Thanks for all the advice, very helpful forum!
Unfortunately, NTFS has some issues with very large files and the MFT that complicate file recovery. The file shows up as 0 bytes long in any tools that detect it, preventing a straight deleted-file recovery.
Yeah, in hindsight I really should have backed it up. I had planned to and purchased an external hard drive specifically for this purpose, but as Murphy's law goes, the file was deleted prior to the external HDD arriving.
The drive it was on was not the system drive. It did contain other files on the drive prior to the creation of the TrueCrypt container, and files were written to the drive after the creation of the TrueCrypt container, so it's likely the drive is fragmented.
OSForensics is actually one of the first tools I used and continue to use; it's quite useful. Unfortunately, like the other recovery tools, it finds the file but lists it as 0 bytes, which a bit of investigation leads me to believe is due to an issue with very large files and NTFS, not specifically because all the data has been overwritten.
I think people start posts with "so" because if it was a conversation in RL that's how it would go. We would likely start the conversation with something more light-hearted/small-talk, then segue into the topic at hand with a "so". I guess it is entirely vestigial in an online forum post.
Unfortunately, Encrypted Disk Detector only detects when entire disks/partitions are encrypted, which I've found a few tools that can do. It is detecting encrypted files from raw disk that is difficult.
Have been giving DDME a shot; it is a very useful tool and I like how it gives a lot of lower-level information. Tried a raw disk carve but wasn't successful; will have to recalculate my sectors and give it another go tonight.
Anyway, thanks again for all the help, guys!