Accidently overwrote truecrypt MBR, need to recover data

Discussion in 'encryption problems' started by nurow, Jul 4, 2013.

Thread Status:
Not open for further replies.
  1. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Hello all,

    I have had an awful experience. I installed Ubuntu on a secondary hard drive, not realizing the Ubuntu was installing GRUB over my Windows 7/TrueCrypt MBR on my main hard drive. When I tried to boot back into Windows, I received errors from GRUB complaining of partition not being found.

    I had some sort of awful lapse of judgement, and forgot that this was a TrueCrypt partition. I asked the Ubuntu team for support, and the advised me to try to create a new Intel partition using TestDisk... further overwriting my MBR.

    Shortly after I remembered that this was a TrueCrypt partition and I located my TrueCrypt recovery disc... but I've found two of them (I think for two different computers that I encrypted). The problem is, neither of the two discs are responding to the computers password (responding with Invalid Password), even though I'm 100% certain the password is correct.

    Do the recovery discs have different passwords? Is there any way I can determine which of these recovery discs is the correct disc to recover my partition with?

    Or is there any alternative method I could use to recover the files on this drive?

    I tried mounting the drive from within Ubuntu Live CD after installing TrueCrypt on the Live CD. TrueCrypt couldn't mount it. I also tried restoring the volume header from the embedded backup, but that did not work either.

    I need help, my whole life is on this drive :(
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
  3. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Thanks BlackKnight, but I don't see anything on this site about mounting encrypted images...
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I believed it could read your data. Another idea ( I try...:rolleyes: ): http://sourceforge.net/projects/ophcrack/. Hope someone has suggestions more useful than mine.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    There's a procedure for testing the rescue disks and confirming the password. I'll post it after you reply to my question (below). The procedure needs to be done carefully or you might make things worse.

    In your current situation, normally you would be able to mount the volume from another system using the "mount without preboot authentication" command. However, if your password isn't being accepted then it's possible that the unintended changes overwrote the system's volume header (the "key data").

    Once you figure out which rescue disk is correct you can use it to restore the correct header, and then you should hopefully be able to mount your volume from another system (or by booting to another OS) using that command.

    As far as you can recall, do the rescue disks use different passwords? If not then things will become more complicated, but as long as one of them is the correct disk then you stand a good chance of regaining access to some or all of your data.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    That aproach will almost certainly fail. If you used a decent password then a dismounted TrueCrypt system volume is extremely hard to crack.
     
  7. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Thank you for the reply Dantz. Unfortunately, yes, both Rescue Disks use the same password, and I have tried mounting from an Ubuntu Live Cd without pre-boot authentication without success.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Nurow, did you search in the web ?
     
  9. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Heh.. yes. I've been researching and crying about this for three days.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I copied and pasted some of the following from one of my posts on a different forum (and I also edited it a bit):

    Here's a way to use the TC rescue CD to confirm that your password is correct. This procedure doesn't read the header (the "key data") from your hard drive at all, it uses the header data that's stored on the CD, so it's a good way to confirm that you are entering the correct password, even if the header on your hard drive was overwritten or damaged such that it can no longer validate your password:

    1) Boot to the Rescue CD

    2) Select [F8] Repair Options

    3) Choose [3] Restore Key Data (volume header)

    4) At the password prompt, deliberately enter an incorrect password (such as "xxx") and notice that you receive the "Incorrect password" message.

    5) Press escape once in order to get back to the Repair Options menu

    6) Select option [3] again, this time entering the correct password at the prompt. If the password that you entered is validated by the header on the rescue CD then you will advanced to the next prompt: "Modify Drive 0? (y/n)". (You might also get a warning that the hard drive already appears to contain a valid TC header).

    7) At this point (if you get this far) you should carefully press "n" so you don't end up modifying the drive, as this was just a password test and we weren't actually intending to restore the Key Data.

    Results:
    If you can't get past the "Incorrect password" message then you can assume that you are either typing the incorrect password for that particular rescue cd, or for some reason your correctly-typed password is not being passed on to TrueCrypt, possibly due to a keyboard issue or some other miscellaneous cause. In this case you might want to re-try the test using a different computer. If you do, be very careful not to modify the drive. (Make sure you press "N" when asked.)

    If your password works fine when you perform the above-mentioned test but it's not being accepted when you boot to the hard drive then the TC header (key data) on the hard drive most likely needs to be restored from the rescue CD. However, this will probably not be a complete solution to the problem, as whatever damaged the TC header most likely affected other areas of the drive as well, particularly the TrueCrypt bootloader (which can also be restored from the rescue CD if needed).
    *****
    So, in your case, once you confirm the password, the next step will be to use the correct rescue disk to restore the key data. At this point the safest approach is to attempt to mount the volume from another OS, either by slaving the hard disk to another PC or by booting to a live CD, then running TrueCrypt and using the "mount without preboot authentication" command.

    However, since you aren't sure which rescue disk is correct, it gets a little trickier. We will have to try them both (boot to each one and use it to restore the key data, then attempt to mount the volume from another OS). It might also become necessary to inspect the data with a hex editor to see if it is decrypting or not.

    But (and this is important), are you positive that at least one of the rescue disks is correct? If not then the most prudent approach would be to make a backup of Track 0 before proceeding, just in case the volume header on your hard disk is still intact, as it then becomes your only copy and it must be carefully backed up before you overwrite it with another one, otherwise you could permanently lose access to your data.

    Note: Rather than just restoring the key data and then attempting to mount the volume from another OS you could also try restoring the TC bootloader from each rescue disk and then attempting to boot the system, but my focus here has been on recovering your data rather than getting your system running again.
     
  11. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Dantz, I can't thank you enough for this detailed guide. You asked:

    I have searched everywhere and these are the only two discs I could find, and I had two encrypted computers, so this would make sense.

    But I would like to air on the side of caution... do you have any suggestion for how I should make the backup you are referring to? Is this a backup of the whole drive or just a piece of the voluime?
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    The 512-byte header is typically stored in Sector 62 (counting from zero, so it's actually the 63rd sector), and that's the crucial data that ought to be backed up. However, this is using the old terminology, so if you have one of those new disks that uses 4k sectors then things could be different.

    There are lots of ways to back that data up. I personally just use WinHex to open the physical disk and then save the "Start sectors" as a file.

    RE my previous post, I should have mentioned that once you have used the "restore key data" function you can reboot from the rescue CD, re-enter the password and see what happens. This uses the bootloader that is stored on the rescue CD, so maybe that will get you in. If not, try slaving the disk to another PC or booting from another OS on a LiveCD, as described previously, and then attempt to view or copy your data.

    If you have WinHex installed on the alternate PC, try using it to browse through the contents of the mounted volume to see if it contains any recognizable data. If the entire volume appears to be totally random gibberish then you might have used the wrong rescue CD, but if there are any patterns visible at all (for example, any recognizable text, or any strings of at least 4 or 5 zeros in a row) then you're most likely looking at decrypted data.
     
  13. nurow

    nurow Registered Member

    Joined:
    Jul 4, 2013
    Posts:
    6
    Dantz.. OMG.. IT WORKED!!!!!!!! I can't thank you enough.

    As I expected, both discs actually accepted the password after selecting option 3. I took a guess and used one of the discs to restore the key, booted into Ubuntu Live CD and mounted it successfully. My friend, I literally am crying I am so relieved. Thank you. Thank you. Thank you.

    If you will send me a PM of a bitcoin or paypal address, I would be more than happy to send you a small tip as a token of my gratitude.
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    You're very welcome! There's no need for money or anything, but if you'd like to keep it going then please do a favor for somebody else when the opportunity arises.
     
  15. ease

    ease Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    7
    Location:
    United States
    Dantz I've been using the information you've posted here to work on my own problem. Would you mind taking a look at this thread : https://www.wilderssecurity.com/showthread.php?p=2253680#post2253680

    I think I'm almost on the verge of getting my data back but I'm stuck on what to do after I've found the correct block that contain the header information.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.