in short: i stored 1 truecrypt and 1 veracrypt container (or 2 truecrypt or 2 veracrypt containers) on a veracrypt-partition. I dont know what exactly happened to it but i lost the veracrypt partition. But i think i found it and i have backups of all headers. After a bit of research i likely could encrypt the partition without mounting its files system (cause it is damaged) like that:
sudo losetup -o 135266304 --sizelimit 2000263577600 /dev/loop11 /media/veracrypt1/dd_image_of_whole_drive.img
veracrypt -t --filesystem=none -m=headerbak -k “” --pim=0 --protect-hidden=no /dev/loop11
i then examined the content of /tmp/.veracrypt_aux_mnt2/volume and i could see some pattern which indicate that the partition was encrypted successfully. I also tried to restore some files with photorec and this was successfull as well.
There are two more „devices“ which have the same size and content:
so now i wonder if/how autopsy can find and recover the containers. Does anyone have a good „cfg“ which can find those containers? Which kind of data source should i chose? Which „device“ or file? I know the names of the containers and the approximate size.
I use linux mint 20.2 and the file system of the encrypted vc-partition is ntfs.
Before i try to recover the partition (testdisk did not find it, gpt is broken, the beginning of the potential partition is overwritten with 00 etc) i would try to recover these containers.