2 Apr 2012

How to recover from a Truecrypt header crash

Recently, my TrueCrypt volume, in which I stored my audit reports and my beloved scripts I wrote to perform these audits, had an issue: when trying to mount it, I got the following error message:

$ truecrypt -k "" --protect-hidden=no work.tc workDir
Enter password for work.tc: 
Error: mount: /dev/mapper/truecrypt1: can't read superblock

I do not understand what exactly happened; maybe the unmount was not done properly? But this is not what this post is about...

As you might know, TrueCrypt is able to restore headers from a backup located inside the volume or from an external backup created with the --backup-headers parameter (which, of course, I had not created):
$ truecrypt -k "" --protect-hidden=no --restore-headers work.tc workDir
Please select the type of volume header backup you want to use:

1) Restore the volume header from the backup embedded in the volume
2) Restore the volume header from an external backup file

Select: 

Unfortunately, truecrypt was not able to recover the volume at this point.

I googled around but did not find anything to fix it; so this is my solution:

First of all, open the TrueCrypt volume without mounting its filesystem, so that the decrypted block device is exposed:
$ truecrypt -k "" --protect-hidden=no --filesystem=none work.tc
Enter password for work.tc: 
$ ls /dev/mapper/truecrypt1 
/dev/mapper/truecrypt1

The decrypted volume is now available as the device /dev/mapper/truecrypt1.

Then, foremost does a great job at recovering PDF and DOC files:
$ foremost -T -t pdf -t doc -t docx /dev/mapper/truecrypt1

After a while, the output_### directory contains three subdirectories (docx, doc and pdf) holding the recovered files. Of course, since the filesystem is broken, the original file names are lost.

As I mentioned previously, I put a lot of scripts (mostly Python) in this TrueCrypt container, and I really wanted to recover them.
A tedious approach would be to run strings over the decrypted container and grep the output for interesting files.

Having a look at the foremost man page, it appeared that it is possible to define a custom file header and footer. Fortunately, all my Python scripts start with the line
#!/usr/bin/env python
so it is easy to create a custom configuration file and run foremost over the decrypted volume:
$ cat > foremost.python.conf
py     y       20000   #!/usr/bin/env        #!/usr/bin/env        ASCII
$ foremost -t py -c foremost.python.conf -T /dev/mapper/truecrypt1

Eventually, the output_###/py directory contains a set of recovered Python source files. Of course, some cleaning has to be done to remove garbage code, to split merged files and finally to rename them, but it saved days of work!
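To make explicit what the custom foremost rule above is doing, here is an added example (not from the original post and not foremost's own code) that carves shebang-prefixed scripts out of a raw image with nothing but grep and POSIX tools: it locates every occurrence of the header, cuts each chunk at the next header or at the same 20000-byte ceiling, and writes one file per hit. It assumes the image is small enough to stream through tail/head and that every script of interest starts with the exact line "#!/usr/bin/env python"; the image built in the test is constructed. Chunks still carry whatever sat between the end of a script and the next header, which is exactly the garbage the post says must be cleaned up afterwards.

```shell
#!/bin/sh
# Added example: header-to-next-header carving of Python scripts from a raw
# block image, mirroring the custom foremost rule in the post.
# Assumption: scripts start with the exact header below and the image fits
# comfortably in memory for tail/head.

HEADER='#!/usr/bin/env python'
MAXSIZE=20000   # same size ceiling as the foremost rule

# list_offsets IMAGE: byte offset of every header occurrence, one per line.
# LC_ALL=C makes grep match bytes rather than choke on invalid UTF-8.
list_offsets() {
    LC_ALL=C grep -abo -F -- "$HEADER" "$1" | cut -d: -f1
}

# carve_at IMAGE START END OUTFILE: copy bytes [START, END) of IMAGE to OUTFILE.
carve_at() {
    tail -c +$(( $2 + 1 )) "$1" | head -c $(( $3 - $2 )) > "$4"
}

# carve_scripts IMAGE OUTDIR: one output file per header hit, named after the
# byte offset it was found at; prints the number of files carved.
carve_scripts() {
    img=$1; out=$2
    mkdir -p "$out"
    total=$(wc -c < "$img")
    n=0
    prev=''
    for off in $(list_offsets "$img"); do
        if [ -n "$prev" ]; then
            end=$off
            [ $(( end - prev )) -gt "$MAXSIZE" ] && end=$(( prev + MAXSIZE ))
            carve_at "$img" "$prev" "$end" "$out/$(printf '%08d' "$prev").py"
            n=$(( n + 1 ))
        fi
        prev=$off
    done
    # last hit: run to end of image or MAXSIZE, whichever comes first
    if [ -n "$prev" ]; then
        end=$total
        [ $(( end - prev )) -gt "$MAXSIZE" ] && end=$(( prev + MAXSIZE ))
        carve_at "$img" "$prev" "$end" "$out/$(printf '%08d' "$prev").py"
        n=$(( n + 1 ))
    fi
    echo "$n"
}

# Usage on the decrypted device from the post (read-only, never modifies it):
#   carve_scripts /dev/mapper/truecrypt1 ./recovered_py
```

Each carved file is named by its byte offset so that a hit can be cross-checked against the image with dd or a hex editor, and the device is only ever read, so the carve can be repeated with a different header or size ceiling without touching the evidence.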

Have phun!