Blog | G5 Cyber Security

Recovering Deleted Files from TrueCrypt/VeraCrypt

TL;DR

Generally, recovering files deleted from a TrueCrypt (now VeraCrypt) volume is very difficult and often impossible. Secure deletion features within the software are designed to prevent recovery. However, there are some limited scenarios where partial recovery might be possible, especially if you haven’t used the volume much since deleting the files.

Understanding Why Recovery Is Hard

TrueCrypt/VeraCrypt encrypts your entire volume. When you delete a file:

Standard file recovery tools work by finding remnants of file structures on a disk. Encryption makes these structures unreadable, and secure deletion removes them entirely.

Steps to Attempt File Recovery

  1. Stop Using the Volume Immediately: This is crucial! Any further writes to the volume significantly reduce your chances of recovery.
  2. Mount the Volume: Mount the TrueCrypt/VeraCrypt volume as you normally would. Do not defragment or perform any maintenance on it.
  3. Attempt Standard File Recovery Tools (First Attempt – Low Success Rate):
    Tools like PhotoRec, TestDisk, or Recuva might find some fragmented data. They won’t understand the filesystem structure within the encrypted volume, so recovery will be limited to identifying file types based on headers and footers.
    • PhotoRec: A powerful open-source tool for recovering lost files from various storage media. It ignores the filesystem.
      photorec /dev/sdXN

      (Replace /dev/sdXN with your volume’s device path – be very careful to select the correct drive!)

    • TestDisk: Can sometimes rebuild partition tables, but less useful for encrypted volumes.
      testdisk /dev/sdXN

      (Again, replace /dev/sdXN with your volume’s device path.)

    • Recuva: A user-friendly option. Select the mounted drive letter in Recuva.

    Expect mostly fragmented files or incorrect file names if anything is recovered at all.

  4. Check for Volume Headers (Advanced – Requires Technical Knowledge): If you know the exact start of the volume header, you might be able to create a raw image and attempt analysis.
    • dd: Use dd to create a bit-by-bit copy of the entire volume.
      sudo dd if=/dev/sdXN of=volume.img bs=4096 status=progress

      (Replace /dev/sdXN with your volume’s device path.)

    • Hex Editor: Open the image in a hex editor and look for known TrueCrypt/VeraCrypt header signatures. This requires understanding the internal structure of these volumes.
  5. Forensic Data Recovery Services (Last Resort – Expensive): Professional data recovery services that specialize in cyber security may have dedicated tools and techniques, but success is not guaranteed and the service can be very costly.
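The header/footer carving that step 3 relies on, and why it finds files only in the mounted (decrypted) view of a volume, shown as an added example that is not code from the original post. The sample image, the key and `toy_encrypt` (a SHA-256 keystream XOR standing in for the volume cipher, not the XTS mode VeraCrypt uses) are constructed for illustration.

```python
import hashlib

# Well-known header/footer magic bytes for two common file formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (type, offset, data) for every header..footer run in image."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((ftype, pos, image[pos:end]))
                pos = image.find(header, end)
            else:  # header without a footer in range: overwritten or fragmented
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.
    Only used to produce random-looking bytes offline; XOR makes it symmetric."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)

def build_sample_image() -> bytes:
    """Constructed sample: two 'deleted' files left in otherwise empty space."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" * 4 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpg + b"\x00" * 300 + png + b"\x00" * 512

if __name__ == "__main__":
    plain = build_sample_image()                      # what the mounted volume exposes
    cipher = toy_encrypt(plain, b"constructed-key")   # what the raw container holds
    print("mounted view :", [(t, off, len(d)) for t, off, d in carve(plain)])
    print("raw container:", [(t, off, len(d)) for t, off, d in carve(cipher)])
```

The carver recovers content only, with no file names or directory structure, which matches the limited results described in step 3.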

Important Considerations
