Formatted external with truecrypt volume

Discussion in 'encryption problems' started by donouann, Aug 12, 2013.

Thread Status:
Not open for further replies.
  1. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I've been running some tests in my spare time. I've also been studying the cluster maps of large TrueCrypt files (like yours) that nearly fill their NTFS partitions. These files are always fragmented, sometimes in unexpected ways. I've had files that begin in the middle of the partition and end near the beginning. It's unpredictable, at least by me. Maybe an NTFS / file recovery expert would have a better grasp of what's going on. Anyway, my conclusion is that it's not going to be easy to recover your entire lost container file.

    We've already found the first fragment, and we can recover that one with no sweat. The other fragments are almost certainly still there, and during my testing I can sometimes spot them, but it's tedious work. The problem is that each piece looks the same (just a big blob of random data), so there's no way of knowing which one goes where (aside from the first fragment, which can be tested for the presence of the TC header, and the last fragment, which can be tested for the presence of the embedded backup header). It can also be quite difficult to find the endpoints, as there needs to be a clear transition point (which is not always the case). And finally, the whole thing has to be reassembled exactly right or it won't be decryptable past the first assembly error.

    Thus, it's going to be quite a big job to find all of the pieces and put them back together again. I think that reassembling Humpty-dumpty might actually be easier. If this were my data then I'd settle in for a nice long recovery attempt. It might take months.

    Anyway, the first fragment is basically ours, and hopefully it will be large enough to contain a meaningful amount of your lost data, although you'll probably have to use data-recovery tools to pull your actual files off the recovered fragment. I'll post some instructions on that soon. I just wanted you to know that I haven't forgotten about you. (I enjoy a technical challenge, otherwise I wouldn't have even gotten this far.)
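Added example (not part of the original post): one way to look for the transition points dantz describes is to measure Shannon entropy per cluster and group the random-looking clusters into runs. The 4,096-byte cluster size is the typical value mentioned in the thread; the 7.9 bits/byte threshold, the function names and the sample image are assumptions constructed for this sketch.

```python
import hashlib
import math
from collections import Counter

CLUSTER = 4096  # bytes per cluster (typical NTFS value quoted in the thread)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_runs(image: bytes, cluster=CLUSTER, threshold=7.9):
    """Return [(first_cluster, cluster_count), ...] for random-looking runs."""
    runs, start = [], None
    total = len(image) // cluster
    for i in range(total):
        hi = entropy(image[i * cluster:(i + 1) * cluster]) >= threshold
        if hi and start is None:
            start = i                       # a run begins at a clear transition
        elif not hi and start is not None:
            runs.append((start, i - start))  # a run ends at a clear transition
            start = None
    if start is not None:
        runs.append((start, total - start))
    return runs

def pseudo_random(n_clusters: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted data: a SHA-256 counter stream."""
    out, ctr = bytearray(), 0
    while len(out) < n_clusters * CLUSTER:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n_clusters * CLUSTER])

def sample_image() -> bytes:
    # Constructed layout: 2 zeroed clusters, 5 "encrypted", 3 of text, 4 "encrypted"
    text = (b"plain text file contents " * 200)[:CLUSTER]
    return (bytes(2 * CLUSTER) + pseudo_random(5, b"a")
            + text * 3 + pseudo_random(4, b"b"))

if __name__ == "__main__":
    for first, count in high_entropy_runs(sample_image()):
        print(f"clusters {first}..{first + count - 1} ({count * CLUSTER} bytes)")
```

Two random-looking fragments that sit back to back merge into a single run, which is the "no clear transition point" case from the post; entropy alone cannot order the pieces either.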
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Just a quick request: Please run WinHex, open the partition and then click once on the information pane in order to view the lower half of the information display. (The Info pane is normally found in the bottom right corner of the screen. It has a grey background.) I just need to confirm the "Bytes per cluster" and the "Bytes per sector" so my math will work. Typically they're 4,096 and 512, but I thought I'd better check.
     
  3. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Hello dantz. Thank you for getting back to me. I'm in this for the long haul so bring it on..lol...Anyway, here is the screenshot with the info you requested. Yes it is 4096 and 512...:)
     


  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, it's time to carry on. I hope this works.

    We're going after the first file fragment, and since it appears to start after the MFT, the simplest and most "hopeful" approach is to begin at that point and then continue on to the very end of the disk (although it probably won't all be usable). So it's going to be a very big chunk. In fact, the target drive needs to contain a formatted partition with at least 1TB of free space. And if the recovery of this big fragment from your lost TrueCrypt container file works as hoped then you're also going to need enough additional free space to hold your recovered data files, as you will most likely want to copy them out of the partially damaged volume. If your target drive is "only" 1TB in size then you can always copy your recovered data files onto another disk (if we get that far). We'll see.

    First we'll perform a mini-version of the procedure to make sure that the general concept is working. Here are the WinHex instructions:

    (There's no need to open a disk or a partition in WinHex. If one is open, close it by right-clicking on its tab and selecting "Close".)

    PART I:
    1. Tools: Disk Tools: Clone Disk

    2. set Source = Drive J
    (if necessary, click the first of the two buttons and select the desired partition if it's not already listed)

    3. set Destination = [target partition drive letter]\CC840000 10MB test.tc
    (Click the second, "filename" button to set up the pathname. Feel free to choose a different pathname if you like. It's just a small test file.)

    4. uncheck the "Copy entire medium" box

    5. set "Start sector (source)" = 6,701,568

    6. set "Number of sectors to copy" = 20,480 (this should result in a 10MB test file)

    7. Click OK

    8. Inspect the summary screen. Make sure "0" bad source sectors were encountered, then close the screen. You should then see the message "20,480 sectors successfully copied", and WinHex will display the target file.

    9. Right-click on the filename tab and select "Close" to close the test file in WinHex.

    10. Now that the 10MB test file has been created, try to select it and mount it in TrueCrypt, as you did with the previous test file. If your password is accepted and the test volume mounts then we've succeeded and we can go on to perform the bigger operation. (I don't think you will be able to view this volume using Explorer, as it's too small to include the file system.)

    11. Dismount the TrueCrypt volume. If all went well up to this point then continue to PART II below, otherwise stop here and let me know what happened.

    Part II:
    Run the WinHex clone disk command just as you did above, but set things up a little differently this time:

    12. Tools: Disk Tools: Clone Disk

    13. set Source = Drive J

    14. set Destination = "[target partition drive letter]\CC840000 to end.tc"
    (or whatever pathname you prefer)

    15. uncheck the "Copy entire medium" box

    16. set "Start sector (source)" = 6,701,568

    17. set "Number of sectors to copy" = 1,946,813,944

    18. Click OK, then sit back and let it run for a long, long time. It will take approximately 100,000 times longer than it took to create the test file in Part I. (Wow!)

    19. When it's done and you've checked the summary screen etc., close WinHex, open TrueCrypt, select the file and then try to mount the volume in the usual fashion. Then see if you can browse its contents (using the drive letter that you mounted it to) using Windows Explorer.

    It might just work. And even if Explorer can't browse the volume (because of internal file system damage, which is expected), many of your files might still be recoverable by using various data-recovery programs.

    Note: I didn't test PART II because it would have taken far too long, but PART I worked just fine when I tried it.

    Also, I can't guarantee that the above instructions are 100% correct, so let me know if anything seems a bit off. Good luck!
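Added example (not part of the original post): the sector arithmetic behind the Clone Disk settings, plus a minimal range copy that does the same job on any seekable binary file object such as a disk image. The sector and cluster sizes and the sector counts come from the thread; the function names and the 16-sector sample "partition" are constructed for illustration. Note that the `CC840000` in the suggested filenames is the start sector's byte offset in hex.

```python
import io

BYTES_PER_SECTOR = 512     # confirmed earlier in the thread
BYTES_PER_CLUSTER = 4096   # confirmed earlier in the thread

def plan(start_sector: int, n_sectors: int) -> dict:
    """Translate the dialog's sector values into byte offsets and check alignment."""
    sectors_per_cluster = BYTES_PER_CLUSTER // BYTES_PER_SECTOR
    return {
        "offset": start_sector * BYTES_PER_SECTOR,
        "length": n_sectors * BYTES_PER_SECTOR,
        # A file fragment on NTFS starts on a cluster boundary.
        "cluster_aligned": start_sector % sectors_per_cluster == 0,
    }

def carve(src, dst, start_sector: int, n_sectors: int, chunk: int = 1 << 20) -> int:
    """Copy n_sectors from src, starting at start_sector, into dst.

    Returns the number of bytes written. A result smaller than the planned
    length means the source ended before the requested range did.
    """
    p = plan(start_sector, n_sectors)
    src.seek(p["offset"])
    remaining, written = p["length"], 0
    while remaining:
        buf = src.read(min(chunk, remaining))
        if not buf:          # end of source reached early
            break
        dst.write(buf)
        written += len(buf)
        remaining -= len(buf)
    return written

def sample_partition() -> bytes:
    # Constructed input: 16 sectors, each filled with its own sector number.
    return b"".join(bytes([i]) * BYTES_PER_SECTOR for i in range(16))

if __name__ == "__main__":
    test = plan(6_701_568, 20_480)            # PART I values
    full = plan(6_701_568, 1_946_813_944)     # PART II values
    print(hex(test["offset"]), test["length"], test["cluster_aligned"])
    print(full["length"], "bytes in the full copy")
    out = io.BytesIO()
    print(carve(io.BytesIO(sample_partition()), out, 8, 4), "bytes carved")
```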
     
  5. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Doing it now dantz. Fingers crossed....o_O
     
  6. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Hi dantz. I'm not sure how to do this second instruction..:
    1. What is the target partition drive letter? Is it the drive where the test file is mounted once I tried mounting it on TC? (It is in drive "U" when I mount it on TC.)
    2. Should I type \CC840000 10MB test.tc after the drive?
    3. Which is the second "filename" button?
    4. Where will I write the path name?

    Sorry if I am not getting your instruction clearly. I am attaching a screenshot so you can see if I am getting it right...
     


  7. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    By the way dantz, I got through it successfully with PART 1. Here is the result.. now I'm going to start with PART 2...
     


  8. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    I'm sitting back dantz. Approximately 20 hours for the sector transfer so I think sitting back won't be enough for now. I will just have to sleep this one out. By the way, I set the extra 1TB external as the destination drive. I hope that's alright...hmmmmmm....anxiously waiting for the result 20 hours from now. Thanks a million times to you dantz for the effort you are giving to help me with this problem....:doubt:
     
    Last edited: Aug 20, 2013
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    In your recent screenshot I see that the Destination was selected improperly, but I'm glad you figured it out. (The Destination entry should be the full pathname, not just a drive letter, and you should see the words "Raw Image File" right after the word "Destination".)

    I'm sorry that my instructions weren't more clear at that point. It's true that the Clone Disk dialog box is somewhat unusual, as is our usage of it, as we are defining the source as a partition and the target as a file. That's one of the reasons why I decided to begin with a test operation rather than plunging right into the full-length procedure.

    To restate the instructions differently:
    Hopefully that's a bit clearer.

    I assume you were able to mount the test file successfully? Good luck with the full-sized operation! I'm looking forward to hearing the outcome.
     
  10. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Thanks dantz...9 hours left...o_O
     
  11. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    SUCCESS!!!!! dantz I got 100% of my files back!!! Here is the screenshot showing the external WDJPU1TB2 which was the destination of the clone mounted on drive H. Local Disk (P): is the recovered TC Container with all my files in it, 696GB in size. Dantz I can't thank you enough for helping me recover successfully all my files. I hope a lot of people who are reading this thread we have are able to get ideas whenever they are faced with this similar problem. You are such an expert on this and a genius at what you do. Thank you. Though I do not know you personally, what you have done for me is just amazing and selfless. I do hope that I will be able to get to know you more my friend through social media. Cheers and kudos to you my friend!!!
     
  12. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    SUCCESS !!!!!!!!!! :D :argh: :thumb: :D
     


  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    If the files are truly private, don't forget to re-encrypt them and overwrite the unencrypted copies.
     
  14. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Yes J_L...Since my files have been encrypted to another external, then I will have to write over the old external and encrypt it again. I am so relieved by the result. I have old files that I wish to transfer from my old WD My Book. But the transfer rate is so slow. Even opening the folders is such a drag. It's only acting weird now...o_O
     
  15. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Hello Dantz. Our file recovery was 100% success. Now is it safe for me to overwrite my old external? The recovered files are in my new external...:)
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Dantz is a magician isn't he/she :argh: :thumb:

    What is your occupation Dantz if I may ask?
     
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Since we only recovered a portion of your TrueCrypt volume, some of your files might not actually be there, or they might be incomplete, even though you are seeing all of the expected filenames and folders.

    Thus, I suggest checking every one of your recovered files before you delete or overwrite any of the source material that they were recovered from.

    But wow, you have incredible luck! I wasn't expecting this good of an outcome. Congratulations!
     
  18. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    At the moment I'm kind of a part-time computer nerd, full-time outdoorsman. I've written software in the past, but not much lately.
     
  19. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Hello Dantz. Yes I think I just got lucky because I just finished my files and I got every single one of them from A to Z in perfect condition. No errors at all and I can view each one of them perfectly. But aside from luck, most of the credit goes to you because you are very selfless and really went out to assist me even if you have to type every single instruction to me. I don't know how I can repay you for the help you gave me but for starters, a simple thanks and gratitude from the bottom of my heart.

    So I have decided to overwrite my old external (WDJPU1TB1) with my much older files from my other externals. I have this 1TB WD My Book and 2 other 1.5TB WD Elements. I have noticed that opening the My Book and opening the files have suddenly become such a drag compared to the 2 Elements even though I use the same USB 2 cable for all. So I have decided to transfer my files from My Book to WDJPU1TB1. But it is taking forever to open, much more transferring the files. There is something wrong with the My Book. I had no issue with it 2 weeks ago when I last accessed it.

    Would you have any idea why it's acting like this? Such a drag opening the files viewing the pictures and videos. But when I use the same cable on the other Elements, there is no problem.

    I hope you don't mind me asking you for an opinion on this latest problem when you have just helped me so much with my first problem dantz.

    Again thank you and thanks again in advance...:thumb:
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I don't have any significant insights into why your drive is behaving like that. Guess I'd do some diagnostics such as running a drive fitness test, measuring the file transfer rates, looking at the S.M.A.R.T. data, checking the amount of file fragmentation, running check disk, that sort of thing. It could even be a block of failing sectors that require multiple reads.

    Back on-topic for one last thing: I just wanted to mention that the TrueCrypt volume we recovered is incomplete and thus it shouldn't be relied on. For one, the embedded backup headers definitely won't work, as they aren't even there (we didn't recover that portion). Also, TC is reporting a different volume size to the OS than the actual volume takes up. Stuff like that. So I recommend you copy your recovered data to a different location and then, when you're ready, delete the recovered file fragment.

    And, you're welcome!
     
  21. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Ok dantz. Will Do. Thank you so much again and again. Cheers!!!:D
     