Using PhotoRec to recover lost data
- Posts: 1
- Joined: 18 Feb 2014, 08:20
I have an issue with the following:
I have a truecrypt container on my ext4 drive which somehow vanished. I have no clue how and why and I want to recover it. As TC containers contain random data there is no clear signature, I know that. But I have a backup (which is 3 months old though) where I can make an identification on and that's the result. So I booted an Ubuntu Live CD and this is the result.
Code:
root@ubuntu:/home/ubuntu/Downloads/testdisk-7.0-WIP# hexdump -C /media/ubuntu/bluray/backup/20131107/vmware/share/container | head
00000000 e8 8f 9a 0c c4 df 7e ce ad 43 87 e8 75 7d 8f 3a |......~..C..u}.:|
00000010 09 a9 8d a4 d2 b5 b5 4e 78 77 d6 49 d4 cb b2 89 |.......Nxw.I....|
00000020 bc c2 92 9f cb 91 53 d0 f9 25 d3 81 3f 18 58 d9 |......S..%..?.X.|
00000030 7a 20 47 5f 9b 6d 29 60 4f 5f 06 6a 7a f1 11 2a |z G_.m)`O_.jz..*|
00000040 06 f4 cf 3f c7 a2 6a 51 5d 63 c5 d7 16 e1 fd 37 |...?..jQ]c.....7|
00000050 a5 1a a7 5f 40 cb 52 e3 bb 3e 5a 74 94 93 82 0c |..._@.R..>Zt....|
00000060 d5 23 b2 36 97 c3 04 3b a9 b5 33 cd cd ba 32 e2 |.#.6...;..3...2.|
00000070 f8 08 bd 4a 29 e4 73 bd a0 c9 3c ad 28 e3 22 9b |...J).s...<.(.".|
00000080 4a d4 6a ec 8d 91 f7 06 1e d8 9f 77 db 21 81 d5 |J.j........w.!..|
00000090 e8 28 46 f0 91 12 7e ae 29 1a 05 aa 68 f4 5d fb |.(F...~.)...h.].|
There is no real magic string, nor should the first bytes of the file change. The file doesn't have any file extension, and I wanted to know if somebody could help me create a signature for this, if even possible?
Thanks a lot for your help in advance,
- Posts: 3
- Joined: 26 Feb 2014, 03:14
I am interested in how you recover the lost container as I also use TC. TestDisk may be a possible solution. As the container can be copied to other media and accessed on the new media, it would seem that it would remain intact IF you can recover the container with all of its file information and if no data has been written to the portions of the drive where the container resided.
I used TestDisk 7.0 on a failed external and was able to recover many very large files intact but there was no TQ container on that drive to see how TD would handle a TQ container. From what I know about TQ it would not be possible to locate and recover individual files within the container.
TD 7.0 might repair the HDD with all files intact. However, even if the HDD cannot be repaired, you might be able to copy the container to another HDD of sufficient size to handle the container. The key it seems is having the ability to list the files on the failed HDD and the container showing up on the list. The copy process is very slow but still very useful.
Good Luck! I'll watch this board for your progress.
- Site Admin
- Posts: 5307
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
TrueCrypt header is encrypted; it's designed to make identification of a TrueCrypt volume impossible without the password.
No signature can be written unless you have an old copy/backup of your truecrypt volume. In this case, you can write a signature using the hexadecimal values of your old truecrypt volume.
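Added example, not part of the original thread or of PhotoRec itself: one way to turn the first bytes of a backup copy into a custom signature line in PhotoRec's "extension offset magic" format, and to check whether a carved file starts with the same bytes. The extension "tc", the 16-byte length and the function names are assumptions; the sample bytes are the first 16 bytes of the hexdump posted above.

```shell
#!/bin/sh
# Added example: derive a PhotoRec custom-signature line from a backup copy.

# first_hex FILE N: print the first N bytes of FILE as lowercase hex.
first_hex() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# make_sig FILE EXT [N]: emit "EXT 0 0xHEX" (extension, offset, magic).
# Offset 0 because the bytes come from the very start of the container.
# EXT is an arbitrary label chosen for this example (assumption).
make_sig() {
    n=${3:-16}
    hex=$(first_hex "$1" "$n")
    # Refuse short files: a truncated signature would match unrelated data.
    [ "${#hex}" -eq $((n * 2)) ] || { echo "need $n bytes in $1" >&2; return 1; }
    printf '%s 0 0x%s\n' "$2" "$hex"
}

# same_header BACKUP CANDIDATE [N]: succeed if both files start with the
# same N bytes; use it to triage carved files before trying to mount one.
same_header() {
    n=${3:-16}
    [ "$(first_hex "$1" "$n")" = "$(first_hex "$2" "$n")" ]
}

# Constructed sample: the 16 bytes from the posted hexdump, plus filler.
make_sample() {
    printf '\350\217\232\014\304\337\176\316\255\103\207\350\165\175\217\072filler' > "$1"
}

# Demo on the constructed sample; on a real system, pass the backup path.
tmp=$(mktemp -d)
make_sample "$tmp/container"
make_sig "$tmp/container" tc 16
rm -rf "$tmp"
```

Append the printed line to photorec.sig in the directory PhotoRec is started from (or to .photorec.sig in the home directory) and enable the custom entry under File Opt. The signature only matches if the volume header has not been rewritten since the backup was made, for example by a password change.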
- Posts: 1
- Joined: 15 Mar 2014, 16:18
I also am attempting to resurrect a truecrypt volume from a flash drive which no longer is responding, so I will be curious to know if either of you have been able to write a custom signature to extract the volume as cgrenier suggested. I've been impressed with the amount of old files photorec has dug up and recovered on the bad flash drive, and I wish I could get it to do the same for my TC volume! I have a backup copy of my old truecrypt volume to create a custom signature, but I have to admit I am a novice when it comes to code and knowing what "hexadecimal values" are and how to place them in a custom signature. Any documentation as to how anyone successfully created a custom TC hexadecimal value signature and then used it to extract a TC volume would be greatly appreciated!!!
- Posts: 3
- Joined: 26 Feb 2014, 03:14
If you have a backup copy of the TQ container you should be able to copy that backup to another drive and install the container with the same password used to encrypt the data. After all, the TQ container is a file that complies with the same parameters (except for not having an extension) as any other file, with the exception that the file cannot be read until it is installed, but it can be copied to other media and installed from that secondary media, including CD/DVD.
You could install the backup copy BUT I would never mess with any backup file - better to copy the backup and then do your magic to view the data. You might also be able to use TestDisk to find the file and recover the file intact after using the "List" function. It does take time though - a LOT of time. The time can be shortened considerably if you start TestDisk from the drive that you will use to receive the copy of the TQ file. You could also shorten the time by selecting "No Record". That may be an incorrect 'name' but I have found that, for large files/drives, the record is too large to be of any value to me. I have found that it is easier to restart the TestDisk program than to try to read the very large text file (one was over 30GB when recovering a 2TB failed drive).
I am also a novice and do not yet understand a lot of what goes into TestDisk but it is a very good program and you can end up with full files with all of the data associated with the file recovered. Photorec does a very good job of recovering files BUT the work involved with identifying the recovered files is very tedious as (from my limited experience) you do not recover anything but the file (without a name) and the extension.