Decrypting TrueCrypt locked Files
Posted: October 31st, 2024, 11:09
My sister had all her PSD files backed up with OneDrive. She deleted them from OneDrive and then found that they were no longer on her PC either. She had BitLocker on and, before contacting me, decided to try her own recovery, in which she decrypted the whole drive first.
She has an M.2 drive that comes up as WDC PC SN730 SDBPNTY-512G-1101. The actual drive showed a bunch of fragmented partitions before creating an image. I ended up creating a byte-to-byte image in R-Studio and giving her back her drive a few days after I found her files (DMDE partitions image attached).
I found them coming up as having just been recent Recycle Bin deletions, file integrity looking great. The issue is that the files that got recovered didn't decrypt with the rest of the drive and show as having TrueCrypt on them. I tried her drive in Hasleo and got prompted for her BitLocker key (we have it), but then nothing came up after scanning for hours. ChatGPT suggested that we re-encrypt the drive and then try the first key on unlocking the drive before attempting to decrypt the whole drive again... The issue is that just trying to put the target recovery files back on her drive in an attempt to do that has them just disappear. I read this might be due to metadata from OneDrive or that they might come up as hidden system files, but neither of these cases let them reappear on her machine after removing OneDrive and editing the view permissions.
It's a strange case for me and I feel like I'm really tiptoeing around, hoping not to do something that'll make the situation worse. I figured there has to be a solution somehow to maybe just encrypt the image with her old key and then try to decrypt it, since apparently hoping to decrypt the files rather than a whole volume is out of the question. I'm not really trusting ChatGPT on this. If anyone knows of any such solution, it would be greatly appreciated, and I'm more than happy to provide additional information that may be needed in getting this figured out.