
This tutorial explains how to use hunt to locate and recover deleted and/or damaged TrueCrypt containers.

These techniques will help you locate the containers, but to open them you will require either the password or a memory dump containing the container keys.

Example #1 – a container in unallocated space

The example was generated by creating an NTFS volume, placing the target TrueCrypt container inside the volume, and then reformatting the volume with NTFS again.

This is a contrived example. There are no other files to cause confusion, there is no fragmentation of the container, and none of the TrueCrypt container has been overwritten. It is possible to simply extract the container just by looking at the image and finding the large section of high entropy data. Nevertheless, this should help provide the basic understanding of the process.

This tutorial talks about sectors and assumes that they are always 512 bytes in size. When you see the word sector, think 512 bytes of data.

Download the example image here.

MD5 checksum:    f45df1f19969cc9007d11ce742a5f0ad
SHA1 checksum:   c5e66174a9b6930138f0918171bcca51ed0a88ed

How hunt locates the container

Before running hunt it is important to understand how hunt locates the container.

It provides two options:

  • A brute force approach for testing all sectors of the image. This is extremely slow and is only useful if you have already extracted what you think is a TrueCrypt header.
  • A chain approach where it looks for sequential sectors of high entropy data.

This tutorial only discusses the chain approach.

The diagram below shows the entropy (Shannon entropy) of each sector on the disk. We can see a large section of high entropy data from around sector 27701 to around 48476. This is the container. By looking for sections of continuous high entropy we can target the likely locations of TrueCrypt headers. By checking only the sectors around 27701 and 48476 we need to test just a small number of sectors, which matters because every check takes some time, particularly for VeraCrypt headers.

entropy-diagram

You are not required to do any of this work yourself. hunt will calculate the entropy and do this targeting for you. This section is just explaining what is happening.

A few warnings. There will, of course, be other sections of high entropy on a normal disk. Files such as compressed images or zip files will themselves have high entropy. The time wasted by attempting to decrypt these can be avoided by using a high sector chain count. This works because containers are typically quite large and should stand out against these other files.

It is possible to create a container with low entropy and with smaller sections of high entropy. This happens if the ‘dynamic’ option is chosen when creating the container. If this is the case, you need to look for the header itself, which is only 256 sectors in size. This will cause many more false positives, as other files with high entropy may be this small.
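The chain approach described above, as an added Python example (not hunt's own code): it computes the Shannon entropy of every 512-byte sector and reports runs of consecutive high-entropy sectors that meet a minimum chain length. The 7.0 bits/byte threshold, the function names and the sample image are assumptions made for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512       # the tutorial's fixed sector size
THRESHOLD = 7.0    # bits per byte; assumed cut-off, not hunt's actual value


def sector_entropy(sector: bytes) -> float:
    """Shannon entropy of one sector in bits per byte (0.0 to 8.0)."""
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())


def find_chains(image: bytes, min_chain: int, threshold: float = THRESHOLD):
    """Return (start_sector, length) for every run of at least min_chain
    consecutive sectors whose entropy is >= threshold."""
    chains, start = [], None
    total = len(image) // SECTOR       # a trailing partial sector is ignored
    for i in range(total + 1):         # the extra pass flushes a run at end of image
        high = i < total and sector_entropy(
            image[i * SECTOR:(i + 1) * SECTOR]) >= threshold
        if high and start is None:
            start = i
        elif not high and start is not None:
            if i - start >= min_chain:
                chains.append((start, i - start))
            start = None
    return chains


def build_sample_image() -> bytes:
    """Constructed image: 100 zero sectors, a 40-sector compressed-looking
    file, 50 text sectors, a 300-sector 'container', 20 zero sectors."""
    rng = random.Random(1)

    def rand(sectors: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR))

    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR]
    return (bytes(100 * SECTOR) + rand(40) + text * 50
            + rand(300) + bytes(20 * SECTOR))


if __name__ == "__main__":
    img = build_sample_image()
    # A chain count of 256 reports only the container-sized run...
    print(find_chains(img, min_chain=256))
    # ...while a low chain count also reports the small high-entropy file.
    print(find_chains(img, min_chain=32))
```

With a low chain count the 40-sector file becomes a candidate as well, which is the false-positive cost the warnings above describe.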

Running hunt

For this example hunt is called with the following command:

hunt example.001 password --chain=256

The options are as follows:

  • example.001 – this is the filename of the example dd image
  • password – this is the password for the container
  • chain=256 – this is the minimum size of the chain that hunt will look for

hunt will look like this when it is run. It starts by calculating the entropy of each sector in the image. It will then locate chains of high entropy. Once these chains have been located it will begin testing sectors looking for valid headers.

We can see that it started checking at sector 28152 and found a fully valid header at sector 28160. This whole process took less than a minute and is much faster than using brute force to test every sector in the image.

cmd-example

The headers that have been located are also saved into a text file named results.txt. In this example, two headers were located. This is expected as each container will have a normal header and a backup header. Looking at the decrypted headers we can see that they are identical. Please note that they will appear different on the disk as they are encrypted with different salts.

Sector 28160: Fully valid header found
    Hash Option: ripemd
    Crypto Option: ['aes']
    Password: password

Decrypted Header:
0000  54 52 55 45 00 05 07 00 2e c2 dd d8 00 00 00 00   TRUE............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0030  00 02 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0040  00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 b1 2d f8 8c   .............-..
00c0  f3 00 d5 78 08 30 66 2f 17 99 08 27 28 17 c2 20   ...x.0f/...'(..
00d0  b7 2e 9a 14 79 da 01 77 63 98 37 af 75 da 95 41   ....y..wc.7.u..A
00e0  93 1f f6 7e 13 d3 b3 c5 de f2 2f cc 00 b5 98 b9   ...~....../.....
00f0  77 55 00 d4 5b b4 e4 7c 77 7e 5e 65 a3 ec 32 c3   wU..[..|w~^e..2.
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Sector 48384: Fully valid header found
    Hash Option: ripemd
    Crypto Option: ['aes']
    Password: password

Decrypted Header:
0000  54 52 55 45 00 05 07 00 2e c2 dd d8 00 00 00 00   TRUE............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0030  00 02 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0040  00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 b1 2d f8 8c   .............-..
00c0  f3 00 d5 78 08 30 66 2f 17 99 08 27 28 17 c2 20   ...x.0f/...'(..
00d0  b7 2e 9a 14 79 da 01 77 63 98 37 af 75 da 95 41   ....y..wc.7.u..A
00e0  93 1f f6 7e 13 d3 b3 c5 de f2 2f cc 00 b5 98 b9   ...~....../.....
00f0  77 55 00 d4 5b b4 e4 7c 77 7e 5e 65 a3 ec 32 c3   wU..[..|w~^e..2.
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

At this point we know where the headers are and could simply export the data. However, it is good practice to parse the header and verify our findings. The simplest way to do this is to use the ‘dump.py’ example. Hunt will extract the sectors that are likely to be headers to separate small dd files, in this case, PS28160.dd and PS48384.dd. The names show that they came from physical sectors 28160 and 48384 respectively.

The command is simply dump.py PS28160.dd. You will then be prompted for the password. This will dump the raw header and then the extracted values for convenience.

cmd-dump

The extracted values for this example are:

Magic : TRUE
HdrVersion : 5
MinProgVer : 7
CRC : 784522712
Reserved :                 
HiddenVolSize : 0
VolSize : 10223616
DataStart : 131072
DataSize : 10223616
Flags : 0
SectorSize : 512
Reserved2 :                                                                                                                         
CRC3 : 2972579980
Keys : 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

In this example, we are interested in DataStart and DataSize. We will use them to check that the backup header was found in the right location, which will help us know that the file is not fragmented.

To check this the formula we need is:

header_location + ((DataStart + DataSize) / 512) = backup_location

Which for this example is:

28160 + ((131072 + 10223616) / 512) = 48384

48384 is the correct location for the backup header that was located. Therefore we can be reasonably confident that we have located the entire container and there is no fragmentation. If this formula does not point to the backup header then further work will be required; this is not covered here. We can now extract the entire container and open it with TrueCrypt. dd is one of the many tools that could do this. The dd command for this example is:

dd if=example.001 of=recovered.tc bs=512 skip=28160 count=20480

cmd-dd

The resulting container can then be opened in TrueCrypt.

cmd-dd

Once mounted we can use the container in the normal way:

tc-mounted

We can see it simply contains a single image file:

file.bmp

Example #2 – a damaged container

This example was created as follows:

  • creating a FAT volume
  • placing the container on it (password is password)
  • reformatting the FAT volume
  • copying some images into the FAT volume

This means that the header of the container has been overwritten by the images. In order to recover this container, we'll need to locate the backup header and work out where the start of the container should have been.

Download the example2 image here.

MD5 checksum:    3ed9e673027fa14719b00a42bfcef141
SHA1 checksum:   a5293105c3fae92168546c493e76ed1547cab117

Locating the backup header

Looking at the FAT volume we can map out the layout of the files. The layout of the first 1024 sectors is shown below. The process for creating this map is not detailed here; the map is for explanatory purposes.

diagram-files.png

We can now use hunt to try and locate some headers. hunt is called in exactly the same way as before:

hunt example2.001 password --chain=256

In this instance, only one header was located at sector 20496.

Sector 20496: Fully valid header found
    Hash Option: ripemd
    Crypto Option: ['aes']
    Password: password

Decrypted Header:
0000  54 52 55 45 00 05 07 00 2e c2 dd d8 00 00 00 00   TRUE............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0030  00 02 00 00 00 00 00 00 00 9c 00 00 00 00 00 00   ................
0040  00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 b1 2d f8 8c   .............-..
00c0  f3 00 d5 78 08 30 66 2f 17 99 08 27 28 17 c2 20   ...x.0f/...'(..
00d0  b7 2e 9a 14 79 da 01 77 63 98 37 af 75 da 95 41   ....y..wc.7.u..A
00e0  93 1f f6 7e 13 d3 b3 c5 de f2 2f cc 00 b5 98 b9   ...~....../.....
00f0  77 55 00 d4 5b b4 e4 7c 77 7e 5e 65 a3 ec 32 c3   wU..[..|w~^e..2.
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

At this point, we cannot be sure if this is a normal header or a backup header. A quick check is to look at the sector that would immediately follow the header. This would be 256 sectors after the header. For this example this would be 20496 + 256 = 20752. Looking at sector 20752 we can see that it is not highly random like we would expect from a container. Therefore we can make the assumption that we have located the backup header.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00A22000   2E 20 20 20 20 20 20 20  20 20 20 10 00 0E 57 38   .             W8
00A22010   67 4C 67 4C 00 00 58 38  67 4C 02 28 00 00 00 00   gLgL  X8gL (    
00A22020   2E 2E 20 20 20 20 20 20  20 20 20 10 00 0E 57 38   ..            W8
00A22030   67 4C 67 4C 00 00 58 38  67 4C 00 00 00 00 00 00   gLgL  X8gL      
00A22040   44 45 53 4B 54 4F 50 20  49 4E 49 26 18 0E 57 38   DESKTOP INI&  W8
00A22050   67 4C 67 4C 00 00 58 38  67 4C 03 28 81 00 00 00   gLgL  X8gL (    
00A22060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22070   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A220F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22120   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22150   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22180   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A22190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00A221F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   

Using dump.py we are able to parse the header that has been located.

Magic : TRUE
HdrVersion : 5
MinProgVer : 7
CRC : 784522712
Reserved :                 
HiddenVolSize : 0
VolSize : 10223616
DataStart : 131072
DataSize : 10223616
Flags : 0
SectorSize : 512
Reserved2 :                                                                                                                         
CRC3 : 2972579980
Keys : 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

We can use this to work out where the normal header would have been located using the following formula.

backup_location - ((DataSize / 512) + 256) = header_location

For our example this is 20496 - ((10223616 / 512) + 256) = 272. If we go to sector 272 we can see the issue: the header has been overwritten by a PNG. This explains why hunt wasn't able to recover it.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00022000   89 50 4E 47 0D 0A 1A 0A  00 00 00 0D 49 48 44 52   ‰PNG        IHDR
00022010   00 00 01 72 00 00 01 80  08 06 00 00 00 B0 7E E9      r   €     °~é
00022020   1B 00 00 00 01 73 52 47  42 00 AE CE 1C E9 00 00        sRGB ®Î é  
00022030   00 04 67 41 4D 41 00 00  B1 8F 0B FC 61 05 00 00     gAMA  ±  üa   
00022040   00 09 70 48 59 73 00 00  1D 87 00 00 1D 87 01 8F     pHYs   ‡   ‡  
00022050   E5 F1 65 00 00 2E B6 49  44 41 54 78 5E ED DD 2D   åñe  .¶IDATx^íÝ-
00022060   7B F2 3A 1C C7 F1 BD 8B  4A E4 E4 24 12 89 44 4E   {ò: Çñ½‹Jää$ ‰DN
00022070   22 91 48 5E 02 12 39 89  44 22 91 48 24 12 59 89   "‘H^  9‰D"‘H$ Y‰
00022080   AC AC FC 9F A4 4D FA 98  94 52 38 BB 09 FB 7E AE   ¬¬üŸ¤Mú˜”R8» û~®
00022090   2B D7 B9 0F 5B 47 1F D2  5F D3 34 6D 3F C4 E1 B4   +×¹ [G Ò_Ó4m?Äá´
000220A0   FE 90 8F 8F 0F 99 ED AE  E6 13 00 C0 BF 72 DD CD   þ    ™í®æ  À¿rÝÍ
000220B0   B2 4C FE 58 9F CC 27 75  04 39 00 BC 38 82 1C 00   ²LþXŸÌ'u 9 ¼8‚  
000220C0   02 47 90 03 40 E0 08 72  00 08 DC CD 20 B7 A1 DD    G  @à r  ÜÍ ·¡Ý
000220D0   B7 B4 C2 FD BA 93 99 E3  F7 6C F1 1F 0C AE B2 9B   ·´Âýº“™ã÷lñ  ®²›
000220E0   B9 A7 C9 CA 6C A7 7E C3  AD 7B 9E D7 E2 5E 54 E5   ¹§ÉÊl§~í{ž×â^Tå
000220F0   B4 76 FC 7E 59 3C EB 48  09 68 5E 43 DA 1E 7F A1   ´vü~Y<ëH h^CÚ  ¡
00022100   EE 0C 5E 46 EA CE 5F DD  97 8B D0 EE 5B D4 1F 20   î ^FêÎ_Ý—‹Ðî[Ô  
00022110   C8 2B 25 E4 8D 5F 20 C8  DF 64 7B 50 77 FE EA BE   È+%ä _ Èßd{Pwþê¾
00022120   3C 28 C8 CD B4 35 76 86  BB 2A 19 00 E0 77 D0 47   <(ÈÍ´5v†»*  àwÐG
00022130   0E 00 81 23 C8 01 20 70  04 39 00 04 8E 20 07 80      #È  p 9  Ž  €
00022140   C0 0D 0A 72 00 40 38 08  72 00 08 1C 41 0E 00 81   À  r @8 r   A   
00022150   23 C8 01 20 70 04 39 00  04 8E 20 07 80 C0 11 E4   #È  p 9  Ž  €À ä
00022160   00 10 38 82 1C 00 02 47  90 03 40 E0 08 72 00 08     8‚   G  @à r  
00022170   1C 41 0E 00 81 73 06 B9  BD AF 9F 67 AD 00 C0 0B    A   s ¹½¯Ÿg­ À
00022180   B0 2F A7 B8 E7 59 2B 04  39 00 BC 10 82 1C 00 02   °/§¸çY+ 9 ¼ ‚   
00022190   47 90 03 40 E0 08 72 00  08 1C 41 0E 00 81 23 C8   G  @à r   A   #È
000221A0   01 20 70 04 39 00 04 8E  20 07 80 C0 11 E4 00 10     p 9  Ž  €À ä  
000221B0   38 82 1C 00 02 47 90 03  40 E0 08 72 00 08 1C 41   8‚   G  @à r   A
000221C0   0E 00 81 23 C8 01 20 70  04 39 00 04 8E 20 07 80      #È  p 9  Ž  €
000221D0   C0 11 E4 00 10 38 82 1C  00 02 47 90 03 40 E0 08   À ä  8‚   G  @à
000221E0   72 00 08 1C 41 0E 00 81  23 C8 01 20 70 04 39 00   r   A   #È  p 9
000221F0   04 8E 20 07 80 C0 11 E4  00 10 B8 21 41 0E 00 08    Ž  €À ä  ¸!A   

Based on the information we have now we can map out where the TrueCrypt container would have been on the disk. Note this is just for explanatory purposes. If we compare this to the current mapping we can see that the images have overwritten most of the header but thankfully the volume data is intact.

Note that even if parts of the volume data have been overwritten we are still able to decrypt them. It just makes the recovery of data within the container more difficult.

diagram-truecrypt.png

Using dd we can extract the container. For this example the command is:

dd if=example2.001 of=recovered.tc bs=512 skip=272 count=20480
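The header check from Example #1 and the backup-header calculation from Example #2, as one added Python example (not hunt's or dump.py's code): it parses the size fields from the decrypted header shown on this page, applies both location formulas and derives the dd parameters. The field offsets are read off the dumps above, and the function names and the count derivation (header area + data + backup header area) are assumptions made for illustration.

```python
import struct
from collections import namedtuple

SECTOR = 512
HEADER_SECTORS = 256   # the 256 in the tutorial's formula (DataStart / 512 here)

# Big-endian layout of the decrypted header: magic, 24 skipped bytes
# (versions, CRC, reserved), four 64-bit sizes, flags, sector size.
_LAYOUT = struct.Struct(">4s24xQQQQII")
Header = namedtuple(
    "Header", "magic hidden_size vol_size data_start data_size flags sector_size")

# First 0x44 bytes of the decrypted header printed on this page
# (identical in all three dumps).
PAGE_HEADER = bytes.fromhex(
    "54525545000507002ec2ddd800000000" "00000000000000000000000000000000"
    "0000000000000000009c000000000000" "0002000000000000009c000000000000"
    "00000200")


def parse_header(decrypted: bytes) -> Header:
    """Extract the size fields and reject anything the formulas cannot handle."""
    hdr = Header(*_LAYOUT.unpack_from(decrypted))
    if hdr.magic != b"TRUE":
        raise ValueError("not a decrypted TrueCrypt header")
    if hdr.sector_size != SECTOR:
        raise ValueError("the formulas assume 512-byte sectors")
    return hdr


def locate(found_sector: int, hdr: Header, found_is_backup: bool):
    """Apply the tutorial's formulas; return (header_sector, backup_sector)."""
    if found_is_backup:
        header = found_sector - (hdr.data_size // SECTOR + HEADER_SECTORS)
        if header < 0:
            raise ValueError("container would start before the image")
        return header, found_sector
    backup = found_sector + (hdr.data_start + hdr.data_size) // SECTOR
    return found_sector, backup


def is_contiguous(header_found: int, backup_found: int, hdr: Header) -> bool:
    """True when the backup header sits where the normal header predicts."""
    return locate(header_found, hdr, False)[1] == backup_found


def dd_command(image: str, out: str, header: int, backup: int) -> str:
    """Build the dd line; count covers everything through the backup header area."""
    count = backup - header + HEADER_SECTORS
    return f"dd if={image} of={out} bs={SECTOR} skip={header} count={count}"


if __name__ == "__main__":
    hdr = parse_header(PAGE_HEADER)
    # Example #1: both headers found, so confirm there is no fragmentation.
    print(is_contiguous(28160, 48384, hdr))
    # Example #2: only the backup header survives at sector 20496.
    start, backup = locate(20496, hdr, found_is_backup=True)
    print(dd_command("example2.001", "recovered.tc", start, backup))
```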

We can then open the container, however, we need to make sure to specify the backup header. If we do not we will get the following error:

truecrypt-error.png

Choosing to use the backup header in mount options will allow us to open the container.

truecrypt-mount-options.png

One slightly interesting note is that if we add the .png extension to the recovered container, most imaging tools will render it as a normal image without any issues.

truecrypt-png-header

Example #3 – an unallocated and fragmented container

TBA

Example #4 – deleted container with hidden volume

TBA
