
Recover Deleted VeraCrypt Volume

Topics: Technical Issues
Aug 2, 2015 at 8:34 PM
Edited Aug 2, 2015 at 8:35 PM
I've got an interesting data recovery case I'm looking at for someone. Client accidentally deleted a VeraCrypt container from their HDD and wants to recover it. The password is known.

I realize VeraCrypt doesn't have any identifiable file signatures, so it can't be found using file carving like other file types. However, I'm wondering if, given that the password is known, there's a way to recover the file. Perhaps by encrypting the entire drive using the same password, and then scanning for files... I don't know. Or does it use a random key in conjunction with the pass (I assume it does)?

Any ideas?
Aug 2, 2015 at 11:29 PM
Try Google searching "deleted truecrypt file container" for ideas. It appears recovering a file container is a difficult task.

I would recommend cloning the drive using two target drives and performing all of your repair attempts on the one clone. This will allow you to start over by cloning the untouched clone drive to the other clone drive used for recovery.
Aug 2, 2015 at 11:45 PM
We are a professional data recovery lab (www.data-medics.com) so don't need the general advice about data recovery. Thanks!

I was hoping for some more specific details about VeraCrypt as I'm not familiar with it. Is it built on the same basic architecture as TrueCrypt? Does it use a randomly generated key stored in the container that is re-encrypted using the password? Is this key stored at the beginning or end of the file? Things like this. I'm just trying to figure out if there's even a possibility of working up a solution to find the lost file.
Aug 3, 2015 at 3:32 AM
"Is it built on the same basic architecture as TrueCrypt?"

Yes.

"Does it use a randomly generated key stored in the container that is re-encrypted using the password? Is this key stored at the beginning or end of the file?"

The password and/or keyfile(s) unlocks the header key which contains the encryption key used for the volume.

For file containers and non-system drives & partitions, the header key is stored in the front of the volume and the embedded backup header key at the end of the volume. Both the primary and backup header keys are not the same but are derived from the same password and/or keyfile(s).

From the documentation:

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

https://veracrypt.codeplex.com/wikipage?title=Encryption%20Scheme

https://veracrypt.codeplex.com/wikipage?title=Random%20Number%20Generator

https://veracrypt.codeplex.com/wikipage?title=VeraCrypt%20Volume%20Format%20Specification

I hope the above helps answer your questions.
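
Added example (not written by any poster in this thread, and not VeraCrypt's own code): since a container has no signature but is encrypted from its first byte, with the primary header at the front, one way to shortlist where a deleted container may begin is to find long block-aligned runs of high-entropy data in a drive image and then test each candidate with the known password. The 4096-byte block size, the 7.9 bits/byte threshold, the minimum run length and the sample image are assumptions constructed for this example; compressed files also score high, and a fragmented container shows up as several runs.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096       # assumed cluster size; adjust to the file system examined
THRESHOLD = 7.9    # bits per byte; assumed cut-off for "looks encrypted"
MIN_BLOCKS = 32    # assumed minimum run length worth reporting

def entropy(block):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_runs(image, block=BLOCK, threshold=THRESHOLD,
                      min_blocks=MIN_BLOCKS):
    """Return (start, end) byte offsets of block-aligned high-entropy runs."""
    runs, start = [], None
    nblocks = len(image) // block
    for i in range(nblocks + 1):          # one extra pass closes a trailing run
        hot = (i < nblocks and
               entropy(image[i * block:(i + 1) * block]) >= threshold)
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            if i - start >= min_blocks:
                runs.append((start * block, i * block))
            start = None
    return runs

def pseudo_random(n):
    """Constructed stand-in for ciphertext: SHA-256 over a counter."""
    chunks = (hashlib.sha256(i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

def sample_image():
    """Constructed image: 8 zero blocks, 64 'encrypted' blocks, 8 text blocks."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:BLOCK]
    return bytes(8 * BLOCK) + pseudo_random(64 * BLOCK) + text * 8

if __name__ == "__main__":
    for start, end in high_entropy_runs(sample_image()):
        print(f"candidate: bytes {start}-{end} ({(end - start) // BLOCK} blocks)")
```

Run it against a clone of the drive, never the original; each reported start offset is only a candidate for the primary header position.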
Aug 3, 2015 at 10:34 AM
Thanks! That does answer my overall question. Looks like the amount of work required to recover such a file while "possible" is not financially viable. I appreciate the quick response.

Thanks again.