Dear Truecrypt community,
I need help.
I had a truecrypt file of all my passwords (and many other important documents), all private pictures and videos. passport copies, scan of immigration documents, everything. The file is corrupt and I don't have a back up.
Yes I know. Why did I not have a back up? I thought NAS Synology is backing up the file. But with the way it is deleted, it can not be restored normally.
We have tried many things to restore it and spent hours on end, bought X different undelete and byte search softwares, with no success yet. I am looking for an experienced developer to fix this issue and I will gladly pay for it.
Below is a more technical description of the problem.
I hope you will hear me an I am looking forward to hearing from you.
There was a 15GB TrueCrypt Container File on a NAS.
Connected to the NAS remotely using WebDrive (WebDAV Client). Then I wanted to access the TrueCrypt Container File, but noticed the 15GB download you take too long time and therefore canceled the download.
Back from vacation, I wanted to open my TrueCrypt container file but it was missing on the NAS.
I performed a file search on the NAS but could not find the TrueCrypt Container file.
On my laptop, I found a "copy" of the TrueCrypt Container File in the "backup" located in the WebDrive installation directory. I was able to mount this container file, but the content (except for the the root folder) is mostly corrupt / incorrect. (see attached screenshots). Lets call this file "TC_invalid_container"
At this point I removed one of the two harddrives from my NAS (RAID 1 mirroring) and inserted it into a IcyBox USB enclosure.The HD has a size of 6TB, of which about half is filled with data
I then opened "TC_invalid_container" using WinHex and looked at the content. I had the following results:
Bytes 0 to 280'772'607 are non-zero - lets call this "section 1"
Bytes 280'772,608 to 15'872'155'647 are zero - section 2
Bytes 15'872'155'647 to 15'872'156'159 are non zero again - section 3
The header of the TrueCrypt container is 512 bytes long. (https://andryou.com/truecrypt_orig/docs/volume-format-specification/) Using WinHex, I searched the entire HD for the 512 byte long header. This search ended negative.
Next, I searched the last 128 bytes of "section 1" This returned a match on the HD. Unfortunately, also on the HD there is a long section containing only zeros (0) after this byte sequence. Comparing Section 1 to the relative equivalent location on the HD (based on the positive search result), only the last 37'502'975 bytes of section 1 are also on the HD.
Due to the long section filled with zeros, I assume the True Crypt Container File was fragmented on the HD. Is there are feasible way to reconstruct the the fragments or is this information lost when the filesystem deleted the TrueCrypt container file?
I have tried mounting the HD in an ubuntu machine (the filesystem is of type ext4), but this fails, I don't remember the exact error but something along the lines that the RAID drive is active.
In general, the difficulty is that the True Crypt container files just appears as random data, so it is not possible to search for a specific file type. One other option I though of was to search for all known file types, and anything not identified would be part of the True Crypt container. Of course, if these "unknown" parts are in separate segments, it wold be a guessing game to reassemble them in the correct order. Hence, any way to retrieve the fragmentation information from the filesystem would be helpful.