Switch to full style
Anything related to computer forensics (new section!)
Post a reply

Newbie Q, truecrypt cock up

May 9th, 2017, 7:13

So I had (have?) a load of audio and video on a 2TB USB HD which was whole drive encrypted with truecrypt. It became full and I decided to reorganise the material, moving some of it to another drive of the same size. I mounted the original drive and then put a new single partition on what I thought was the new destination drive. I proceeded to copy 500GB of data into this partition. Only problem was I had actually copied it onto the original drive. Windows didn't complain (at all). Things became apparent when I tried to copy some other stuff on to the source drive at which point some windows process went full CPU and sat there for ages. I mirrored the drive with dd when I realised I'd made the mistake. I successfully mounted the corrupted volume (I guess truecrypt automatically picked up the backup keys at the end of the drive) and was faced with an unformatted drive. I used Wondershare to scan the drive in two different modes, a partition scan which found 250GB worth of files with filenames, and a raw scan which found 1500GB worth of material but no filenames and questionable boundries. The files on the disk will be a limited set of types (w64,h264,avi (with h264),avi (with mjpeg),flac,mov(with h264),mp4) and all files either very large or huge. How good is Wondershare ? I've used its predecessor (GetBackData) before, with success, but in much simpler scenarios. Is there something with a little more control that would allow me to inspect directory information and enter custom file headers ? As an archive drive, it is very likely that there will be zero fragmentation, can I use this to my advantage ?
Many thanks in advance,
Bruce.
Post a reply