Is there any way to restore corrupted JPG images.

[Peter Jason]

I have Win7 SP1.

These were corrupted in the TrueCrypt "hidden volume" presumably by
other data overflowing onto them. No viewing software seems to be
able to read them, including some utilities such as "Recover My
files", "X-ways forensics", or EnCase V4.0 Enterprise.

The volume of data seems to be there because of the file size which
seems the same as the original. Perhaps there's a way of reclaiming
some of the image in each by manually deleting the damaged parts with
a hex reader?

Would this be possible, and what would be a suitable method.

Desperate; Peter

 

[Paul]

I have Win7 SP1.

These were corrupted in the TrueCrypt "hidden volume" presumably by
other data overflowing onto them. No viewing software seems to be
able to read them, including some utilities such as "Recover My
files", "X-ways forensics", or EnCase V4.0 Enterprise.

The volume of data seems to be there because of the file size which
seems the same as the original. Perhaps there's a way of reclaiming
some of the image in each by manually deleting the damaged parts with
a hex reader?

Would this be possible, and what would be a suitable method.

Desperate; Peter

You could try Photorec. Just for kicks, I gave it a try, by putting
some JPG files on a relatively unused partition, deleted them in the
trash can, and then had it scan the drive. And it found them OK.
Presumably it looks for recognizable headers.

http://www.cgsecurity.org/wiki/PhotoRec

To understand the damage, you'd almost need a disk editor to look
at them. If the volume was fragmented, and the file content wasn't
contiguous, that might make recovery more difficult. With my crappy
tools here, I can use "dd" to "snip" out a manageable small section
of disk, like 1GB worth of contiguous data, then feed that to my
hex editor for a look. And then I might get some idea what happened.
(I.e. Looking for headers, or seeing a scrambling pattern of some sort.)

The thing is, when a drive is encrypted, if the decryptor was using
the wrong key, I suppose all the data that comes out, will be
"noise". That's why you encrypt in the first place, so the disk
content looks like "noise". Depending on the algorithm,
there can be error multiplication, such that attempts to recovery
even partial damage could be futile. It's up to the designer of
the encryption method, to limit damage, by design. For example, if
each file is encrypted separately in some way, you might limit damage
to just the one file affected. But if the encryptor works at the
sector level, some issue with the encryption might effectively
destroy all the data. (Say for example, you have malware on board,
and some critical key is overwritten.) Even a bug in the software,
could corrupt things. And with TrueCrypt, there are probably
plenty of situations that require decrypting the entire volume
and encrypting it again, so more opportunities for mischief one
way or another.

What you need to find, is people familiar with the quirks of
Truecrypt, like say, a Truecrypt user forum... I somehow doubt
simple minded forensic techniques, are going to be good enough.

Paul

 

[Wolf K]

I have Win7 SP1.

These were corrupted in the TrueCrypt "hidden volume" presumably by
other data overflowing onto them. No viewing software seems to be
able to read them, including some utilities such as "Recover My
files", "X-ways forensics", or EnCase V4.0 Enterprise.

The volume of data seems to be there because of the file size which
seems the same as the original. Perhaps there's a way of reclaiming
some of the image in each by manually deleting the damaged parts with
a hex reader?

Would this be possible, and what would be a suitable method.

Desperate; Peter

Unclear. If the encrypted files were corrupted within the encrypted
volume, then there's no method I know of (even theoretically) to
retrieve the original data. The corruption is like a second layer of
encryption, but you don't have the key to it.

HTH
Wolf K.

 

[Peter Jason]

You could try Photorec. Just for kicks, I gave it a try, by putting
some JPG files on a relatively unused partition, deleted them in the
trash can, and then had it scan the drive. And it found them OK.
Presumably it looks for recognizable headers.

http://www.cgsecurity.org/wiki/PhotoRec

To understand the damage, you'd almost need a disk editor to look
at them. If the volume was fragmented, and the file content wasn't
contiguous, that might make recovery more difficult. With my crappy
tools here, I can use "dd" to "snip" out a manageable small section
of disk, like 1GB worth of contiguous data, then feed that to my
hex editor for a look. And then I might get some idea what happened.
(I.e. Looking for headers, or seeing a scrambling pattern of some sort.)

The thing is, when a drive is encrypted, if the decryptor was using
the wrong key, I suppose all the data that comes out, will be
"noise". That's why you encrypt in the first place, so the disk
content looks like "noise". Depending on the algorithm,
there can be error multiplication, such that attempts to recovery
even partial damage could be futile. It's up to the designer of
the encryption method, to limit damage, by design. For example, if
each file is encrypted separately in some way, you might limit damage
to just the one file affected. But if the encryptor works at the
sector level, some issue with the encryption might effectively
destroy all the data. (Say for example, you have malware on board,
and some critical key is overwritten.) Even a bug in the software,
could corrupt things. And with TrueCrypt, there are probably
plenty of situations that require decrypting the entire volume
and encrypting it again, so more opportunities for mischief one
way or another.

What you need to find, is people familiar with the quirks of
Truecrypt, like say, a Truecrypt user forum... I somehow doubt
simple minded forensic techniques, are going to be good enough.

Paul

Thanks, I tried the PhotoRec and this works from a small DOS window.
It did recover one image only - so I used it correctly. The rest
stubbornly refuse to display.