Need help in recovering accidentally formatted TrueCrypt partition

Discussion in 'encryption problems' started by AnG, Oct 16, 2014.

  1. AnG

    AnG Registered Member

    Joined:
    Oct 15, 2014
    Posts:
    4
    I’ll try to give as much facts as possible.

    My laptop hard disk had an encrypted Truecrypt volume for data. Windows showed this as an unformatted hard disk and prompted for formatting it. I sent my new laptop for some minor repairs (for installing more RAM), and the mechanic has formatted the encrypted hard disk (of course, I had warned him against touching the encrypted disk, and he denies tampering with this disk). Unfortunately, this was a new laptop, and I had just migrated data from my previous laptop and had not taken any backup as yet. In the meanwhile, I had formatted my previous laptop HD into an encrypted disk, and I presume, no recovery of data is possible from this HD. (Here, the data was unencrypted and the process of creating an encrypted disk would have overwritten the disk).

    The steps I have tried for recovery after reading many threads on this forum are:

    1. The data was in a standard volume as well as a hidden volume. Hidden volume was about 100 GB, and total volume about 360 GB)

    2. When the laptop came back to me, the Truecrypt volume was replaced with an empty NTFS partition of appx. the same size (368 GB).

    3. I tried recovering the volume header through embedded backup header.

    4. Initially, the standard volume mounted through backup header, but hidden volume did not mount.

    5. After mounting the standard volume through backup header, I could not see any files and I got an error message that the volume does not contain a recognized file system.

    6. At this stage, I tried to again recover hidden volume, but the error message said no access.

    7. I restored volume header for standard partition through backup header, and now, volume mounted easily. However, the disk was shown as empty and I got the error message that volume did not contain a recognized file system.

    8. Hidden volume did not mount, and I was unable to recover volume header for hidden volume.

    9. Now, I tried deleting the logical partition, and converted the partition to raw.

    10. Again, I tried mounting the file through backup header.

    11. Now, both hidden and standard volume mounted easily.

    12. I restored volume header for both hidden and standard volume.

    13. After restoring volume header, hidden volume worked like a charm, and I was able to recover ALL data from the hidden disk.

    14. The standard volume continues to mount after restoring volume header, but I’m unable to access it and continue to get the error message that it contains no recognizable file system.

    15. I ran testdisk to check the standard volume, and now, testdisk reads the partition as a disk with 395/368 GB.

    16. I ran photorec on the mounted disk for a couple of minutes, and it recovered about 100 files before I stopped it. Many of the files are perfect, but some files have been split into smaller files and recovered as mp4 files.

    17. I tried mounting the disk on winhex and searching for strings of 0s, but have not found any such strings, which suggests that the volume is not being decrypted properly. However, the recovery of files on photorec was of decrypted files.

    18. In all, the drive contains about 200 GB data, of which about 10 GB data is very important (personal records, scans of documents, bank documents etc. in jpg, pdf, doc and xls format). The remaining data is songs, movies, e-books, photos etc. I already have a backup of my photos, and the remaining bit is not important.

    19. I don’t want to spend too much money on Winhex (the website says that Ex2/Ex3 functionality is with a pro version that costs 200 Euros). I have tried taking backup of 200KB data from 1048576 in winhex and saving it as a file. This did not mount through TC. After restoring volume header, it mounts as a disk of 368 GB, but no files are visible.

    20. I tried searching for the volume header on the disk with an offset of 100000 (1fffff), and copied this string and searched for it again in the disk. If this is the correct header, this should be found again in the beginning of the volume, but this string is not found again.

    21. I don’t know why testdisk is not giving me correct options if photorec is able to read the files. Am I doing something wrong here? BTW, I'm not a computer expert or a technical expert. I'm self-taught as far as tampering with my comp is concerned.

    22. I’m cleaning out a 500GB HD and will use photorec to recover all files to this disk, in the hope that I get the files that I want.

    23. What is the best way to proceed? Should I try photorec? Should I try testdisk again? Or should I purchase winhex, copy entire data on partition (395gb? Or 368gb) on a blank disk, and mount it as a volume. Is this possible on the personal license that costs 40 Euro or only on the specialist license that costs 200 Euro + VAT (Winhex website says Ext2, Ext3 features are only available on Specialist and Forensic License). I’ve run Easeus Data Recovery Wizard but it does not find anything even after mounting.Should I try Testcrypt?

    24. Also, since this question has been asked on other threads, as far as I remember, I first created a partition on the HD, and then created a standard volume on the entire partition (right up to the end of the disk), and then created a 100GB hidden volume.

    Sorry for such a long post.

    TIA
     
  2. AnG

    AnG Registered Member

    Joined:
    Oct 15, 2014
    Posts:
    4
    The standard volume was a FAT volume as far as I remember (created with option of storing files of less than 4GB size)

    Update
    The files recovered by PhotoRec are capped at 100B each
     
    Last edited: Oct 16, 2014
  3. guest

    guest Guest

    I have the same exact problem, can you clarify something for me. When you said you deleted the logical partition, and converted the partition to raw, what did you do? Because you said you were able to recover all of the data from the hidden drive. I am unable to do so, so could you explain to me steps 9-13 because im on step 8. The only thing that will mount is my standard volume and im able to recover only those files useing file recovery software, im unable to recover the files in my hidden volume.
     
  4. AnG

    AnG Registered Member

    Joined:
    Oct 15, 2014
    Posts:
    4
    I found a thread here that said that in case of accidental damage to an encrypted volume, Truecrypt keeps a backup header towards the end of the partition. (The header is towards the beginning of a partition). So, in mount options, select the option "Use backup header embedded in volume if available". I tried this a couple of times, and finally the volume mounted. To load the hidden volume, you have to try this option with the password for the hidden volume.

    Hope this helps.
     
  5. Tedley

    Tedley Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    3
    AnG,

    I know little on how to recover your volume, but on other information....

    photorec will recognize raw drives, but it will also do a raw output, i.e. no file structure at all. I tested a good drive (I also have a true crypt issue right now). Raw output is a lot of files and no link (real file name, extension) to what they were, from what I have seen. It becomes a large pile of information. Keep in mind this is from my limited use.

    A current copy (full) of WinHex from X-ways is about 40 USD (not the forensic version, just get the one man version, so you can copy large files), if converted to the Euro (0.91) as of a week ago.

    If recovering the backup header from internally does not work, I suggest you get WinHex and read all of Dantz and others online posts. Google is your best friend right now. It will help you start out using it, as well as finding information on what may provide information you are not aware of. Such as, how to make a test file to find out the exact size in bytes of your data in TrueCrypt, that the headers surrounding data are 262,144 bytes, etc.

    First thing to do is make a sector by sector copy of the drive (clone). Then using the clone play around or look up how to move around WinHex.

    Some basics which are useful are:

    Firstly use "options", "edit mode" and make sure you are in "read only mode".

    Then move to "tools" and "open disk" for loading a disk. For logical volumes/partitions or physical media.

    Best way to move around is by "Navigation" then "go to offset"(by byte, sector, etc) using options like from beginning, current position and back from.

    Other helpful commands include "search" then "find hex values" for a large block of non zeros (0000000000) to locate the large encrypted block or to identify possible start and stop points of your encrypted data.

    I know it is not much help, but it is all I can do to help. It takes time and patience, but even if you don't get the data back you at least learn something new. I wish you the best of luck.

    Ted
     
  6. AnG

    AnG Registered Member

    Joined:
    Oct 15, 2014
    Posts:
    4
    Too late to do anything now. I gave up on the disk and formatted it. I lost a lot of data, but fortunately, my digital images were backed up on two more disks.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.