11-03-2018, 12:40 PM
(11-03-2018, 11:56 AM)lapwing Wrote: To pinpoint the header of your VeraCrypt file you can calculate the Shannon entropy on all the sectors (or better, clusters) of the filesystem. High-entropy files are easily recognizable in this way (Shannon entropy very close to eight, e.g. 7.999). This gives you an indication of where the VeraCrypt header might start in the corrupted filesystem. Assuming the file was initialized on a not heavily fragmented filesystem, it should be a continuous block of high entropy. Plotting the entropy gives you a nice overview. A tool capable of doing this is e.g. binwalk, but you can also use rdd (https://sourceforge.net/projects/rdd/), which writes block entropies to a file that can be plotted with gnuplot using an included Python script.
Good luck
Yeah I was looking into calculating the entropy and plotting it, but since I'm not the sharpest marshmallow stick on a campfire I didn't get very far with it. Thanks for letting me know about those tools, I will surely try them out!
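
The per-cluster entropy scan described in the quoted post, as an added example that is not part of either post and is not code from binwalk or rdd. The 4096-byte cluster size, the 7.9 threshold, the function names and the `disk.img` path are assumptions; the sample image is constructed in memory.

```python
import io
import math
import os
from collections import Counter

CLUSTER = 4096    # assumed cluster size; match it to the damaged filesystem
THRESHOLD = 7.9   # assumed cut-off: random 4 KiB blocks measure about 7.95
                  # bits/byte; values like 7.999 need much larger blocks

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_runs(stream, block_size=CLUSTER, threshold=THRESHOLD, min_blocks=4):
    """Return [(start_offset, length)] for contiguous runs of high-entropy blocks."""
    runs, start, offset = [], None, 0
    while True:
        block = stream.read(block_size)
        high = bool(block) and shannon_entropy(block) >= threshold
        if high and start is None:
            start = offset                      # a run begins at this block
        elif not high and start is not None:
            # run ended (low-entropy block or end of image); keep it if long enough
            if offset - start >= min_blocks * block_size:
                runs.append((start, offset - start))
            start = None
        if not block:
            return runs
        offset += len(block)

def constructed_image() -> io.BytesIO:
    """Constructed sample: 8 text clusters, 16 random clusters, 8 text clusters."""
    filler = (b"ordinary file contents " * 200)[:CLUSTER]
    return io.BytesIO(filler * 8 + os.urandom(16 * CLUSTER) + filler * 8)

if __name__ == "__main__":
    # For a real image use open("disk.img", "rb") (hypothetical path) instead.
    for start, length in high_entropy_runs(constructed_image()):
        print(f"candidate container at offset {start:#x}, {length} bytes")
```

Compressed files (archives, video, JPEG) also score near 8 bits per byte, so each reported run is a candidate to check, not a confirmed container.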