Julius Niezufus - 2025-03-13

Hi everybody

I accidentally installed a Linux distribution on my HDD with all my data, which was fully encrypted. The total size of the accidental installation amounted to approx. 500 MB.

My disk contain(s/ed) a visible volume of size n as well as a hidden volume of size m where 500 MB << m < n.
This makes me hope that either the visible or the hidden volume will still be perfectly fine (content-wise) although I cannot mount it right now. (Correct me if I'm wrong, but do it carefully.)
Both volumes were originally created using TrueCrypt, but later converted to VeraCrypt when backwards compatibility was ditched. Both volumes were formatted NTFS (I hope this won't make a difference).

I might be able to recover the encryption headers from another computer where I saved them. Now in order to assess the total damage, I need some general information about TrueCrypt/VeraCrypt.

Now enumerating the device blocks from 0 to n-1:
In which block is the header of the visible volume stored?
In which block is the header of the hidden volume stored?
Which headers got deleted?
Where does the actual hidden volume start?
Which of the volumes are most likely damaged? (content-wise)
Which ones will be fine?
Assuming I have copies of the encryption headers, how do I need to proceed to retrieve at least part of my data?

Anything else I need to consider?
Do you need any additional information?

Thanks a 1000 times for your help.