Access partition as (unencrypted) block device

Topics: Technical Issues, Users Discussion
Jan 5, 2016 at 3:45 AM
Hi all,

Although I thoroughly searched old threads and found nothing for what I'm asking, if I missed something that answers any of my questions, feel free to link it.

Let me describe a scenario and then ask a few questions. These are some off-beat questions, and the scenario is even more so.

Imagine for a moment, if you will, a Veracrypt user running Linux Mint who created a large hidden volume, formatted NTFS, left it open for a long, long time, during which time he put a lot of things in it but also forgot the password to it, who decided that making a new volume was easier than remembering the old password, and having done so and having moved all the files to the new volume, found that Linux may not have successfully transferred all the files which are now absent from the first partition, which is now still open but empty. Notice that on the first partition nothing further has been done since the move operation, at which point the operating system simply marked all those files and folders as deleted, so that all the data is still there in the now deallocated space.

Imagine this user tries to use ntfsundelete to get those files back and to compare to find out what's missing and copy over with the other files. Since ntfsundelete uses block device level access, all it gets are the encrypted blocks of the raw /veracrypt1 block device, so it has no effect. It finds nothing, since it can't even recognize an NTFS volume there. (Giving it the mount folder has even less effect. It doesn't even try reading it since it's not a block device.)

Question: Is there a way to provide unencrypted block-level access to a Veracrypt hidden volume to a Linux program that accepts block device names (such as ntfsundelete)?

Question: Is there a way to do that previous task /without/ having to unmount the hidden volume and re-mount it in some other way?

Question: Is there a way to get Veracrypt itself to spit up (say, into a file image) an entire unencrypted volume that is already open and mounted -- the whole, exact image? (Obviously, if the user cares about this data remaining hidden, he'll have to purge the file, and probably the empty space on the volume it was put on, later. But that may just have to be to have something that can have ntfsundelete used on it.)

Much thanks.
Jan 6, 2016 at 12:10 PM
Assuming that what I wrote was too long to read...

Burning question: How does one use ntfsundelete on a Veracrypt NTFS hidden volume under Linux? Or, how could a user with an open Veracrypt NTFS hidden volume even simply view the unencrypted MFT of that volume? (That alone would be enough to solve my problem with some extra work on my part!)

Thanks for any help.
Coordinator
Jan 6, 2016 at 1:14 PM
Hi,

You can access the device associated with a mounted VeraCrypt volume on Linux through /dev/mapper/veracryptX. I think you used the filesystem path /media/veracryptX and that's why ntfsundelete didn't work.

Since VeraCrypt opens the device in exclusive mode, you would need to use the -f switch with ntfsundelete. For example: sudo ntfsundelete -f /dev/mapper/veracrypt6

Voilà voilà...I hope this will help.
Marked as answer by CodexHash on 1/6/2016 at 1:37 PM
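
Added example (not part of the thread, and not VeraCrypt's own code): a shell sketch of the distinction in the answer above. It resolves a mount directory to the block device behind it and checks that the device exposes a plaintext NTFS boot sector before handing it to ntfsundelete. The function names are hypothetical, and the mount table is assumed to be in /proc/mounts format with no spaces in the paths.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; run as root against a
# mounted volume, e.g.:  sh this_script.sh /media/veracrypt1

# dev_for_mount MOUNTPOINT [MOUNTS_FILE]
# Print the source device of MOUNTPOINT from a /proc/mounts-format table.
# The last matching line wins, since later mounts shadow earlier ones.
dev_for_mount() {
    mp=${1%/}                      # tolerate a trailing slash
    [ -n "$mp" ] || mp=/
    awk -v mp="$mp" '
        $2 == mp { dev = $1 }
        END { if (dev == "") exit 1; print dev }
    ' "${2:-/proc/mounts}"
}

# is_ntfs PATH
# True if bytes 3..10 of PATH hold the NTFS OEM ID ("NTFS" + 4 spaces).
# The decrypted mapper device passes; encrypted container data does not,
# which is why a tool reading ciphertext finds no NTFS volume.
is_ntfs() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "4e54465320202020" ]
}

# scan_deleted MOUNTPOINT
# Resolve the device, sanity-check it, then run ntfsundelete on it.
scan_deleted() {
    dev=$(dev_for_mount "$1") || { echo "not mounted: $1" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    is_ntfs "$dev" || { echo "no NTFS boot sector on $dev" >&2; return 1; }
    # -f is needed because the device is held open exclusively (see above)
    ntfsundelete -f "$dev"
}

# Only act when a mount point is given on the command line.
[ "$#" -eq 0 ] || scan_deleted "$1"
```
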
Jan 6, 2016 at 8:36 PM
Wow. That did it! I really was afraid that I was asking something impossible. Thanks a million!