Ubuntu Tutorials by KenTheFurry

January 10, 2010 | Featured Articles, Linux

Linux content has been lacking on the Anti-Forensics blog, which makes me sad. It happens that there has been an active member of the forum creating encryption tutorials for Ubuntu users. I’ve wanted to bring more attention to KenTheFurry’s hard work and research, as he is a very helpful individual.

KenTheFurry is a member of Team Infection and probably one of the nicest people you’ll ever meet in your entire life. I can only mention the work he has contributed to Anti-Forensics.com but this includes tutorials on creating encrypted CDs and DVDs, flash drives, and more.

Some of the Ubuntu contributions by Ken are listed below. Be sure to check out his YouTube channel for all of his uploaded videos and the anti-forensics forum for further contributions.

Create an Encrypted File System for /var/logs & /tmp Directories

Use an encrypted file system for log file and tmp directories to help prevent snooping when the system is powered down.

PDF Download Link

Ubuntu CD/DVD Encryption

Using CryptSetup on Ubuntu for optical media encryption.

PDF Download Link | Watch YouTube Video

Using CryptSetup from the Terminal to Encrypt Removable Media

An alternative to using Ubuntu’s device manager to encrypt removable media such as a flash drive.

PDF Download Link | Watch YouTube Video

Full Disk and Unidentifiable Encryption of Flash Drive

Fully encrypt external media such as a flash drive in a way that leaves no discernible header or strings.

PDF Download Link | Watch YouTube Video



4 Comments


  1. Is it possible to recover an encrypted system drive that has been slightly overwritten with dd if=/dev/zero? It was a Windows 7 system encrypted with Truecrypt.

    • If full disk encryption was in use then at this point that answer is likely no. Using dd and starting with the first sector, all of those bytes will equal 0x00 up until dd was terminated.

      The rest of the sectors should contain the remnants of the encrypted data.

      Best thing to do in this situation is use grep manually or a script to look for strings. I think WinHex Forensics Edition for Windows has a string parsing function. You can use scalpel and other data recovery methods as well to see if there is any unencrypted data.

  2. Yes, full disk encryption was in use, so there shouldn’t be any unencrypted data. The Truecrypt Rescue Disk can’t find any bootable partition and Testdisk can’t find any partition at all. I tried to restore the bootloader with the Truecrypt Rescue Disk but the right column of a hexeditor clearly states that there is a disk error and that the loader is damaged.

    There are a few 00 between line 190 and 1F0 but then there is data up until line 3780 where the 00 return.

    I guess this shows how it is even more important to back up your data when using encryption. Thank you Max.

    • If you have a large enough HDD and can make an image of the encrypted HDD, and you also have the recovery disk, it may be possible to recover your data.
      If you have a flavor of Linux you can get ddrescue to make an image of that HDD. From there you can try to use TrueCrypt's built-in restore. You say you used dd, so the MBR and file headers are more than likely messed up. But if you can find the key in your TC recovery disk and restore it, you can go in TrueCrypt and in the advanced options select do not mount. In there you can use photorec, testdisk, foremost, etc.
