Recovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com



Similar documents
Using TrueCrypt to protect data

New Technologies File System (NTFS) Priscilla Oppenheimer. Copyright 2008 Priscilla Oppenheimer

AlienVault. Unified Security Management x Offline Update and Software Restoration Procedures

Introduction to The Sleuth Kit (TSK) By Chris Marko. Rev1 September, Introduction to The Sleuth Kit (TSK) 1

Windows 7 Hard Disk Recovery

Ans.: You can find your activation key for a Recover My Files by logging on to your account.

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1

Introduction. This white paper provides technical information on how to approach these steps with Symantec Antivirus Corporate edition.

BackupAssist v6 quickstart guide

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

USB 2.0 Flash Drive User Manual

Practice Exercise March 7, 2016

Installing Ubuntu LTS with full disk encryption

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

1. Scope of Service. 1.1 About Boxcryptor Classic

User Guide Replica Automatic Backup System

MAC/OSX - How to Encrypt Data using TrueCrypt. v

BackupAssist v6 quickstart guide

Crystal Practice Management Encrypting the Database

Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Q&A. DEMO Version

Windows OS File Systems

Encrypting a USB Drive Using TrueCrypt

Backup and Recovery FAQs

Windows Offline Files

SFTP Server User Login Instructions. Open Internet explorer and enter the following url:

How To Restore An Org Server With Anor Backup For Windows (Oracle)

Seagate Manager. User Guide. For Use With Your FreeAgent TM Drive. Seagate Manager User Guide for Use With Your FreeAgent Drive 1

Intelligent disaster recovery. Dell DL backup to Disk Appliance powered by Symantec

2.8.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 16

NovaBACKUP. User Manual. NovaStor / May 2014

introducing COMPUTER ANTI FORENSIC TECHNIQUES

Selected Windows XP Troubleshooting Guide

PGP Portable Quick Start Guide Version 10.2

Acronis Backup & Recovery 11.5 Quick Start Guide

Encrypting the Private Files on Your Computer Presentation by Eric Moore, CUGG June 12, 2010

LAVASOFT FILE SHREDDER FILE SHREDDER

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Data Recovery Cable Quick Start Guide

USER MANUAL. v Windows Client January

TPM. (Trusted Platform Module) Installation Guide V2.1

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0

Introweb Remote Backup Client for Mac OS X User Manual. Version 3.20

Verbatim Secure Data USB Drive. User Guide. User Guide Version 2.0 All rights reserved

Wharf T&T Cloud Backup Service User & Installation Guide

USER MANUAL. v January

Windows BitLocker Drive Encryption Step-by-Step Guide

AlienVault Offline Key Activation

F-Secure Messaging Security Gateway. Deployment Guide

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

FORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres

Guide to Securing Microsoft Windows 2000 Encrypting File System

«Disaster Recovery» A DOM Restore Guide for Thecus NAS

EBSCO MEDIA FILE TRANSFER SOFTWARE INSTALLATION INSTRUCTIONS

AxCrypt File Encryption Software for Windows. Quick Installation Guide. Version January 2008

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Comodo Disk Encryption

Q. If I purchase a product activation key on-line, how long will it take to be sent to me?

User Guide. CTERA Agent. August 2011 Version 3.0

McAfee EETech for Mac 6.2 User Guide

UNDELETE Users Guide

LESSON 4 - FILE MANAGEMENT

Intel NUC. Installing Microsoft Windows* 7 from USB Flash Drives onto USB 3.0 Computers

Practical Methods for Dealing with Full Disk Encryption. Jesse Kornblum

Boot Camp Installation & Setup Guide

Lab: Data Backup and Recovery in Windows XP

How to enable Disk Encryption on a laptop

Tutorial How to upgrade firmware on Phison S8 controller MyDigitalSSD using a Windows PE environment

WinClon 6 User Guide. With Screenshots. A Windows Embedded Partner

How to Install Applications (APK Files) on Your Android Phone

Bare Metal Recovery Quick Start Guide

Retrospect 7.7 User s Guide Addendum

Zmanda Cloud Backup Frequently Asked Questions

Passware Kit User Guide

Encrypt USB Drive to Protect Data

Microsoft Diagnostics and Recovery Toolset 7 Evaluation Guide

SPECIALIST PRACTICE MANAGER

Motion Computing Tablet PC

NTFS Undelete User Manual

Clickfree Software User Guide

Solution domain. Cloud PC Backup Startingkit for users. Date 26/05/2015 Sensitivity Unrestricted Our reference V1.0 Contact

HP ProtectTools Embedded Security Guide


NovaBACKUP. User Manual. NovaStor / November 2011

Learn how to create web enabled (browser) forms in InfoPath 2013 and publish them in SharePoint InfoPath 2013 Web Enabled (Browser) forms

Acronis Backup & Recovery: Events in Application Event Log of Windows

Lab - Data Backup and Recovery in Windows XP

Backup and Disaster Recovery Restoration Guide

Puppy Linux Installation To a USB Flash Drive How to install Puppy Linux lupu Lucid to a Flash Drive

Full Disk Encryption Policy Reference

Acronis Backup & Recovery 11

Bellatrix CCM Sales Application User Manual

ScoMIS Encryption Service

Analysis of Evidence in Cloud Storage Client Applications on the Windows Platform

VERITAS NetBackup 6.0 Encryption

Transcription:

Recovery of deleted files on a TrueCrypt volume March 23, 2010 rationallyparanoid.com TrueCrypt is a well-known and widely used open source application used for encryption. However at the bottom of their lengthy FAQ is a very important note that some people may have missed: Do I have to "wipe" free space and/or files on a TrueCrypt volume? If you believe that an adversary will be able to decrypt the volume (for example that he will make you reveal the password), then the answer is yes. Otherwise, it is not necessary, because the volume is entirely encrypted. http://www.truecrypt.org/faq Does this mean that deleted files on an encrypted TrueCrypt volume can be recovered? The answer is yes with the condition that the TrueCrypt volume must be decrypted first. To demonstrate this we will be taking three images of decrypted TrueCrypt volumes: the first will be of an unused TrueCrypt volume, the second will be a TrueCrypt volume after files were copied to it, and the third will be a TrueCrypt volume in which files were deleted. We will then use The Sleuth Kit to see whether we can detect and recover any deleted files. Step I: Creation of TrueCrypt volume & imaging We begin by downloading & installing the latest version of TrueCrypt (currently 6.3a) onto a Windows XP computer. DD for Windows (http://www.chrysocome.net/dd) will be installed as well for acquiring the images. We start the TrueCrypt volume creation wizard and create an encrypted file container. This will be a 10 MB standard TrueCrypt volume using AES with SHA-512, and based on a FAT file system with a cluster size of 512 bytes. With the volume created we mount it to the X: drive by entering the TrueCrypt password for our encrypted volume, and once it is mounted we use dd for Windows to create an image of the entire X: drive called tc_x_unused.dd as shown below: C:\Documents and Settings\User\Desktop>dd.exe if=\\.\x: of=c:\tc_x_unused.dd rawwrite dd for windows version 0.5. Written by John Newbigin <jn@it.swin.edu.au> This program is covered by the GPL. See copying.txt for details 19968+0 records in 19968+0 records out We now have acquired an image of a decrypted, unused TrueCrypt volume (i.e. no files have been copied to it yet). We are doing this simply as a reference to compare against the other two images that we will be taking. The next step will be to copy some test files to the TrueCrypt volume and take an image of it. One will be a folder called Text Files featuring two simple files containing the following data: 1

text1.txt abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ text2.txt 0123456789 The other will be a JPEG image taken from Wikipedia's main page (http://www.wikipedia.org/) which we will rename to wikipedia.jpg before copying it over to the X: drive. Below is the final view of the X: drive after the files have been copied: Once the copying is completed we will unmount the volume and close TrueCrypt to confirm that everything was written to the volume and encrypted. We will now take our second image. We mount the volume again but this time to the Y: drive (this is done simply to distinguish each of our steps) and take another image using dd: C:\Documents and Settings\User\Desktop>dd if=\\.\y: of=c:\tc_y_used.dd rawwrite dd for windows version 0.5. Written by John Newbigin <jn@it.swin.edu.au> This program is covered by the GPL. See copying.txt for details 19968+0 records in 19968+0 records out Once this is done, we proceed to delete the Text Files folder by holding the shift key while pressing the delete key on the keyboard: 2

Note: In the process above, the file Thumbs.db was auto-created by Windows due to viewing the folder with the presence of the image file wikipedia.jpg. This will be shown shortly. We unmount the volume again confirming that the files were deleted and the volume encrypted. Then we mount it one last time to the Z: drive and take the last dd image: C:\Documents and Settings\User\Desktop>dd.exe if=\\.\z: of=c:\tc_z_deleted.dd rawwrite dd for windows version 0.5. Written by John Newbigin <jn@it.swin.edu.au> This program is covered by the GPL. See copying.txt for details 19968+0 records in 19968+0 records out We can now proceed to analyzing the results. Step II: Analysis We have three files to work with: tc_x_unused.dd: tc_y_used.dd: tc_z_deleted.dd: Image of TrueCrypt volume before it was used Image of TrueCrypt volume with Text Files folder and wikipedia.jpg copied to it Image of TrueCrypt volume with Text Files folder deleted Let's begin by using fsstat on tc_x_unused.dd to take a look at the file system information: user@linux:~$ fsstat tc_x_unused.dd FILE SYSTEM INFORMATION File System Type: FAT16 OEM Name: MSDOS5.0 Volume ID: 0xaf66229e Volume Label (Boot Sector): NO NAME Volume Label (Root Directory): File System Type Label: FAT16 Sectors before file system: 0 File System Layout (in sectors) Total Range: 0-19967 3

* Reserved: 0-1 ** Boot Sector: 0 * FAT 0: 2-79 * FAT 1: 80-157 * Data Area: 158-19967 ** Root Directory: 158-189 ** Cluster Area: 190-19967 METADATA INFORMATION Range: 2-316962 Root Directory: 2 CONTENT INFORMATION Sector Size: 512 Cluster Size: 512 Total Cluster Range: 2-19779 FAT CONTENTS (in sectors) This is a FAT16 file system, with the sector and cluster sizes both 512 bytes. The FAT contents show nothing present, and we can confirm that no files exist by using fls: user@linux:~$ fls -r tc_x_unused.dd user@linux:~$ There are no results as should be the case because this is the image of the unused volume. Now let us examine the second image: user@linux:~$ fsstat tc_y_used.dd FILE SYSTEM INFORMATION File System Type: FAT16 OEM Name: MSDOS5.0 Volume ID: 0xaf66229e Volume Label (Boot Sector): NO NAME Volume Label (Root Directory): File System Type Label: FAT16 Sectors before file system: 0 File System Layout (in sectors) Total Range: 0-19967 * Reserved: 0-1 ** Boot Sector: 0 * FAT 0: 2-79 * FAT 1: 80-157 * Data Area: 158-19967 ** Root Directory: 158-189 ** Cluster Area: 190-19967 METADATA INFORMATION Range: 2-316962 4

Root Directory: 2 CONTENT INFORMATION Sector Size: 512 Cluster Size: 512 Total Cluster Range: 2-19779 FAT CONTENTS (in sectors) 190-190 (1) -> EOF 191-191 (1) -> EOF 192-192 (1) -> EOF 193-214 (22) -> EOF The difference is that here we can see in the FAT contents that sectors 190 to 214 are allocated. We'll use fls to see what files and directories exist: user@linux:~$ fls -r tc_y_used.dd d/d 4: Text Files + r/r 517: text1.txt + r/r 518: text2.txt This shows the files and folder that we copied over. Nothing is deleted (nor should anything be deleted). Contrast this with the last volume: user@linux:~$ fls -r tc_z_deleted.dd d/d * 4: Text Files + r/r * 517: text1.txt + r/r * 518: text2.txt r/r 8: Thumbs.db The asterisks above show that the directory Text Files along with the files text1.txt, text2.txt are deleted. Also notice the creation of Thumbs.db which was created as a result of us browsing the drive with Windows explorer. The table below summarizes the results of fls: tc_x_unused.dd tc_y_used.dd tc_z_deleted.dd <no data> d/d 4: Text Files + r/r 517: text1.txt + r/r 518: text2.txt d/d * 4: Text Files + r/r * 517: text1.txt + r/r * 518: text2.txt r/r 8: Thumbs.db So the question is, can we recover the deleted files from tc_z_deleted.dd? The answer is yes, very easily, because the sectors for these deleted files have not been reused yet. We'll use icat to recover the deleted files: user@linux:~$ icat -r tc_z_deleted.dd 517 > text1.txt user@linux:~$ icat -r tc_z_deleted.dd 518 > text2.txt 5

Below we demonstrate that the contents of the files have been recovered: user@linux:~$ cat text1.txt abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ user@linux:~$ cat text2.txt 0123456789 So we can see how deleted files can easily be recovered from a decrypted TrueCrypt volume. Also notice that given the peculiarities of an operating system or application, it is possible for certain artifacts to be created (i.e. the Thumbs.db file) without your knowledge when viewing, creating, or modifying your data. To see a list of various Sleuth Kit commands along with examples of how they are used, see the guide at http://rationallyparanoid.com/articles/sleuth-kit.html 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information