Truecrypt header corrupted. Will mount, but not show data.

Discussion in 'encryption problems' started by sixr, Jun 17, 2019.

  1. sixr

    sixr Registered Member

    Joined:
    Jun 17, 2019
    Posts:
    3
    Location:
    nz
    Hi all, spend some time going through the various threads both in this forum and around the web trying to solve this problem but without much luck to date.

    A bit of background information. I have 2 x 8TB drives currently under a software (windows) raid setup running windows 10. These were functioning fine and still are (no hardware issues), and it is these drives that were fully encrypted and holding all my data. Everything was fine until a schedule windows reboot (likely installing some random update) and when I came back online I mounted the drive and it said there was a problem with my header file. I restored the file using the backup header and that's when the problems started. I could enter my password and TC would accept, but any ability for me to try and access the files via windows explorer would result in a prompt asking me to format the drive.

    I have seen in various threads those users trying to use the likes of WinHex to view the drive and there is a lot of talk about finding the correct offsets, but I've yet to figure out how to apply this to my own unique situation. Is there someone that can kindly walk me through this process as I am slightly nervous of making things worse. As you can imagine, 8TB is a huge drive and I was under impression that it was already being backed up (via the RAID). How wrong I was!!

    I attach to this message 2 screenshots

    1. The winhex view

    Link: https://drive.google.com/open?id=1KLhSQSgOYPMpxEv1MenqoKPmbe1hPyqf
    2. The details of what it looks like under TC (with properties)

    Link: https://drive.google.com/file/d/1g0NY6DJg7_ZlepAJKNkDYsyZgiuVR6kY/view

    Very odd is that it is mounting the Partition0 (instead of 1). Also off is that it only shows 3.6TB rather than the original 7.3TB I recall from the past.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I sure hope someone will tune in to help you recover it.

    If nothing else I have read time and time again of serious issues dismantling user's encrypted volumes using the likes of TrueCrypt which works excellent on Windows 8 and before but is causing terrible interruptions thanks to Windows 10 destructive behaviors on third part programs.

    Sorry to see yet another problem because of 10 but hopefully you can get help to remedy that issue, because it's bad if there is no way to fix.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    We have seen this time and again, and the only person who was of any help no longer comes here. From what I've seen encrypting a whole drive seems to cause more harm then help. I wish you luck.
     
  4. sixr

    sixr Registered Member

    Joined:
    Jun 17, 2019
    Posts:
    3
    Location:
    nz
    I assume your talking about Dantz. As I read through some of his older posts I must admit, if he is gone, it was a huge loss for this forum. It takes a special someone to dedicate that much time to helping people.

    In the meatime while I wait for some other expertise, I've ordered myself another 8TB drive and will try to extract (via winhex) the entire contents of the previous drive into a single file and then mount again (hoping the screwed up partition table won't matter in such a case). Not sure if that is going to work - I mean - can you have a single file of 8tb in size?
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,004
    Location:
    Member state of European Union
    I am not TrueCrypt expert. I would try:
    1. Create backup of drive using sector by sector method (or just dd in Linux) to new 8TB drive.
    2. Try this to permanently decrypt drive https://www.youtube.com/watch?v=EGj1SmtPWNI
    3. Extract content of unencrypted drive by other Windows machine or bootable Windows PE or bootable/livecd/liveusb Linux.

    I would also consider doing "Restore key data" and using TestDisk before steps 2 and 3. More here: https://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume#Corrupted_Standard_Volume_header
     
    Last edited by a moderator: Jun 19, 2019
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.