Forensics Help Request

[AJ@PR]

Hello guys,

I come to you now with a special situation.
I hope we can give it our best... I would be very much in debt with everyone here.

Yesterday, I finally headed over to CompUSA and bought an external enclosure for a 320GB hard disk I had around. New hard disk, btw.

So I installed the hard disk (hardware-wise), then did the partition thing, format, and we're off...

So, I started backing-up my computer stuff into this external hdd.
I'm currently using a laptop, with a 80GB hdd... so, everything should more than fit into this new 320 one.

Now, for various files and stuff, I've been using TrueCrypt, to keep everything "extra" secure.
((TrueCrypt primer::: It creates an encrypted file, which it then 'mounts' as another hard disk drive in your computer. You then dump whatever it is into this new drive, and 'un-mount' the drive. For 'mounting' the drive, you need the password.))

MY PROBLEM:::
I created a TrueCrypt drive for all my pictures
(yes guys, I know you're urging for the pr0n joke... but, really, it's my personal pictures folder. If it was pr0n, I wouldn't be in this mental distress state).
I had apoximately 10gb of pictures... so I created a 15gb TrueCrypt file.

Now, I can't open the folder. (!!!)
SPECIFICS:::
I take my newly created pictures' TrueCrypt file...
I 'mount' this file... and a new drive appears (let's say, N: drive)
I go over to N: drive, and there's only one folder; Photos.
When I try to open Photos, it gives me an error.
Properties for the folder show 0 bytes.

When I did the transfer, Lord, I was waiting for like 20 minutes as all the pictures got transfered.
Yes, the file names where changing and the progress bar was moving 0%--100%, 0%--100%, ...

When I did this, I *moved* the 'Photos' folder from my desktop, to this N: drive.
I should have *copied* them.

So, I ask you people::: Is *move* something similar to *delete*, where stuff can be 'undeleted'?

Do you guys have any idea if I can find the pictures' remnants in my computer?
This was yesterday, and I bumped into this problem today morning.
I haven't installed/copied anything to my computer... so I hope that the damage, if any, is minimal.

Sorry for this super long post... but as I said, if this where pr0n or something I could live without, I would.
I *can* live without those pictures... but there are lots of memories in there.

Thanks for reading this, and thanks for trying to help. I really appreciate it.

Peace guys, and many, many thanks,

-AJ

[jdbnsn]

I have never used the encryption stuff you are using, but I was once able to recover lost files from a hard drive I had accidentally quick formatted using File Scavenger, so I would guess it would work on "moved files" as well. It's worth a try anyway.

[AJ@PR]

I have never used the encryption stuff you are using, but I was once able to recover lost files from a hard drive I had accidentally quick formatted using File Scavenger, so I would guess it would work on "moved files" as well. It's worth a try anyway.

I'm going to try File Scavenger as soon as I get home.

THANK YOU for a ray of hope!!!!
THANKS!

I've uploaded a picture of me:::

[Airbozo]

You _should_ be able to recover the files if you have not installed anything on your system since you _moved_ the files. One thing I remember about some of the encrypt programs is that if you try and copy or move the encrypted file it will become unusable. Check with the documentation on this. Try File Scavenger and see if you can get your data back.

[ESX]

I know that you can move your files back, but IMO whenever you encrypt them, their structure changes. (I think)
If you can mount that drive, try doing CTRL+Z to move the files back and then see what happens.
Otherwise you could try and contact the people that made that piece of software and ask them if theres a way out of your situation.

Good luck!

[AJ@PR]

Thanks guys!!!

I'm having more hope now... yeah!

I'm going to try that, and update.
I'll do it in 'bout 6 hours, cause I'm going to be away from the computer.

Thanks for reading through the long post and trying to help.
I'll let you guys know how it goes.

Again, many thanks.

AJ

[jdbnsn]

One thing that's really important is like Airbozo said, don't install anything more than absolutely necessary on the computer because if the "moved" files are tagged as if they were deleted they will be overwritten. I'm not positive this will make a difference, but when you install file scavenger or whatever, try installing it in an already existant folder instead of making a new one, or if you can run it from the external drive (not sure this is possible).

[Airbozo]

Installing something in an existent folder will not help, since it does not matter where you install it, windows will grab the next available space in that partition to install to, whether it is a new slice or one where data _was_. So do not install _anything_ on that HD until you get the data you need. It would be better to install it to a new drive or floppy if you can.

[jdbnsn]

That's what I was afraid of, wasn't sure though.

[AJ@PR]

w00t w00t!!! !!1! one!! 11!

IT FREAKING WORKED!!!

I couldn't wait, so I ditched my agenda for the rest of the day, and came straight to try and get it to work.

Booted up. Closed/disabled all programs that run at startup.
Unplugged the net (just in case).
No WinAmp.
No nothing.

I used another computer to download File Scavenger.
And it worked!!!

I first ran it in my laptop's 80gb hdd... without pluging in the external one.
I ran a search for *.jpg images, completely forgetting two or three videos.

Anyways, took 52 minutes, and returned like 7.5gb worth of images.
I WAS HAPPY WITH THAT!

So I restored everything to a second (120gb) external hdd.

Now that I've got as much as possible of those files, I plugged in the 320gb external that contains the TrueCrypt pictures file, and 'Mounted' the pictures drive.

Now check this out:::
I ran File Scavenger's Quick Search, on the virtual TrueCrypt drive, and it found nothing.
So I ran the 'Long Search' and used *.* (as I knew that only my Photos folder was in there).
Automatically, it started displaying file names... with a better structure than the ones taken from my laptop's hdd!!!

Wow. I . Am. One. HAPPY. Kid. !!! w00t!!!


Thank you to EVERYONE that helped out!
I am really really grateful.
Thank you jdbnsn (& AirBozo) for suggesting File Scavenger! I owe you! Thanks!!!

Well, she still hasn't finished the Long Search of the virtual drive, so I'll wait for it to finish and Restore everything to yet another folder (non-TrueCrypt for now :p), and later compare with NoClone.

Wow. Thank you guys!!!!!!!!
Many memories have been saved.
THAAaaanNKSSS!!!



AJ