Truecrypt Missing Partition Table

Discussion in 'encryption problems' started by InterestedParty, Nov 26, 2012.

  1. Brynjard

    Brynjard Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    3
    OK, I was running dual Windows 7 (32&64bit). Using 32 I started encrypting this whole drive (1 partition, and of course no backup of photos gathered over the years). Used 3 pass, estimated time 17hrs but at about 10 hrs (57%) I got an error from TC (something about bad clusters if I remember correctly). After a bit of research, I ended up getting spinrite from grc. Did a level 4 operation on the drive (which is a non-OS drive) but changed it into lvl2 at 20% as it took 20 hrs to that point. After finishing, BOOTMGR missing error on both windows, even when leaving respectively only one OS volume connected at a time. I ended up with numerous failed attempts to repair the version of windows I started my encryption until somehow magically it was repaired and was able to resume encryption from 57%. At around 85% I got another error of 1 bad sector and that TC replaced 512 bytes with 0s but TC managed to continue encryption and it was all done.

    Upon finishing, I removed the letter attributed and tried mounting: "This device does not contain a valid file system". After some hour of reading on forums and researching it appeared a very common cause was altered operating systems. So I got rid of both versions of windows and performed a clean install of 32bit to be left with. (Note during this whole time I left the encrypted drive disconnected, just for caution. For the sake of mentioning, I never connected any drives while the PC was running)

    When I installed TC on the new windows I wasn't getting any of the previous errors upon mounting <-There were about 2-3 different ones I didn't mention, plus I don't remember them, because they most likely were indeed faulty OS issues. Now I am able to mount the drive but Windows Explorer sees it as RAW data and asks me to format it.

    Oh by the way, thanks for deciding to save the day again :D, you rock.

    A little edit as I forgot to mention configuration of my system: DELL XPS 630i prebuilt, 4GB RAM, Intel Core 2 Duo E8500 CPU, IDE RAID HDD (the one in cause), uhm & Nvidia9800gt if that matters in any way. It is a decently fast computer in my opinion as a video editor.
     
    Last edited: Apr 28, 2013
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sorry it took me so long to get back to you. That's quite a story. What fun! Couple of questions:

    When you select the disk in TrueCrypt using "Select Device", you are selecting a partition, correct? That is, you select the partition (Partition1, I assume) that is listed underneath a disk number such as (in your case) Disk 0?

    If as far as you know your partition structure is unchanged, and if your volume is mountable as always then I suspect that TrueCrypt is not the problem. Most likely your volume's internal file system has somehow become damaged. Have you tried using any data-recovery programs to explore the mounted volume? Try GetDataBack (by runtime.org). They have an evaluation copy you can try. PhotoRec (which comes with TestDisk) might also be useful, especially if the volume's file system is badly trashed. (Note: PhotoRec is a data-carving program, that is, it finds your files by searching the disk for their known file signatures, which means that at least some of your file types must be supported or nothing will be found. Check the support list.)

    I consider the use of the above data-recovery programs as a test. If you are able to recover some data, great! However, if neither of those programs is able to come up with anything recognizable, that is, no results at all, then I would suspect that your volume, though mountable, is not decrypting due to a header problem such as using the wrong header or the header being in the wrong location (usually due to some sort of an improper repartitioning operation or a partition which has been lost entirely), or something like that. In that case you should test the mounted volume with WinHex (use it to search for non-random data, I'll provide details if you need them) to see if it contains any decrypted data, just to confirm that the header is not the problem.

    Also, since I mentioned TestDisk above, I should add that TestDisk might be able to repair the problem, but I suggest you don't try to use it yet, as it is also capable of causing a lot of irrevocable harm to TrueCrypt volumes. We don't know what's wrong yet, so it's too early to try it. Use it only if indicated, and only after making a full backup image of the raw disk.
     
  3. Brynjard

    Brynjard Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    3
    Been extremely busy, simply didn't get around to tickling the HDD yet :D , hope it is not a problem I replied so late. About your questions, yes and yes. I plan on doing all the stuff you suggested tomorrow and edit this post with results.
     
  4. tacohunter

    tacohunter Registered Member

    Joined:
    Jun 23, 2013
    Posts:
    1
    Location:
    USA
    Dantz

    I wanted to thank you for the information! I had a Western Digital 1TB external drive that I was unable to access. I used True Crypt to format and encrypt the entire drive. Following your advice in this forum post I've been able to access the data!

    I'm not sure what went wrong with the drive in the first place. I used the drive to transfer large files between three computers. Does opening an external that is encrypted on multiple computers cause damage?

    Thanks again so much for your help - I hope others find this forum if they have issues as well.
     
  5. Superzero

    Superzero Registered Member

    Joined:
    Aug 27, 2013
    Posts:
    3
    Hi everyone!

    First of all, thank you dantz for all of your outstandingly helpful posts. I too have a volume which I can mount with truecrypt but windows says I can't access it. It happened quite recently too, I had only mounted it a few times and one day it just didn't work anymore. The volume was formatted and setup with truecrypt once taken out of the box.

    I could easily follow your instructions but ultimately hit a snag with part 3:

    I checked the mounted volume with winhex and the volume doesn't appear to be decrypting because all I see is random bytes. Nobody seems to have had this problem so you obviously didn't post the steps one would have to take to recover a volume with this particular problem. Any advice on how to proceed?

    Thanks in advance.
     
  6. krushed

    krushed Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    1
    Location:
    United States
    That's interesting. I registered just so I could post to say that I had a very similar problem with a Western Digital 2 TB Elements drive. The entire drive was encrypted and twice now, the partition disappeared. I was able to recover by following Dantz's directions with Computer Management>Disk Management and restoring the header. I wonder if it's coincidence or there's a pattern here. Also, thanks Dantz for saving my data!
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    First let's try to clarify a couple of things:

    Did you originally encrypt a partition, or an entire (unpartitioned) disk?

    If it was a partition, is the partition still visible in TrueCrypt's "Select Device" screen? Or did you lose it?

    I ask because I've seen cases where users lost their partition table, then restored their headers to the beginning of the disk instead of the beginning of the partition. This would allow them to (seemingly) mount their volumes (that is, the password would be accepted and the volume would be assigned a drive letter), but nothing would actually decrypt because the header was in the wrong place.

    The same outcome would occur if you restored the wrong header (for example, a header from a different volume) to the right location.
     
  8. Superzero

    Superzero Registered Member

    Joined:
    Aug 27, 2013
    Posts:
    3

    What I did was "encrypt a non-system partition/drive" and "Create encrypted volume and format it" back when I encrypted the drive out of the box. A normal "shipping" partition was setup by WD.

    When I go to the disk select it only shows the HDD, no partition. It's possible that I tried restoring the header when the volume didn't "work" anymore, the "problem" has been sitting around on my shelf for some time now because I didn't have the time to hunt down a fix.

    What I tried as well just now was to copy part of the volume from 1048576 and try to mount it and that actually does mount and decrypt because I start seeing file names (i.e. NTFS headers etc.) in WinHEX. It seems something has been shifted around or something. Still, the MFT seems to be corrupted.

    I assume a partial but correct image would still work and give me errors once I try accessing files which aren't present, am I right?
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Yes, it should still work. You might be able to recover quite a bit, maybe even everything, as it sounds as if you merely lost your partition table. You have two options:

    1) Use Windows to restore the default partition to the disk (which typically begins at 1048576 for Windows 7), being very careful NOT to format it, or

    2) Use WinHex (or similar) to copy all of the data that used to reside in the lost partition, from 1048576 to the end of the disk, to another media, saving it as a file. Then use TrueCrypt to mount the file and copy off your data. This is the safer (if much more tedious) approach. I contributed to a recent thread here that used that approach, so you can look it up and see the various menu commands, etc., there. You'll have to use your own offset numbers, of course.

    Although Option 1 alone has worked for many users, it is definitely riskier. If you choose to go that route but you'd rather not risk losing or further screwing up your data then I'd recommend making a full sector-by-sector copy of the entire disk before proceeding any further.

    Also, be aware that Option 1 is not guaranteed to work. I don't know what OS you're using, what type of disk you have or any non-standard settings you might be using. And even if I did, I'd still be a bit nervous about it. But yes, it usually works. Be aware that you will most likely need to restore your TC header to the partition right after you create it, so be sure to make a file-based backup copy of the header before you begin, and use that file to restore the header to the newly-created partition. (It's unfortunate, but Windows will probably destroy your existing TrueCrypt header when you use it to recreate the partition, even though the header is there now and it appears to be perfectly fine. Windows hates TrueCrypt, what else can I say?)

    I prefer Option 2, as this doesn't normally affect the original disk at all, so you can go back and try again if something goes wrong.
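Option 2 above as a script, added here as an example and not part of the original post: it copies everything from byte offset 1048576 to the end of the source into a new image, only ever reads the source, and zero-fills any sector that cannot be read while recording its number. The names `carve` and `FlakyDisk`, the chunk size and the constructed demo disk are assumptions made for the illustration.

```python
"""Added example: copy a lost partition's bytes to an image, source is only read."""
import hashlib
import io
import random

SECTOR = 512
PARTITION_OFFSET = 1_048_576          # partition start used in the thread


def _read_by_sector(src, pos, length, bad):
    """Fallback after a failed bulk read: go sector by sector, zero-fill failures."""
    out, end = bytearray(), pos + length
    for p in range(pos, end, SECTOR):
        want = min(SECTOR, end - p)
        try:
            src.seek(p)
            buf = src.read(want)
        except OSError:
            buf = bytes(want)             # placeholder for the unreadable sector
            bad.append(p // SECTOR)
        if not buf:                       # end of source
            break
        out += buf
        if len(buf) < want:               # short read: let the caller resume from here
            break
    return bytes(out)


def carve(src, dst, size, offset=PARTITION_OFFSET, chunk=1 << 20):
    """Copy src[offset:size] to dst; return byte count, SHA-256 and bad sectors."""
    if offset % SECTOR or chunk % SECTOR:
        raise ValueError("offset and chunk must be multiples of the sector size")
    if not 0 <= offset < size:
        raise ValueError("offset lies outside the source")
    digest, bad, pos = hashlib.sha256(), [], offset
    while pos < size:
        want = min(chunk, size - pos)
        try:
            src.seek(pos)                 # seek every time: position is unknown after an error
            buf = src.read(want)
        except OSError:
            buf = _read_by_sector(src, pos, want, bad)
        if not buf:
            break
        dst.write(buf)
        digest.update(buf)
        pos += len(buf)
    return {"bytes": pos - offset, "sha256": digest.hexdigest(), "bad_sectors": bad}


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a disk: reads touching a 'bad' sector raise OSError."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.size = len(data)
        self.bad = set(bad_sectors)

    def read(self, n=-1):
        start = self.tell()
        end = self.size if n is None or n < 0 else min(self.size, start + n)
        if any(s in self.bad for s in range(start // SECTOR, -(-end // SECTOR))):
            raise OSError(5, "Input/output error (simulated)")
        return super().read(n)


def demo():
    """Constructed sample: 1 MiB of unpartitioned space, then a 96-sector 'partition'."""
    rng = random.Random(57)
    partition = bytes(rng.getrandbits(8) for _ in range(96 * SECTOR))
    disk = bytes(PARTITION_OFFSET) + partition
    bad_sector = PARTITION_OFFSET // SECTOR + 10        # absolute sector 2058
    src, dst = FlakyDisk(disk, [bad_sector]), io.BytesIO()
    report = carve(src, dst, size=len(disk), chunk=16 * SECTOR)
    expected = partition[:10 * SECTOR] + bytes(SECTOR) + partition[11 * SECTOR:]
    return report, dst.getvalue(), expected


if __name__ == "__main__":
    report, image, expected = demo()
    print(report, image == expected)
```

For a real recovery, pass a full-disk image (or the device) opened with mode `"rb"` and a destination opened with `"xb"`, so the source is never written and an existing file is never overwritten.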
     
  10. Superzero

    Superzero Registered Member

    Joined:
    Aug 27, 2013
    Posts:
    3
    Thanks dantz, we're good! :thumb:

    What I did first is take a snapshot of the whole data just to be safe. Good thing I had a spare HDD around that was large enough. Mounting that snapshot with truecrypt was no problem and I could backup all the files successfully.

    For fun I also tried the first suggestion on the damaged volume and it worked as well! After initializing and creating a new simple volume I was able to mount the volume again with no problems.

    The question that remains though, is how do I prevent this from happening in the future? If windows simply decides to take "matters in its own hands" and simply alters partition tables, whole volume encryption doesn't sound like a good idea at all. I guess it would be better to make a truecrypt volume file on a normal NTFS partition so windows doesn't see anything RAW.

    p.s. What's positive, I learned a lot about NTFS and file systems in general.
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sounds good! Count yourself among the lucky ones.
    Yes, TrueCrypt can be quite dangerous to your data. This is merely one of many possible pitfalls. Here, I'll quote myself from another thread:
    However, to answer your specific question:
    https://www.wilderssecurity.com/showpost.php?p=2246326&postcount=5
    But be careful! I haven't actually edited my own partition table in this manner, but I've heard some good reports from others who have tried it. Be aware that this solution probably won't apply to every situation.
     
  12. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6
    Truecrypt Missing Data

    Hi Dantz,

    I've spent quite some time reading your very detailed posts. Yet, I still seem to be lost. I'll give you the facts (or as much as I can) with the hope that you might assist:
    1) I encrypted an 8gb USB (device not partition)
    2) Not sure why, a couple of days ago as I was trying to mount it, I got a message that the volume header was corrupt and was asking if I wanted to restore.
    3) I responded positively and was asked whether I wanted to restore it from an external source or from the device itself.
    4) I chose the latter.
    5) When the restoration finished, I was successful in mounting the device and seeing the logical drive, but when I tried to access it I received a message that it had to be formatted.
    6) I have tried to mount it on another pc and was able to do it, but still face the same problem.
    7) I've followed the steps with WinHex, and created the Test file on my desktop.
    8) doesn't seem to accept password.
    9) I noted that TrueCrypt allows me to mount the device as Device\HardDisk1\Partition1 (default) but also as Partition0 (I have to manually change the 1 to 0), but not as any other partition (not sure whether this is of any use). Both Partitions can be mounted with the same password.
    10) In WinHex I did notice though that both without mounting the device and with mounting, there is a header then a gap and then encrypted data.
    11) Since this did not work I tried getdataback (both fat and ntfs) without any luck.

    Not sure where to go from here. Any guidance would be greatly appreciated.

    Best

    J
     
    Last edited: Oct 23, 2013
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Re: Truecrypt Missing Data

    At this point you should be able to use data-recovery software to explore the mounted volume.
    That procedure is mainly for locating lost headers and/or partitions. Not that useful in this situation. But it still should have worked, if you copied the right data that is. Where did you begin the copy at?
    If you used full-disk encryption then the unmounted device would not normally contain any gaps, as it would be fully encrypted from start to finish. Plus, you are mounting it as Partition1. It sounds like you have an encrypted partition, not a fully-encrypted disk.
     
  14. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6
    Hi,

    I used data recovery software (a number of them) but to no avail.

    Given that nothing could be recovered and that my only option was to format the mounted logical drive, I assumed that it's a lost header partition issue.

    I followed your instructions in previous post and defined the block Beginning = 1048576 [Beginning of block]; end number 1248576.

    As far as to the question whether it is an encrypted disk or partition, I am sure that it is the whole disk (USB device). If the device is not mounted then you cannot see a logical drive. If you try to double click on the physical drive you are asked whether you want to format it. There is no other partition on the disk.

    Not sure whether this additional info is helpful in better understanding my situation.

    thanks once again for your time.
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, I read your first post again. It's obviously a USB flash drive, right? Sorry that I missed that the first time. Flash drives are set up differently. Many of the procedures that I've written for disk drives won't work the same way, if at all.

    Try the following procedure. We're going to use WinHex to look for any signs of decrypted data in your mounted TrueCrypt volume. (I'll spell out some of the steps in parentheses to ensure that you're not doing it differently):

    Use TrueCrypt to mount the device to a free drive letter:
    (open TC, select a free drive letter, choose Select Device, choose Removable Disk 1, which should resolve to Device\HardDisk1\Partition1 when you click OK, then click Mount, supply the PW, click OK)

    Open WinHex
    Tools: Open Disk
    Open the logical volume that you just mounted the TC volume to:
    (under Logical Volumes/Partitions, select the mounted volume by choosing the same free drive letter that you selected above, then click OK)

    Look at the WinHex display.
    1) Are there any folder or file names listed in the top portion of the screen (above the hex/text display area)?

    2) Do you see any blocks of zeros (such as 00 00 00 00 00 etc.) in the Hex column?

    3) Do you see any recognizable words or patterns in the Text column? (Such as "MSDOS5", "FAT32", etc.)

    4) Try scrolling the display down a little bit and try questions #2 and #3 again

    If the answers to questions 1, 2, 3 and 4 are all "No" then try the following to search the disk for a very common plaintext pattern:

    In WinHex, click on "Search"
    Select "Find Hex Values"
    type ten zeros ("0000000000") into the search box (don't type the quotes or the parentheses, just ten zeros in a row, with nothing else)
    set "Search: Down" to set the search direction
    Click OK

    You're looking for 00 00 00 00 00 (hex). This is a very common pattern found in almost all volumes. If Search stops on a "hit" then scroll it up into view so you can see what's around it. Large blocks of zeros are very common in formatted partitions, and if you're finding them in your mounted volume then this indicates that your volume is still functioning and TrueCrypt is able to decrypt it.

    We'll get to your missing data later. Are you able to get this far first?
     
  16. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6
    Hi and apologies for the delay but I was travelling.

    I followed the steps you mention and I do in fact see many blocks of 00000. For instance from Sector 1 and up to Sector 2315, everything is 00 00 00 00 00 00 00 00. There are some more sectors with 0s after that.

    Kindly advise on how to proceed.

    Best

    I
     
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Since you are seeing large blocks of zeros within a mounted TrueCrypt volume you are definitely seeing decrypted data, and this means that as far as TrueCrypt is concerned, your mounted volume is working properly. The actual contents of the volume are irrelevant. TrueCrypt's only job is to encrypt/decrypt your volume on-the-fly, block by block. TrueCrypt doesn't even see the file system or the files, nor does it 'care' whether or not there is a working file system. It just does its job.

    In other words, you don't have a TrueCrypt problem, you have a data-recovery problem. For starters, your volume's file system seems to be gone. Also, some of your data may have been overwritten. Apparently either an accidental overwrite or a hardware failure has occurred.

    I have to warn you that we're leaving my area of expertise. I focus more on actual TrueCrypt problems such as how to find or repair a broken volume so you can mount it again, how to get a password working again, that sort of thing. However, you already have a working volume and you have full access to it. (Unfortunately, your volume's contents seem to be messed up). What you need to do now is recover whatever data you can.

    I'm not a data-recovery specialist. I'll give you a few tips, but for better advice you will probably need to look elsewhere.

    At this point I would try two things:
    1. Use Photorec to explore the mounted volume. Photorec performs 'file carving' such that it does not require a file system to find files; instead, it searches the disk for the known signatures of certain file types. Note: Your file types must be on the "supported file types" list or it won't find them, so make sure you inspect the list. Also, fragmented files will most likely be partially recovered. And file names will almost certainly be lost.

    2. WinHex has a similar feature called "File Recovery by type".

    If either approach produces promising results then you might also want to look into other, more powerful file-carving tools. I also suggest you ask some actual data-recovery experts what they recommend. There are various data-recovery forums out there; some are associated with certain types of data-recovery software, so look around a bit. Sorry I can't be more helpful.
     
  18. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6
    Thanks for the fast response.

    Just a clarification:
    I mount the device on to a free logical driver letter, in my case N. I open winhex and there I have a logical drive N and a logical drive E, as well as my OS and DATA partition (in the logical drive section). There is also a Physical Drive E which is the USB device that I mounted in the first step. Now, what I previously did was to open winhex, and apparently, due to my mistake, open the logical drive E (and not logical drive N). The 00000 are in the mounted logical E drive. Reading over the instructions again, I went back and after mounting the device through TC, opened in winhex the logical drive N, which I suppose is what I should have done in the first place. The results are different this time and they are consistent with my original post. That is there are no 00000. I checked myself and also did a search as suggested but no luck.

    Apologies for looking in the wrong logical drive.

    Hope there is something that can be done, given the situation.

    Best

    I
     
  19. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    You've allowed WinHex Search to traverse the entire mounted volume looking for 0000000000 (hex) and have found nothing? No other recognizable text or obvious patterns have been found? The entire mounted volume appears to be completely filled with random data?

    Several scenarios come to mind. Take your pick:
    1) You restored the wrong header
    2) You restored the correct header to wrong location (e.g. lost partition etc.)
    3) Your data was overwritten while the TC volume was unmounted
    4) ?

    I haven't really played around with flash drive partitions very much. They're done differently. I'll have to try a few things and get back to you.
     
  20. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6
    Hi

    The answer to the question you pose is yes. Winhex has searched the whole mounted logical drive without finding anything. No random words either. The entire drive seems to be filled in with random data.

    As I mentioned in my original post:

    "I got a message that the volume header was corrupt and was asking if I wanted to restore.
    3) I responded positively and was asked whether I wanted to restore it from an external source or from the device itself.
    4) I chose the latter.
    5) When the restoration finished, I was successful in mounting the device and seeing the logical drive, but when I tried to access it I received a message that it had to be formatted."

    I'll be waiting to hear from you.

    Thanks again
     
  21. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    An (unmounted) encrypted flash drive normally consists of random data from beginning to end. The functional portion of the TC volume header (the first 512 bytes) is normally stored in Sector 0. The complete volume header, plus the space reserved for the hidden volume header (whether it's used or not) fills the first 131,072 bytes of the drive. So the drive should consist of 131,072 bytes of random-looking TrueCrypt headers, followed by random-looking encrypted data which fills the rest of the drive (with the exception of the random-looking embedded backup headers which are located near the end of the drive).

    However, your (unmounted) flash drive seems to be laid out differently:
    Some process obviously wrote zeros to the beginning of your drive, wiping out both the original TrueCrypt header and the space reserved for the hidden volume header, plus a great deal of additional data.

    Note that Sector 0 currently appears to contain random data. My explanation for this is as follows: When you restored the volume header from the embedded backup header, TrueCrypt wrote a new header "stub" (consisting of 512 bytes) to Sector 0, thus getting your standard volume header working again. However, the remainder of the zeroed out area was unaffected, so it's still there.

    Your drive is obviously missing a lot of data, as is your mounted TC volume, but according to your description, the zeroed-out area that you can see in the unmounted drive eventually stops, and this implies that whatever overwrote your drive was limited in scope. Thus, the area beyond it might contain valid data. In the unmounted drive, note where the zeroed-out area ends, then mount the volume and look in that same approximate area (to be specific, look 256 sectors prior to that spot to account for the space taken up by the volume headers) and see if you can find any non-random data. Ask yourself what type of data you're looking for, as it might not be readily apparent.

    For example, to the naked eye a large zip file or other compressed data can be indistinguishable from random data. There are ways to analyze the data, for example, the Tools: Analyze Block feature can be used on blocks of data (make the blocks at least 20KB or larger for good results) to try to determine whether or not the data is actually random. Random data has a fairly even byte distribution, whereas zip files etc. usually don't. (This is not an 'official' test of randomness, but it often works.)

    Your guess is as good as mine as to what caused all this. Do you have any explanation as to what might have happened to your drive? Zeros don't write themselves, something happened here.
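The checks described in this post and in the earlier WinHex walkthrough, scripted as an added example that is not part of the original posts: find the zeroed area in a raw image of the unmounted drive, translate the sector where it ends into the mounted volume (256 sectors earlier, for the 131,072-byte header area), and score a block's byte distribution. Function names, the chi-square threshold of 400 and all sample data are assumptions constructed for the illustration; the sample layout mirrors the one reported in the thread (sector 0 random, sectors 1 to 2311 zeroed).

```python
"""Added example: triage of a raw image of an unmounted TrueCrypt flash drive."""
import random

SECTOR = 512
HEADER_AREA = 131_072                    # header + hidden-header space, per the post
HEADER_SECTORS = HEADER_AREA // SECTOR   # 256 sectors


def zero_runs(image, min_sectors=1):
    """Return (first, last) sector numbers of every run of all-zero sectors."""
    zero, runs, start = bytes(SECTOR), [], None
    total = len(image) // SECTOR
    for n in range(total + 1):           # one extra step closes a run at the end
        is_zero = n < total and image[n * SECTOR:(n + 1) * SECTOR] == zero
        if is_zero and start is None:
            start = n
        elif not is_zero and start is not None:
            if n - start >= min_sectors:
                runs.append((start, n - 1))
            start = None
    return runs


def mounted_sector(raw_sector):
    """Map a sector of the unmounted device to the same data in the mounted volume.

    Assumes whole-device encryption with the header area starting at sector 0.
    """
    if raw_sector < HEADER_SECTORS:
        raise ValueError("sector lies inside the header area, not in the volume")
    return raw_sector - HEADER_SECTORS


def where_to_look(image, min_sectors=8):
    """For each zeroed area, report where data resumes, raw and mounted."""
    found = []
    for first, last in zero_runs(image, min_sectors):
        resume = last + 1
        found.append({
            "zero_run": (first, last),
            "raw_resume": resume,
            "mounted_resume": mounted_sector(resume) if resume >= HEADER_SECTORS else None,
        })
    return found


def chi_square(block):
    """Chi-square statistic of the block's byte counts against a uniform spread."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    expected = len(block) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_random(block, threshold=400.0):
    """True when the byte distribution is close to uniform.

    Uniform data scores about 255 (255 degrees of freedom); 400 is a heuristic
    cut-off chosen for this example, not an official randomness test.
    """
    if len(block) < 20 * 1024:
        raise ValueError("use blocks of at least 20 KB")
    return chi_square(block) < threshold


def sample_image():
    """Constructed raw image: sector 0 random, sectors 1-2311 zero, then random."""
    rng = random.Random(2013)
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return rnd(SECTOR) + bytes(2311 * SECTOR) + rnd(88 * SECTOR)


def sample_blocks():
    """Constructed 32 KiB blocks standing in for reads from the mounted volume."""
    rng = random.Random(7)
    random_block = bytes(rng.getrandbits(8) for _ in range(32768))
    text_block = (b"Meeting notes, revision 3. Budget figures attached.\r\n" * 700)[:32768]
    return random_block, text_block


if __name__ == "__main__":
    print(where_to_look(sample_image()))
    for name, block in zip(("random", "text"), sample_blocks()):
        print(name, round(chi_square(block)), looks_random(block))
```

A block from the mounted volume that scores as non-random is a sign that decryption is working at that spot; a random-looking score is inconclusive, since compressed files can look the same.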
     
  22. angrysquirrel

    angrysquirrel Registered Member

    Joined:
    Nov 14, 2013
    Posts:
    1
    Wondering if anyone might be able to help me with my problem. I just lost about 2tb worth of data. The drive is a Samsung 2tb. I did the “encrypt a non-system partition / drive”. Presently running windows 7 64 bit with Truecrypt 7.1a. Was running dual boot xp/windows 7 before I did my motherboard upgrade. After the upgrade I couldn’t read anything on the 2tb drive in XP. Then reloaded windows 7 and truecrypt can’t find the volume.

    Restore volume header gives me the following error message: Incorrect password or not a truecrypt volume. (I didn’t backup the volume header before I ran into this problem).

    I tried backing up the volume header and when I enter the password I get the same “incorrect password or not a truecrypt volume” error.
    Under explorer (computer icon thing) drive is showing up as NTFS with 1.81 TB free space in my computer. It’s not blank like before and if you clicked on it, I’d normally get a message like “do you want to format the hard drive?” In other words it’s showing up like a regular drive with no data on it.

    Disk Management shows the drive as Healthy (Active, Primary Partition).
    Drive: F – (100% free space)
    Disk 3 - online
    Layout simple
    Type: Basic
    File system: NTFS

    I did diskpart when I first noted the problem (it kept asking me for the password) when first tried to use it under windows XP. (I had a dual boot xp and windows system before I upgraded my system). Tried switching the drive between active and not active. Didn’t make a difference as far as mounting the thing under XP. Then tried the drive under Windows 7 and saw it was still blank.

    I did the steps mentioned earlier in this thread. I’m not sure if I needed to click on a certain section in winhex before I created a new header file. But it did export something. Bad news is that it still gives me the same error. “incorrect password or not a truecrypt volume.”

    Is there anything I can do at this point? Do you know what the problem might be? Is there any way to recover the data? Is there a good chance? Someone who is a computer guy said that I need to recover my partition table. Not sure if that’s possible since the drive was encrypted. What are the chances that a computer expert could actually recover this?
    Any help would be greatly appreciated.
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sounds like you started out with an encrypted partition, and then Windows "fixed" it (as it will do sometimes, especially during installations or upgrades). This would almost certainly overwrite the volume header. Have you tried using the mount option "use backup header embedded in volume if available"? If that doesn't work then you may still have a slight chance, but it'll be tricky. If the size of the partition was altered during the accident then TC would not be able to find its embedded backup header, even though it might still be intact. Finding it manually is sometimes doable.
     
  24. jackster

    jackster Registered Member

    Joined:
    Oct 22, 2013
    Posts:
    6

    Hi Dantz,

    Although the usb stick size was 8gb and it was fully encrypted, the size of the files on it was around 5.5gb
    Two of the files were pst files. One of which was 3.2gb and the other 1.65gb.
    The rest of the files (around 0.7GB):
    The rest of the files were Word documents (around 300-400mb), pdfs (100-200mb) and other types of files, jpeg etc.


    Now following your advice,

    Used space 7.5gb
    Free space 0B


    Winhex unmounted usb
    Sector 0: random data
    Sector1 – sector 2311 (of 15734784): empty
    Sector 2312- Sector 15734783: random data
    Sector 15734784 cannot access but seems to be empty


    Winhex mounted device (\Device\HardDisk1\Partition1) to drive N:
    Logical Volume E:
    Sector 0: random data
    Sector 1- Sector 2311 : empty
    • When I search to find hex values 0000000000 the cursor flashes at different parts in the empty area. Although there don't seem to be any zeros there, the cursor flashes. When I search again it moves further down and flashes again.
    Sector 2312- Sector 15734783: random data
    Sector 15734784 cannot access but seems to be empty



    I tried several times to do what i did before, but I cannot do it now.

    I mount the device on to a free logical driver letter, in my case N. I open winhex and there I have a logical drive N and a logical drive E, as well as my OS and DATA partition (in the logical drive section). There is also a Physical Drive E which is the USB device that I mounted in the first step. Now, what I previously did was to open winhex, and apparently, due to my mistake, open the logical drive E (and not logical drive N). The 00000 are in the mounted logical E drive. Reading over the instructions again, I went back and after mounting the device through TC, opened in winhex the logical drive N, which I suppose is what I should have done in the first place. The results are different this time and they are consistent with my original post. That is there are no 00000. I checked myself and also did a search as suggested but no luck.
     
  25. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I'm trying to understand your results, but it's more than a little confusing. I'll try again.
    In WinHex, check the View menu. Maybe you have "Text Display Only" turned on. If so, please turn it off. Is that "empty area" now full of zeros? (00 00 00 00 etc.)?
     