
Let's say we have half of a TrueCrypt file container (e.g. download was interrupted). If we know the password, is it possible to open it and get half of the data? The original container has 10 files, so is it possible (in theory) to get 5 files?

That is, I would like to understand how the encrypted data is stored in the file container. Is the data stored consistently (file-by-file), or is all the data mixed (with any editing/adding/deleting of internal files)?

Addition. But what if we have only the second part of the file? (I mean we don't have the first 128 KiB of the file.) Am I right that we cannot get anything out of this (it will be absolutely useless data)?

Alex
  • 1
    I do not know the answer to the general question, which is very interesting, but you can look at the code of TestCrypt to understand if there is a way to recover a partial volume. http://testcrypt.sourceforge.net/ – robob Dec 29 '16 at 05:59

1 Answer

Sort of. You can decrypt it as long as you have more than 128 KiB of data downloaded, as that is the end of the header and backup header and where the actual filesystem starts. However, even if you successfully decrypt it, remember that the filesystem will be cut in half too, meaning it will be massively corrupted. Depending on the filesystem, you may be able to recover all the files if they were stored at the beginning of the filesystem (I believe FAT does this), or very few, if they were spread out evenly (like in XFS). Now, the volume won't mount due to the corruption, of course, so you'll have to use recovery tools. But as long as you have the header, and the password, your question becomes "Is it possible to recover half of the files on a filesystem if the other half is missing?".

https://andryou.com/truecrypt_orig/docs/volume-format-specification/

guest
  • But what if we have only the second part of the file? (I mean we don't have the first 128 KiB of the file.) Am I right that we cannot get anything out of this (it will be absolutely useless data)? – Alex Dec 29 '16 at 18:56
  • 1
    Some file systems put important metadata right in the middle of the file system (to optimize seek times). If such a file system is used it would make a major difference whether one had 49% of the image or 51%. – kasperd Dec 31 '16 at 11:07
  • 1
    @Alex As far as I recall if you create a TrueCrypt hidden volume the metadata for that will be stored at the end of the container. So it would in theory be possible to recover some data of a hidden volume if you only have the end of the container. – kasperd Dec 31 '16 at 11:10
  • 1
    @kasperd OK, as I understand it, this table has useful information: https://andryou.com/truecrypt_orig/docs/volume-format-specification/ Am I right that we cannot get anything out of the cryptocontainer if we don't have the first 128 KiB of metadata (up to the area for the hidden volume header) and the last 128 KiB (backup header)? – Alex Dec 31 '16 at 11:21
  • 1
    @Alex Taking a look at that link, I notice there are a few more details to it than I remembered. Both the normal header and the hidden volume header are at the start of the media, and there is a backup at the end of the media. That means that as long as you have one end of the file you can decrypt the data in the part of the file that you have. But making sense of the data that you have decrypted can be a lot of work if you don't have the corresponding file system metadata. – kasperd Dec 31 '16 at 11:36
  • @kasperd A later clarification. File size: 1024 KiB; we have the part of this file from 129 KiB up to 896 KiB (in other words: offset 128 KiB, size 768 KiB). Am I right that this part of the file will be absolutely unsuitable for decrypting? – Alex Dec 31 '16 at 15:02
  • 1
    @Alex Sounds like you have all of the encrypted data, but you are missing both the headers from the start of the file and the backup headers from the end of the file. When you are missing both copies of the header it sounds like there is little chance of doing anything useful with the encrypted data between them. The headers you are missing would contain both salt as well as encrypted master keys, which sounds like a showstopper. – kasperd Jan 01 '17 at 02:21
  • @kasperd "When you are missing both copies of the header it sounds like there is little chance of doing anything useful with the encrypted data between them" - LITTLE CHANCE == ALMOST NO CHANCE (in practice)? – Alex Jan 01 '17 at 21:25
  • 1
    @Alex Yes. If I understand the format description correctly there is practically no chance of decrypting anything from the range of data you say is available. – kasperd Jan 01 '17 at 21:27
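
The cases discussed in this thread (first half, second half, middle only) can be checked mechanically. The following is an added example, not code from the thread or from TrueCrypt: the function names are hypothetical, and the 64 KiB header slots, 512-byte header length and 512-byte data unit are assumptions taken from the linked volume format specification. It covers the outer volume only, because the extent of a hidden volume is stored inside its encrypted header.

```python
KIB = 1024
SLOT = 64 * KIB      # assumed: each header copy sits at the start of a 64 KiB slot
HEADER_LEN = 512     # assumed: salt plus encrypted key material
DATA_UNIT = 512      # assumed: data is encrypted in independent 512-byte units


def header_offsets(volume_size):
    """File offsets of the four header copies in a container of volume_size bytes."""
    return {
        "normal": 0,
        "hidden": SLOT,
        "backup_normal": volume_size - 2 * SLOT,
        "backup_hidden": volume_size - SLOT,
    }


def analyse_fragment(volume_size, frag_offset, frag_len):
    """Report which headers a fragment contains and which outer-volume bytes
    could be decrypted with the password (None if no usable header)."""
    frag_end = frag_offset + frag_len
    if volume_size < 4 * SLOT or frag_offset < 0 or frag_len < 0 or frag_end > volume_size:
        raise ValueError("fragment does not fit inside a valid container")
    headers = [name for name, off in header_offsets(volume_size).items()
               if frag_offset <= off and off + HEADER_LEN <= frag_end]
    # Outer-volume data lies between the two 128 KiB header areas.
    lo = max(frag_offset, 2 * SLOT)
    hi = min(frag_end, volume_size - 2 * SLOT)
    # Only whole data units decrypt; round the range inward.
    lo = -(-lo // DATA_UNIT) * DATA_UNIT
    hi = hi // DATA_UNIT * DATA_UNIT
    has_outer_key = "normal" in headers or "backup_normal" in headers
    span = (lo, hi) if has_outer_key and hi > lo else None
    return {"headers": headers, "decryptable": span}


if __name__ == "__main__":
    size = 1024 * KIB  # constructed sizes, matching the 1024 KiB case in the comments
    for label, off, length in [("first half", 0, 512 * KIB),
                               ("second half", 512 * KIB, 512 * KIB),
                               ("middle only", 128 * KIB, 768 * KIB)]:
        print(label, analyse_fragment(size, off, length))
```

A non-empty decryptable range only means the bytes can be turned back into plaintext sectors; recovering files from them still depends on which file system metadata falls inside that range.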