jagomai n00b
Joined: 05 Jan 2008 Posts: 38
Posted: Thu Apr 03, 2008 1:25 pm Post subject: Recovering deleted TrueCrypt container from flash drive.
EDIT:
I've succeeded in recovering the container, however... The container can do the password authentication and be mounted, but all the data within it is scrambled, making it useless. :/
Hi,
I've recently moved a very important file into oblivion from my LG KG800 (Chocolate)... The device works as a normal flash pendrive when I plug it in, so I *hope* I can recover the file....
Is this possible, and is there any kind of native (and safe) software for this in Linux/Gentoo (preferably in portage)?
Thanks for the help! (I'll commit suicide if I don't get that file )
Last edited by jagomai on Fri Apr 04, 2008 10:28 am; edited 2 times in total
Quincy Apprentice
Joined: 02 Jun 2005 Posts: 201 Location: Germany
Posted: Thu Apr 03, 2008 3:06 pm
First you could copy an image using "dd" to your hard drive to save the current state.
I remember I used some sort of good working recovery software under Gentoo, but I don't remember the name.
gnomen n00b
Joined: 04 Sep 2005 Posts: 48
Posted: Thu Apr 03, 2008 4:05 pm
I have only good experience using app-forensics/magicrescue
Quote: | magicrescue - Scans a block device and extracts known file types by looking at magic bytes |
But how easy it is to use for you depends on what kind of file you need to recover. It uses "recipes" for each filetype. If there is no recipe for your filetype you have to write your own... And as the last poster points out, it is good advice to do all your work on a copied image and not on the actual device.
jagomai n00b
Joined: 05 Jan 2008 Posts: 38
Posted: Thu Apr 03, 2008 9:40 pm
Thanks a lot for the responses!
I dd:d the drive to my harddrive, but the rest was too complicated. But having dd:d it, I got the courage to unplug it and bring to my XP laptop.
The file I want to recover is a Truecrypt container.
When I try to mount the recovered container, all works well. If I enter the wrong password, I can't mount it - and it mounts fine according to Truecrypt with the correct password.
However, the container contains only garbled stuff. No sensible data whatsoever. Here's a snippet of what is inside the container when mounted at directory test/ :
ls -al test
Code: |
ls: cannot access test/têöp]`°w.ú?1: Input/output error
ls: cannot access test/s??-??&.àx¥: Input/output error
ls: cannot access test/û?t??4?î.¿?÷: Input/output error
ls: cannot access test/?f?å?±.w??: Input/output error
ls: cannot access test/{.?n?º.é?!: Input/output error
ls: cannot access test/?gos@à.?o: Input/output error
ls: cannot access test/^tòßéi.âù: Input/output error
... etc, it continues... And then I get these folders:
total 232144399
drwxr-xr-x 132 root root 16384 1970-01-01 01:00 .
drwxr-xr-x 18 local_user local_user 1088 2008-04-03 23:11 ..
-r-xr-xr-x 1 root root 94676759 2025-06-26 04:50 ¼_8??ysö.''?
-rwxr-xr-x 1 root root 3658541572 1954-10-03 00:31 ?"0?a?`?."?à
-r-xr-xr-x 1 root root 3816842437 1965-05-02 04:27 ½>??åc?i.??ü
d????????? ? ? ? ? ? ½?? ?_!.b??
d????????? ? ? ? ? ? ¼?ç?2÷?n.??ñ
-rwxr-xr-x 1 root root 537022258 2012-08-14 05:43 ??0?rö?º.?h?
d????????? ? ? ? ? ? 0(?s????.<~ä
-rwxr-xr-x 1 root root 3119619926 1927-10-14 12:25 ??µ?¼???.?sn
-r-xr-xr-x 1 root root 2338016620 1929-03-21 05:07 0ü|.??t
-r-xr-xr-x 1 root root 3724768159 1986-10-30 23:00 ½xïåæ?ä?.?)
d????????? ? ? ? ? ? £17²g?àï.}??
-rwxr-xr-x 1 root root 4278696019 2028-01-10 03:51 ?1???bÿ?.<?-
d????????? ? ? ? ? ? 1??f???&.4k?
d????????? ? ? ? ? ? ·1l?4?}û.ag\
d????????? ? ? ? ? ? 2¼v~?j?s.?s?
d????????? ? ? ? ? ? ??2£?d\?.z??
-r-xr-xr-x 1 root root 4206730102 1939-12-04 22:10 ?²kó?!i?.?<=
|
etc..
Has the header of the container remained good, while the data is garbled? Why?
Does it have anything to do with the recovery process, or is the file corrupt on the device? - How could I check this?
I tried a couple of Windows apps on a laptop to recover the data, both free and professional ones. They generated the same results, both on Gentoo and XP.
Anybody have ideas?
jagomai n00b
Joined: 05 Jan 2008 Posts: 38
Posted: Sat Apr 05, 2008 9:19 pm
Alright.
The container file was probably fragmented. The contents of the container were randomly generated keys, so I can't search for them using a HEX editor.
To get the container back I would have to link the parts of the container in the correct order, which is probably impossible - and if not so time-consuming that I wouldn't do anything else until I died.
So - BYE BYE ALL DATA!
Note to future: Don't remove your containers, and have more than one backup, at more than one place!
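Added example, not part of the original posts: because encrypted container data looks uniformly random, a per-cluster entropy scan of the recovered file can show whether a contiguous carve pulled in clusters belonging to other files, which is one way to check the fragmentation theory above. The 4096-byte cluster size, the 7.8 threshold and the sample data are assumptions made for this sketch.

```python
import hashlib
import io
import math
import sys
from collections import Counter

CLUSTER = 4096    # assumption: replace with the real cluster size of the FAT volume
THRESHOLD = 7.8   # assumption: random 4 KiB blocks measure about 7.95 bits/byte


def entropy(block: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def suspicious_clusters(stream, cluster=CLUSTER, threshold=THRESHOLD):
    """Return [(cluster_index, entropy)] for clusters that do not look like ciphertext."""
    hits, index = [], 0
    while True:
        block = stream.read(cluster)
        if len(block) < cluster:      # stop at end of file; a short tail is ignored
            break
        h = entropy(block)
        if h < threshold:
            hits.append((index, round(h, 2)))
        index += 1
    return hits


def constructed_sample(cluster=CLUSTER) -> bytes:
    """Constructed test data: 8 pseudo-random clusters, two replaced by foreign data."""
    def prng(i):  # SHA-256 in counter mode stands in for ciphertext
        return b"".join(hashlib.sha256(b"%d:%d" % (i, j)).digest()
                        for j in range(cluster // 32))
    clusters = [prng(i) for i in range(8)]
    clusters[3] = (b"PHOTO001JPG " * cluster)[:cluster]   # directory-like text
    clusters[5] = bytes(cluster)                          # zero-filled cluster
    return b"".join(clusters)


if __name__ == "__main__":
    # Pass the recovered container (a copy, never the device) as the first argument.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(constructed_sample())
    for idx, h in suspicious_clusters(src):
        print(f"cluster {idx} (offset {idx * CLUSTER:#x}): entropy {h} bits/byte")
```

A clean result does not prove the carve is intact: clusters from compressed files such as JPEG or MP3 are also close to 8 bits/byte and pass the threshold.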