TrueCrypt volume - how to identify the header?

Discussion in 'privacy technology' started by igalginz, May 30, 2011.

Thread Status:
Not open for further replies.
  1. igalginz

    igalginz Registered Member

    May 29, 2011
    Hi all,

    I am trying to recover my TrueCrypt volume after an accidental disk format, with no luck so far. Well, almost no luck.

    Here's what I have:
    - I managed to recover the volume file using testdisk (photorec_win.exe), or at least a huge file (~3.1 GB) that looks like a TrueCrypt volume.
    - The original file name had NO extension (the name was "TrueCrypt"), but after recovery it is called "f433484516.swc" and the first bytes in it are "CWS..." (testdisk renames all the recovered files, but keeps the extensions)
    - Apparently, the file is corrupted - when I try to mount it, TrueCrypt denies the password twice (incorrect password or not a TrueCrypt volume) and accepts it the third time with a notice "WARNING! The header of this volume is damaged! TrueCrypt automatically used the backup of the volume header embedded in the volume."
    - At this point the drive is mounted, but Windows says "The disk in drive X is not formatted"
    - TC shows the correct properties of the volume (The backup header is fine)
    - There is a hidden volume that can be mounted with its backup header as well.

    What I am hoping for is this:
    The TC volume is somewhere in this file, but its header is shifted.
    I wrote a Python script that reads the beginning of the file (a few KB) and saves it as a temporary file. Then it tries to mount this temporary file. If it fails, it shifts the data by one byte and tries again.

    This should work if the header is there. The problem is that it is awfully slow and it will take about 20 years to finish.

    Is there any other way to detect the beginning of the header in the file?
    If not, any suggestions to speed up the process?
    Any other suggestions?
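
An added example, not part of the original post: a TrueCrypt header has no plaintext signature, so a candidate offset can only be confirmed by decrypting it with the known password, which can be done in-process instead of through a mount attempt. The sketch follows TrueCrypt's published volume format (64-byte salt, then 448 bytes in XTS mode whose plaintext starts with "TRUE" and carries a CRC-32 of bytes 256-511). It assumes an AES-only volume, a password without keyfiles, headers on 512-byte boundaries, and the third-party `cryptography` package; all function names are hypothetical.

```python
import hashlib
import os
import struct
import zlib

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# (hash, PBKDF2 iterations) used by TrueCrypt for non-system volumes.
# Whirlpool is omitted because hashlib does not provide it.
KDFS = [("ripemd160", 2000), ("sha512", 1000)]
TWEAK0 = bytes(16)  # the header is XTS data unit number 0

def _xts(key, data, encrypt=False):
    cipher = Cipher(algorithms.AES(key), modes.XTS(TWEAK0))
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(data) + ctx.finalize()

def is_header(sector, password):
    """Return the hash name if this 512-byte block decrypts to a valid header."""
    salt, body = sector[:64], sector[64:512]
    for name, rounds in KDFS:
        try:
            key = hashlib.pbkdf2_hmac(name, password, salt, rounds, 64)
        except ValueError:  # digest not available in this OpenSSL build
            continue
        plain = _xts(key, body)
        # plain[0:4] is header offset 64; plain[8:12] is the CRC-32 of the key area
        crc = struct.unpack(">I", plain[8:12])[0]
        if plain[:4] == b"TRUE" and crc == zlib.crc32(plain[192:]):
            return name
    return None

def scan(path, password, step=512):
    """Yield (offset, hash) for each aligned offset that holds a valid header."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        for offset in range(0, size - 511, step):
            f.seek(offset)
            found = is_header(f.read(512), password)
            if found:
                yield offset, found

def make_test_header(password, hash_name="sha512", rounds=1000):
    """Constructed header with random keys, for trying the scanner offline."""
    salt, keys = os.urandom(64), os.urandom(256)
    plain = b"TRUE" + bytes(4) + struct.pack(">I", zlib.crc32(keys)) + bytes(180) + keys
    key = hashlib.pbkdf2_hmac(hash_name, password, salt, rounds, 64)
    return salt + _xts(key, plain, encrypt=True)
```

Passing `step=1` reproduces the byte-by-byte search described in the post; the password is given as bytes.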