Decrypting A Hard Drive that was encrypted with Truecrypt

Discussion in 'privacy technology' started by johndoe3815, Dec 31, 2011.

Thread Status:
Not open for further replies.
  1. johndoe3815
    Offline

    johndoe3815 Registered Member

    I hope someone here can help me. I decided to encrypt my Hard Drive with Truecrypt a couple weeks ago. My intentions at the time were to encrypt the drive then wipe it with DBAN before selling my computer. Well because of Christmas and all I did not get right to it and even ended up using the computer again. Now I thought I knew the password but I have it seem to have forgotten it. Now the problem is that I never got a chance to backup the new files. Normally this would not be a problem as I leave my computer running 24/7. Unfortunately the power was interupted today and now I can't get back into my Hard Drive.

    I definitely know part of the password. I actually remember the 1st 37 characters. I also think I know some of the words I used in the rest of the password.

    I have downloaded true.crypt.brute and OTFBrutusGUI, niether program can access the drive. Actually true.crypt.brute can see the drive but OTFBrutusGUI cannot. When I try to click on the encrypted Drive I keep getting the same message, that the drive needs to be formatted.

    My question is, how do I get these programs to see and decrypt the drive?
  2. kupo
    Offline

    kupo Registered Member

    AFAIK, once you lost your password, you can't recover the files, and you are using a very long password.
  3. johndoe3815
    Offline

    johndoe3815 Registered Member

    From what I can see it is still possible to recover or crack the password. I do know quite a bit of it and I know the rest of it was a short list of words and numbers that meant something to me. SO if I could put in the first part that I do know and then feed it the few possible words and numbers, it should quickly reduce the time to locate it.

    Still the problem is, so far I cant get any of the programs to even bring the drive into them to decode. Instead I get a popup telling me that the drive needs to be formatted.
  4. johndoe3815
    Offline

    johndoe3815 Registered Member

    Doesn't anyone out there have an answer for me? I am desperate!
  5. tateu
    Offline

    tateu Registered Member

    Why don't you start by being more helpful to those you want help from. I hate having to ask questions just so I can answer some.

    Where are you clicking on the drive? In Windows Explorer? Why would you do that?

    Is it an internal drive or an external drive? How many partitions are on the drive? Did you encrypt the entire drive or just a single partition (which one)? In true.crypt.brute, when you click "Select Partition," what do you see? What do you do next that makes you think it cannot access the drive? In OTFBrutusGUI, when you click "Select Device," what do you see?


    Maybe something like the following:
    I am using a 250GB external USB drive. The drive has one partition and I used partition encryption.
    In true.crypt.brute, when I click "Select Parition," I see:
    C:\
    D:\
    E:\

    The D:\ drive is the partition on my drive that is encrypted and in true.crypt.brute, I get an error message that says: "ERROR..."

    In OTFBrutusGUI, when I click "Select Device," I see::
    \\?\GLOBALROOT\Device\Harddisk0\Partition0
    \\?\GLOBALROOT\Device\Harddisk0\Partition1
    \\?\GLOBALROOT\Device\Harddisk1\Partition0
    \\?\GLOBALROOT\Device\Harddisk1\Partition1

    \\?\GLOBALROOT\Device\Harddisk1\Partition1 is my partition that is encrypted. I didn't know that, so I never tried selecting it.
  6. johndoe3815
    Offline

    johndoe3815 Registered Member

    I am sorry, but this is an area that I don't know much about, which is why I am here. Again I am sorry I didn't realize I hadn't given you enough information. Any way I wouldn't known exactly what to give anyway, so I do appreciate you asking the questions.


    Okay yes at first I tried to click on it in Windows explorer as I was going to see if I could put the password in through windows.

    It is an it is a 250 GB SATA Seagate internal drive. I encrypted the whole system drive as I intended on then using DBAN to wipe it before selling my computer. A friend of mine suggested this as I originally was going to format the drive. I guess he scared me into thinking someone was going to steal my bank account information. Anyway long story short I ended up using the drive more and then my power went out and because I forgot part of the password I wasn't able to get back into the drive. So I got another drive, loaded up windows and hoped that maybe somebody could help me.

    Anyway it has 1 partition and 101MB of unallocated space.

    When I go to true.crypt.brute I don't see my partition listed. It opens to a screen which says Truecrypt not detected on your System. Now on the right side of that message is a button and when I push it it looks like it is looking for a folder encrypted or something. When I try to select the drive it warns me that I need to format it first. The partition drive choices is G:\ to Z:\ and I dont have anything mounted to them. My drive letter is E.

    In OTFBrutusGUI I see there is a button to push "select device" when I push it, the only device it sees is my external hard drive it doesn't even see the system drive it is on. I am not sure what to do here. I was wondering if any one similar issues and knew what I needed to do. And before you ask, only the 250 GB SATA drive has Truecrypt on it. Anyway the encrypted drive partition is my E drive.

    I don't get any error messages since it cant see the drive. Well other then I need to reformat it.
  7. johndoe3815
    Offline

    johndoe3815 Registered Member

    I was hoping that Tateu would have gotten back to me by now.
  8. AF1X
    Offline

    AF1X Registered Member

    Sorry to be the bearer of bad news, but you're not going to be able to recover the password unless you can remember it.

    If you used a 10 character random password comprised of letters and digits, you might have to try up to 62^10 = 839,299,365,868,340,224 passwords. At 500,000 passwords per second (not feasible on anything a desktop user owns) this would take more than 53,228 years. At 15 characters it would exceed 48,763,933,596,446 years.
  9. johndoe3815
    Offline

    johndoe3815 Registered Member


    We are not talking about characters, we are talking words. For instance lets take the example below.

    For a 64 character password and the first 37 characters known. So now all I have to do is get the last 27 characters. Now if I had to actually do that there would be no way. Foutunately I know the remaining characters were made up of a combination of passwords I already know. This is why I did not record this part as I figured I would remember it. Because of this, it limits the amount of possible combinations I am not sure how much it is reduced by but I would think it would be a much shorter list. Now so far I myself have tried several different combinations, it would be a lot easier if I had a program that I could stick certain words or number strings that would make a list of the last 27 character possibilities.

    So lets say you have a list like this

    George
    Betty
    RedSkelton
    Cosby
    Newhart
    BradyBunch
    5789456
    2654789614
    5756942647
    562456278
    15637892
    452748
    1452

    Now you have this wordlist so out of only these words can my 27 character password can come from. Now this is a made up list but you should get the point.
  10. AF1X
    Offline

    AF1X Registered Member

    I can not think of any program where such functions exist, that is, entering the password partially and attacking the rest of the phrase with a word list. I'll keep my eye out though. If it comes down to it, it shouldn't be that hard to program such an algorithm in python.
  11. TheMozart
    Offline

    TheMozart Former Poster

    Kiss your data goodbye and learn from the experience.

    If TC was crackable, then everyone would stop using it.
  12. addi6584
    Offline

    addi6584 Registered Member

    slightly related, Only use TrueCrypt if you make the rescue disk and put it in a safe.

    I've had the below issue happen numerous times on various machines (the worst being right ahead of 2010yr taxes) which is why I no longer use TrueCrypt.

    http://www.truecrypt.org/docs/?s=rescue-disk

  13. dantz
    Offline

    dantz Registered Member

    You're getting some unnecessarily negative advice from AF1X and TheMozart. Your partially-forgotten password might be crackable if there aren't too many possibilities to test. Your sample wordlist, combined with the remembered portion of your password, is quite doable if that's all there is. The real problem is that for some reason you can't get OTFBrutusGUI to work. I suggest you create a small TC container file and test OTFBrutusGUI on that to see if you are able to figure out how to use it in this sort of situation. Then try it on another encrypted system partition. Keep the test passwords short and easy until you get things working.
  14. Hungry Man
    Offline

    Hungry Man Registered Member

    You just use a dictionary attack and add your own custom words to it
  15. johndoe3815
    Offline

    johndoe3815 Registered Member

    The thing I am curious about is this, if one goes ahead and encrypts a whole system drive, because of this you have to use another Hard Drive and put an operating system on that one. Is this a normal or abnormal thing for OTFBrutusGUI to not see it. Or do I have to have True Crypt downloaded on my new system drive. I am just lost as to why these programs cant either see the drive or don't recognize them as Truecrypt drives. All I can think is I must be doing something wrong.

    The other thing I cant help but wonder, why is it that OTFBrutusGUI, only sees my ecternal drive. It does not see my Truecrypt drive or my main system drive. Shouldn't it be abl to at least see my system drive?

    well I just tried something else that I hadn't considered before. When I set up the new Hard Drive, I didn't bother to activate the hidden Administrator account. So I decided to do that and now when I go into OTFBrutusGUI I can now see all my drives, though I am curious about something else. When I look at the list of drives available they each have a partition 0 and a partition 1, the funny thing is, both of the partitions are the same size. So which one do I need to look in?I am guessing it is partition 1.

    Now that I have gotten this far I was hoping someone here could help me understand how to create a wordlist. I have looked at a few sites, but they are way over my head and need someone to dumb it down for me. As I stated before I know for sure the first 34 characters and I am pretty sure I know the next 3 as well, so now all I need to do is make this wordlist with my known passwords and number strings. Parts of the password are capitalize and other parts are not.

    Thank you for any help you can give me.
    Last edited: Jan 7, 2012
  16. dantz
    Offline

    dantz Registered Member

    Sounds like you encrypted your system partition, not the entire drive.

    I have not tested OTFBrutusGUI against an encrypted system partition, nor do I have the time to try this, but I assume you have to slave the targeted system drive to another system first. There would be no point in trying to crack the system password of a running operating system, as the password would already have to be correct or you wouldn't be able to use that system in the first place.

    Of course you should install the TC program on whatever operating system you're using. Just install the program. You don't have to encrypt anything. Then you can use TC to try to mount the volume. In your case you are trying to mount a slaved system drive, so you would select the "mount without preboot authentication" option. Your only error should be 'incorrect password etc.'; any other error means you're making some sort of mistake.

    Your explanations are still lacking, which is probably part of the reason why you aren't getting more help. What OS? What version of TC? How are you attempting to mount the volume? Do you have the TC rescue disk? (I believe that you can run OTFBrutusGUI directly against the TC rescue disk, thus making it unnecessary to slave the system drive to another PC.) What are the exact error messages that are blocking you from proceeding? Have you tried any small-scale testing to see if you can get TC and OTFBrutusGUI to work as expected?
  17. dantz
    Offline

    dantz Registered Member

    I don't know about OTFBrutus, but in TrueCrypt, partition 0 refers to the entire drive and partition 1 refers to the drive's first partition. If you encrypted the entire drive, choose partition 0, if you encrypted only the system partition (as I believe you did) go for partition 1.
  18. dantz
    Offline

    dantz Registered Member

    I may be mistaken about that. I believe it can access the .iso file that's used to make the rescue disk, but I'm not sure about the rescue disk itself.
  19. johndoe3815
    Offline

    johndoe3815 Registered Member

    Okay I have made these request on other boards so I forget what I say at times.

    Anyway I am running a home built system with a pentium 4 Quad core duo processor.

    I have windows 7 Home Premium 32 bit as my OS
    I am using Truecrypt 7.1
    I do have the rescue Disk

    I have no idea about mounting the Hard Drive. As far as I knew the Hard Drive is already mounted. Partition 0 is actually the partition the Windows creates when formating a Hard Drive.

    The main thing now is that I would like to find out how to create my own word list? I have been trouble understanding what I have found online so far.
  20. johndoe3815
    Offline

    johndoe3815 Registered Member

    I was still hoping someone would reply to this. I added the information that was asked.
  21. tateu
    Offline

    tateu Registered Member

    Of course you have to make sure to run an app like OTFBrutusGUI with administrator privileges. That seems to be why it couldn't see your system drive.

    Partition0 is the entire drive. Parition1 is the 1st partition, Partition2 is the 2nd partition, etc. If you encrypted the entire drive, select Partition0. If you encrypted a single partition, select that Partition#.

    Are you familiar with regular expressions? The password builder in OTFBrutusGUI works in a similar fashion. Change the drop down for "Word List" to "Password Pattern."

    a pattern of:
    known_characters(word1|word2|word3){2}

    would result in 9 passwords:
    known_charactersword1word1
    known_charactersword1word2
    known_charactersword1word3
    known_charactersword2word1
    known_charactersword2word2
    known_charactersword2word3
    known_charactersword3word1
    known_charactersword3word2
    known_charactersword3word3


    You can also try and limit duplicates

    a pattern of:
    known_characters(word1|word2|word3){2:1}

    would result in 6 passwords:
    known_charactersword1word2
    known_charactersword1word3
    known_charactersword2word1
    known_charactersword2word3
    known_charactersword3word1
    known_charactersword3word2

    Once you've entered your password pattern you can press the "Save Word List" button and then view it in Notepad to see if it looks like you expect it to.

    Read through OTFBrutusGUI.txt for more details. You might want to create a small (1 or 2 MB will suffice) test TrueCrypt container with a similar but less complex password that you actually know and use that to test your understanding of how OTFBrutusGUI works.


    Also, and this cannot be stressed enough...

    Backup your data. If you can't afford to lose it, you can't afford not to have a backup or three. Even for non-encrypted data. Do it now or, I guess in your current situation, do it after (if?) you ever recover your data.
  22. wearetheborg
    Offline

    wearetheborg Registered Member


    What is the difference between a rescue disk and a volume header backup?
    I dont see a rescue disk menu in my truecrypt, only volume header backups.
Thread Status:
Not open for further replies.