Recovering Data from an encryted Diskcryptor hard drive

I’ve recently been testing drive encryption for external hard drives and a number of USB devices as many of our clients travel around with data on laptops and flash drives.

I came across Diskcryptor which is a free opensource disk encryption program which is actually very effective now the TrueCrypt is no longer available.

I’ve tested it on a number of 2.5″, 3.5″ flash drives and external hard drives, but what I really wanted to see was how secure was the data on the drive after I’d finished with it and decided to wipe it.

For this I’ve used an old laptop hard drive which was around 30% utilised. I formatted the drive, then encrypted it using a combination of AES-Twofish-Serpent encryption with a 40+ character key, which is apparently uncrackable.

Once encrypted (500GB took around 7 hours) I then formatted the drive again and went about trying to recover the data on the drive using a variety of tools.

On the formatted partition, after a number of hours of analysis, most of the tools could see there was something there, but recovery was impossible. Tools used were Yodot Recovery, EaseUS Partition Master, UFS Explorer and Recuva. Some of these I’ve paid for and some are the free versions (Yodot and UFS Explorer I’ve paid for).

I then re-encrypted the drive using the same algorithm and key as before and used Yodot to analyse the drive.  Now given that the data was formatted before encryption and after encryption, and had had a number of files deleted from there over time, Yodot was able to find everything on the drive once it has been re-encrypted using the same key.

Now the caveat.  This was only possible because the drive was encrypted using the same version of Diskcryptor, and using the same key as before.  If a different key was used it would not be able to read the drive. Yodot is a great recovery program, it takes a while to complete especially on large drives, but the results are brilliant on encrypted drives.

The secret however is that if you do encrypt a drive, or device, be very careful what you do with it.  If you wipe the data, be mindful that there is a high probability that you will not be able to get it back unless you are using an encryption program that isn’t that clever (as DiskCryptor creates the key based on the password rather than a unique code plus the password).

Recovery is possible in this instance because the encryption software and recovery software are happy working together once the drive is mounted.  That will not always be the case depending on your encryption software.  Things like Sophos Drive encryption and products which rely on a server or domain key plus a user key are a nightmare to get round but can be done given the right hardware being available (usually another Sophos encrypted machine, an external drive bay, access to the Sophos server and a user account which had access to the drive in the first place)

Hopefully this might give you some assistance in recovering lost files from formatted encrypted hard drives.


Bookmark the permalink.

Comments are closed.