fatback will work on the block device, the sdb1 partition in your case, which is encrypted. Because everything here is encryption, fatback will be unable to properly parse the fat32 partition structures and thus will be unable to function properly.
fatback: recovering deleted files from truecrypt encrypted usb flash drive
Hey all! I'm trying to learn several forensics tools that are included with BT5; in this particular instance I am playing with the file carving tool fatback.
I have a USB flash drive that I have encrypted using truecrypt full disk encryption. I added some files and then deleted a couple of them after successfully mounting the drive in truecrypt.
With the drive still mounted I tried to use the command 'fatback /dev/sdb1 -a -o ~/test' (~/test is a folder I created to save the recovered files)
I was watching a youtube video illustrating this process and I performed the same steps as the commentator. The only difference between the two scenarios is that the USB drive on the video was formated using FAT16 (rather than FAT32 which my drive is) and the drive on the video was not encrypted.
However when I ran the command I got an error that read:
"No valid VBR found at offset 440722688
Unable to read Volume Boot Record"
I am wondering whether the fact that I have used full disk encryption might be causing this problem. If this is so, is there another tool that can be used specifically with full disk encrypted usb flash drives or another command formulation I should use?
Thanks for your input : )
n1ll0
Re: fatback: recovering deleted files from truecrypt encrypted usb flash drive
fatback will work on the block device, the sdb1 partition in your case, which is encrypted. Because everything here is encryption, fatback will be unable to properly parse the fat32 partition structures and thus will be unable to function properly.
Posting Permissions