4

I have a TrueCrypt volume that's set as a file. When I mount the volume and delete a file within the container, Windows asks if I'd like to send the file to the recycle bin. While the volume is mounted I see the file in the recycle bin but when it is dismounted the file is gone.

Could the file I deleted be recovered by a 3rd party using digital forensic tools if they got hold of my hard drive? If yes, would the file be encrypted?

Julian

4 Answers

9

How does the Recycle Bin work?

When you delete a file from a hard drive the file is moved to a folder named $Recycle.Bin on the same drive. So when you delete the file D:\Work_Files\SuperWeirdPr0n.mp4 it's actually moved to D:\$Recycle.Bin. The main Recycle Bin "folder" is actually just the aggregation of the content from all $Recycle.Bin folders from all the disks you have available.

How does that apply to TrueCrypt volumes?

Well, pretty much the same. When you send a file from a mounted encrypted volume to the Recycle Bin, it won't leave the encrypted volume and it will stay "safe".

If it makes you feel better, just use Shift + Del.

Can your files be recovered by a 3rd-party?

Yes. Regardless of your Recycle Bin situation, it's highly likely that there's still some evidence of the file's existence somewhere and enough information to recover it. When you open files inside an encrypted volume, most programs will happily cache it somewhere else in an unencrypted format.

For more information on that, please check both answers in this question.

Adi
  • Ahh, that would explain why when I mount/unmount the file appears/disappears from the recycle bin. – Julian Mar 15 '13 at 09:30
  • @Adi Does that mean if someone wants to recover the WHOLE file it will be possible? Or it will recover only the name and some metadata? – Joao Miesler Apr 12 '16 at 11:01
  • @JoaoMiesler It's very difficult to tell. Some standalone applications (like installers) would move the whole content to the main `%Temp%` folder. Archivers (WinZIP, WinRAR, etc.) would move the content you're trying to access from the archive to `%Temp%`. Windows Vista and newer store thumbnails centrally (not in a local `thumbs.db` like XP) so that's already something. Word processors sometimes move recovery information to `%Temp%` that is enough to get the whole document. **So my safe opinion would be**: Don't do single-non-system-disk encryption if you want your files to remain safe. – Adi Apr 12 '16 at 13:04
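A way to audit for the plaintext copies described in the answer and comments above, added here as an example and not part of the original thread: it indexes the content of files on the mounted volume in 4 KiB blocks and reports files in unencrypted locations (the system temp folder by default) that share at least half of their blocks with a volume file. The function names, block size and threshold are assumptions made for this sketch, and the scan locations are assumed not to overlap the volume itself.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed comparison granularity: aligned 4 KiB blocks

def block_hashes(path):
    """Yield the SHA-256 of each block of a file, skipping all-zero blocks."""
    try:
        with open(path, "rb") as fh:
            while block := fh.read(CHUNK):
                if block.strip(b"\0"):
                    yield hashlib.sha256(block).digest()
    except OSError:
        return  # locked or unreadable file: nothing to compare

def walk(root):
    """Yield the path of every file below root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)

def find_plaintext_copies(volume_root, scan_roots=None, min_ratio=0.5):
    """Map each leaked file outside the volume to the volume file it matches."""
    if scan_roots is None:
        scan_roots = [tempfile.gettempdir()]  # %Temp% on Windows
    index = {}
    for src in walk(volume_root):
        for digest in block_hashes(src):
            index.setdefault(digest, src)
    hits = {}
    for root in scan_roots:
        for path in walk(root):
            digests = list(block_hashes(path))
            matched = [index[d] for d in digests if d in index]
            if digests and len(matched) / len(digests) >= min_ratio:
                hits[path] = matched[0]
    return hits
```

Block matching only finds byte-identical copies such as extracted archives or staged installers; thumbnails and application recovery files are re-encoded and need their own checks.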
2

TrueCrypt encrypts the whole volume, as a big bag of sectors. TrueCrypt does not know what a "file" is, it sees only sectors. It protects your data against people who steal your disk but do not know the password.

The operating system manages the sectors, using some of them as metadata to describe directories and usage of other sectors for containing pieces of files. When a file is deleted, the metadata is first rearranged to make the data appear as part of a file in the special "recycle bin" directory, and then (when the bin is emptied) to mark the sectors as "free", i.e. reusable for other files or directories. TrueCrypt is not aware of these OS games; TrueCrypt encrypts all sectors, regardless of whether they contain file data, metadata, or are free. As such, TrueCrypt protects data from deleted files as well as data from non-deleted files.

If the attacker knows the TrueCrypt volume password, then he can virtually remove it and get back to the non-TrueCrypt situation: the data from a deleted file can be recovered until the sectors containing it are reused. Sector reuse depends on disk usage. File shredders first overwrite the file with junk data (several times, out of tradition from older times), ensuring non-recoverability.

Thomas Pornin
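The layering described in the answer above, as a toy model added here (not part of the original answer and not TrueCrypt's code): an encryption layer that only knows numbered sectors, and a file system layer that only edits metadata on delete. The SHA-256 keystream is a stand-in for the real cipher, the key stands in for the password-derived key, and the metadata is kept in memory instead of in sectors; all class and function names are assumptions for this sketch.

```python
import hashlib

SECTOR = 16  # toy sector size in bytes (real disks use 512 or 4096)

def keystream(key: bytes, n: int) -> bytes:
    # Toy per-sector keystream, a stand-in for TrueCrypt's real cipher mode.
    return hashlib.sha256(key + n.to_bytes(8, "big")).digest()[:SECTOR]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class EncryptedVolume:
    """Encryption layer: numbered sectors only; all of them are ciphertext."""
    def __init__(self, key: bytes, sectors: int):
        self.key = key
        self.raw = [keystream(key, n) for n in range(sectors)]  # on-disk bytes
    def write(self, n: int, data: bytes) -> None:
        self.raw[n] = xor(data.ljust(SECTOR, b"\0"), keystream(self.key, n))
    def read(self, n: int, key: bytes) -> bytes:
        return xor(self.raw[n], keystream(key, n))

class ToyFS:
    """File system layer: metadata maps names to sector numbers."""
    def __init__(self, vol: EncryptedVolume):
        self.vol, self.files, self.free = vol, {}, list(range(len(vol.raw)))
    def create(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        self.files[name] = [self.free.pop(0) for _ in chunks]
        for n, chunk in zip(self.files[name], chunks):
            self.vol.write(n, chunk)
    def recycle(self, name: str) -> None:   # "delete": a rename only
        self.files["$Recycle.Bin/" + name] = self.files.pop(name)
    def empty_bin(self) -> None:            # sectors freed, data untouched
        for name in [f for f in self.files if f.startswith("$Recycle.Bin/")]:
            self.free = self.files.pop(name) + self.free

def carve(vol: EncryptedVolume, key: bytes, needle: bytes) -> list:
    # Scan every sector, allocated or free, decrypting with the given key.
    return [n for n in range(len(vol.raw)) if needle in vol.read(n, key)]

def demo():
    vol = EncryptedVolume(b"volume-key", 8)
    fs = ToyFS(vol)
    fs.create("plan.txt", b"SECRET plan A...")
    fs.recycle("plan.txt")
    fs.empty_bin()
    with_key = carve(vol, b"volume-key", b"SECRET")
    without_key = carve(vol, b"wrong-key", b"SECRET")
    fs.create("new.txt", b"holiday photos!!")  # reuses the freed sector
    return with_key, without_key, carve(vol, b"volume-key", b"SECRET")
```

`demo()` returns the sectors where the deleted content is still found with the right key, with a wrong key, and with the right key after the freed sector has been reused.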
0

Not unless they can access/successfully mount the volume. Recycle bin is partition-specific.

Practically, the file is renamed inside the recycler which resides on the same drive letter - the one of the mounted volume which is the encrypted container.

Therefore, that file cannot be read outside the container no matter if it's in original form or pseudo-deleted form (moved to bin).

Overmind
0

It is possible for a file being deleted in a TrueCrypt volume to be recovered as long as you have the volume password / keyfiles.

TrueCrypt only does the following:

  • Secure data by encrypting it before it is written to a disk.
  • Decrypt encrypted data after it is read from the disk.

The responsibility of file management belongs to the file system of your OS, not TrueCrypt. Unless you are using file data shredding tools or a file system with data shredding support, any deleted file could be recovered until it is overwritten. Files in the recycle bin are not overwritten until you empty it. You can find the deleted file in the recycle bin again when you mount the TrueCrypt volume again.

neo
  • Incorrect. Even after you empty the recycle bin, the files will **not** be overwritten. – Adi Mar 15 '13 at 08:08
  • Note: What I meant was they won't be automatically overwritten when you empty the recycle bin. At some point, of course, they'll be overwritten by the normal usage of the disk. – Adi Mar 15 '13 at 11:53