container showing up on the list. The copy process is very slow but still very useful.

Good Luck! I'll watch this board for your progress.
User avatar
cgrenier
Site Admin
Posts: 5438
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: TrueCrypt - Custom File Signature

#3 Post by cgrenier »

TrueCrypt header is encrypted, it's design to make identification of TrueCrypt volume impossible without the password.
No signature can be written unless you have an old copy/backup of your truecrypt volume. In this case, you can write a signature using the hexadecimal values of your old truecrypt volume.
jeepintim
Posts: 1
Joined: 15 Mar 2014, 16:18

Re: TrueCrypt - Custom File Signature

#4 Post by jeepintim »

I also am attempting to resurrect a truecypt volume from a flash drive which no longer is responding, so I will be curious to know if either of you have been able to write a custom signature to extract the volume as cgrenier suggested. I've been impressed with the amount of old files photorec has dug up and recovered on the bad flash drive, and I wish I could get it to do the same for my TC volume! I have a backup copy of my old truecrypt volume to create a custom signature, but I have to admit I am a novice when it comes to code and knowing what "hexadecimal values" are and how to place them in a custom signature. Any documentation as to how anyone successfully created a custom TC hexadecimal value signature and then using it to extract a TC volume would be greatly appreciated!!!

Tim
checksix
Posts: 3
Joined: 26 Feb 2014, 03:14

Re: TrueCrypt - Custom File Signature

#5 Post by checksix »

Tim;
If you have a backup copy of the TQ container you should be able to copy that backup to another drive and install the container with the same password used to encrypt the data. After all the TQ container is a file that complies with the same parameters (except for not having an extension) as any other file and the exception that file cannot be read until it is installed but it can be copied to other media and installed from that secondary media Including CD/DVD.

You could install the backup copy BUT I would never mess with any backup file - better to copy the backup and then do your magic to view the data. You might also be able to use TestDisk to find the file and recover the file intact after using the "List" function. It does take time though - a LOT of time. The time can be shortened considerably if you start TestDisk from the drive that you will use to receive copy the TQ file. You could also shorten the time by selecting "No Record". That may be an incorrect 'name' but I have found that, for large files/drives, the record is too large to be of any value to me. I have found that it is easier to restart the TestDisk program than to try to read the very large text file (one was over 30GB when recovering a 2TB failed drive).

I am also a novice and do not yet understand a lot of what goes into TestDisk but it is a very good program and you can end up with full files with all of the data associated with the file recovered. Photorec does a very good job of recovering files BUT the work involved with identifying the recovered files is very tedious as (from my limited experience) you do not recover anything but the file (without a name) and the extension.

Good Luck!
CheckSix
Locked