How to recover an overwritten file from a mounted VeraCrypt encrypted disk?

How to recover an overwritten file from a mounted VeraCrypt encrypted disk?

When copy and pasting commands with a space at the end it automatically runs the command without requiring the user to press enter.

This is why I overwrote a large text file with a cp ./newfile ./oldfile command.

How can I restore the oldfile after I aborted the command?

The oldfile is on a hard drive encrypted with VeraCrypt which is mounted (an ext4 partition).

The file is not still in use.

I already tried sudo grep -i -a -B100 -A100 'text in oldfile' /dev/sdx1 > ./restored (replace sdx1 with what's displayed with lsblk -f) but it doesn't find anything. Should it work with this command? Is it possible at all?

答案1

The disk is encrypted so there's absolutely no point in looking on the disk for a plain text string. At best you need to search the mounted filesystem, as this is the decrypted layer, but any writes to it whatsoever are likely to overwrite your deleted data.

Look at the output of this command to identify the filesystem device to search (for example /dev/mapper/myhome):

df -h /path/to/oldfile | awk 'NR>1 {print $1}'

You can then attempt to retrieve what remains of the file data with instructions at Recovering accidentally deleted files

相关内容