truecrypt volume error

Discussion in 'encryption problems' started by zorkling, Jan 12, 2014.

Thread Status:
Not open for further replies.
  1. zorkling

    zorkling Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    40
    Location:
    U.S.
    I have two TrueCrypt volumes which are no longer operational. They are entire hard drives/partitions as opposed to file containers. The first one is a JetFlash SSD. I was able to follow the advice in:
    https://www.wilderssecurity.com/showthread.php?t=336671
    and the volume now mounts, yet it does not contain a recognized file system according to Windows. I am on Windows 7 64-bit if that makes a difference.
    I made sure to do everything in read only mode, so I hope I haven't done anything irreversible.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    The recovery approach varies based upon the type of volume. Your description isn't quite clear enough.

    Were these partition-hosted volumes, or entire-device based volumes? That is, if you clicked on Select Device and selected the volume manually, which would you choose, a partition listed under a disk, or a disk that has no partitions listed under it?

    And while the volume was mounted, would it be listed in the TC screen as \device\harddisk1\partition0, or was it \device\harddisk1\partition1 (or higher)? (The disk number can vary, but what matters is the partition number. "0" represents a disk with no partitions. "1" or higher is an actual partition.)

    Also, why would two volumes go bad at once? What happened?
     
  3. zorkling

    The first volume reads as device/harddisk1/partition0 when mounted. The entire disk is encrypted as a volume as far as I can tell.

    The second volume is another external HDD which fails to mount, but I haven't tried to fix it yet.
     
    Last edited: Jan 12, 2014
  4. zorkling

    I don't know why they went bad at the same time. I did try to defragment the HDD volume while it was mounted, and I think that was a bad idea.
    The first one, which I've described above, was working fine earlier on the same day, and now it doesn't.
     
  5. dantz

    Yes, it probably says Partition0 now, but did it used to? That was my question. A lot of users "break" their partition tables, which breaks their partition-hosted TrueCrypt volumes. Once the partition table is gone the volume can only be mounted as Partition0 (if at all).

    It's been my experience that many TC users are uncertain whether they've encrypted a large partition that almost fills their entire disk, or an entire unpartitioned disk.

    If you encrypted an entire disk then you had to begin with no partitions on the disk at all. It would have been completely RAW. Was this the case?

    If you plug in a fully-encrypted external disk and try to look at it in Disk Management, you will often be prompted to initialize the disk (and of course, you should say no). Did this ever happen?

    If you have ever been prompted to format the disk after clicking on the drive letter of the unmounted volume (in Windows Explorer, for example) then you probably encrypted a partition.

    If you encrypted your data "in-place" without having to copy it back on after finishing the encryption, then you encrypted a partition.

    Does any of the above ring a bell? If not, there might be other ways to tell. You could also just describe how closely you followed my instructions in the other thread, and what it was you did that made it possible to mount the volume. Did you successfully create a test file? If so, what offset numbers did you use? Sorry to be asking this question so annoyingly, but it really does matter. I need to understand where we're starting from.
     
    Last edited: Jan 12, 2014
  6. zorkling

    To the best of my knowledge, there was no partition and no assigned drive letter.
     
  7. zorkling

    In this instance the volume was formed and then the data was copied from another place.

    The format prompt is familiar to me. In fact I disabled the drive letter and paths (in Windows) so it would stop prompting that.
     
    Last edited: Jan 13, 2014
  8. dantz

    I'm kind of busy, so I can't reply properly right now. Sorry. I'll try to get back to you soon.
     
  9. zorkling

    That's fine, I appreciate your help all the same.
     
  10. zorkling

    I'm wondering if I should use TestDisk and PhotoRec on them.
     
  11. dantz

    I still think that you probably encrypted a partition, not a disk, and then you lost the partition table, but you're saying that you think there never was a partition table and that you encrypted the entire disk. I've had this same conversation so many times that you wouldn't believe it. A lot of users think that they have encrypted their entire disk when (in many cases) they haven't.

    But ok, let's try to figure this thing out, as we need to know what's going on before we can design the recovery. Try this:

    Mount the volume in TC, click on Volume Properties, and write down the Size in bytes. This information is stored in the header and it doesn't ever change, so it represents the size of your original volume, even if you've altered things in the meantime.

    Dismount the TC volume.

    Open WinHex

    "Tools: Open Disk", select the correct Physical media and click "OK"
    (assuming there were no partitions listed on the disk that you're going to open)

    Does the WinHex "Directory Browser" near the top of the screen list any partitions, files, folders, anything like that? (I expect not).

    Look in the "Information pane" and find the "Total Capacity". Write down the number in bytes (or right-click and copy it if you can.)

    Also, what is the "Bytes per Sector"? Is it 512?

    While you have the disk open, have a look at the data. The first 512 bytes might look like a block of random data. Scroll down slowly and examine the following sectors. Do you see any blocks of zeros? Or is it all random-looking? Look in both the hex and the text columns. If you saw any blocks of zeros then please scroll (or PgDn, or whatever) all the way to 1,048,576 (decimal). Is there any sort of a visible transition point there? A block of zeros that suddenly changes into random-looking data? (Just guessing. Please tell me what you see).

    OK, it's math time: Take the "Size in bytes" (from TrueCrypt) and add 262,144 to it to account for the four 64KB headers that surround every TC volume. The resulting number is the total size of your TrueCrypt container.

    If you encrypted your entire disk then the total size of your TC container should be exactly the same as the disk's "Total Capacity" (from WinHex).

    If you encrypted a partition on the disk then the numbers will be different. The disk will be larger. Subtract the smaller number from the larger one. What is the result?

    After you report this then we can try examining the mounted volume to see if there's any data visible. If there is visible, non-random data then yes, certain data-recovery tools would be useful. Start with GetDataBack, then switch to PhotoRec if GetDataBack is unable to recover anything. I wouldn't try running TestDisk, though, or at least, I wouldn't let it write to the disk. Not until we know whether or not the volume is decrypting.
     
  12. zorkling

    WinHex lists 'unpartitioned space' 56.9 GB

    64022960640 bytes


    total capacity: 64,023,255,040 bytes
    bytes per sector: 512

    sector 0 is random characters
    sectors 1 to 62 are clear

    sector 63 and onwards contain characters, but no conspicuous zeros.


    total size in bytes (TC) 64022960640 + 244,144 = 64023222784

    size in WinHex: 64023255040



    TC: 64022960640

    WH: 64023222784

    64023222784 - 64022960640 = 244,144
    These numbers don't match, so I guess it's an encrypted partition and not a drive.
     
  13. dantz

    Let's try that again:

    (WinHex) total capacity in bytes = 64,023,255,040

    (TrueCrypt) volume size in bytes = 64,022,960,640
    add 262,144 = TC container size = 64,023,222,784

    64,023,255,040 - 64,023,222,784 = 32,256

    Conclusion: Your lost partition probably started at 32,256, a very common location for XP-formatted disks. Were these old disks?

    And since you're currently able to "mount" your volume, but you are doing it without selecting the partition where your data resides, you're apparently using a header that was restored to the wrong location, and as a result the misplaced header cannot decrypt your data. The header needs to be in exactly the right place, otherwise TrueCrypt can't make it work.

    Incidentally, so far we're getting the same sort of results as zombielove (in the other thread I am working on), and he can't do math either. :) Are you the same person?

    OK, whatever. Let's create a test file to see if your old header is still intact in its original location. It might be. Try this:

    In WinHex, place your cursor at 32256 (decimal). No, wait, let's just make sure you get it right. Do this instead:

    Open WinHex
    "Tools: Open Disk", select the Physical media, click "OK"

    "Edit: Define Block"

    Under "Beginning" type in 32256

    Under "End" type in 52256

    click "OK"

    Now we save the contents as a 20KB test file:

    "Edit: Copy Block: Into New file"

    In the dialog box, choose a location on a different disk, name the file "HeaderTest1.tc", and click "Save"

    Close the "HeaderTest1.tc" tab in WinHex by right-clicking on the tab, then "Close"

    Close WinHex

    Open TrueCrypt

    Click on "Select file", then find and choose "HeaderTest1.tc"

    Click on a free drive letter (doesn't matter which one, it's just temporary)

    Click "Mount", enter your password, and see if your password is accepted (that is, you don't see the "Incorrect password etc." prompt from TrueCrypt.)

    We don't care about the contents of the test volume, we're just testing to see if the header still works. If this succeeds then the data recovery will come next. So - how did it go? Was your password accepted? (If you normally need keyfiles then use them too).
     
  14. zorkling

    Yes, that mounted correctly it seems.

    Sorry about the botched numbers.
     
    Last edited: Jan 15, 2014
  15. dantz

    You're in good shape. It's fairly easy to proceed from here, but it will require some storage space. It seems likely that the data on your lost, partition-hosted volumes (or at least, the one that we just tested) can be recovered by merely performing a slightly modified version of the steps that you just followed when you created the test file. The main difference is, for "End" you would select the very end of the disk.

    Of course, before you create the full-sized files you will need to rustle up enough free space to store them on.

    There's also an alternative approach, one that involves carefully redefining the partitions without formatting them, but I hesitate to lead you through it because it's risky, especially since you are now using Windows 7 and these disks were apparently formatted and partitioned using XP.
     
  16. zorkling

    I got the external drive in late 2011 but the TC volume was made circa 2012, and I think in Windows 7, but I'm not exactly sure. How much storage space do I need? The data itself doesn't exceed 40 GB.
     
  17. dantz

    You need enough space to fit each complete partition, saved as a file, so about 60GB each.
     
  18. zorkling

    I have 94.5 GB on another external drive, is that enough? Are there negative consequences to having insufficient size? Is external ok? The spare drive is totally unencrypted btw.
     
    Last edited: Jan 15, 2014
  19. zorkling

    I guess I'll go ahead and prepare some larger hard drives for this. That's all for tonight. Thank you.
     
    Last edited: Jan 15, 2014
  20. zorkling

    Approximately 400 GB available.
     
  21. dantz

    OK, let's do this thing! Hope this works:

    Close all open programs and dismount all mounted containers.

    The operation is likely to take a while, so make sure that your computer will not enter standby, sleep or hibernation while WinHex is copying the data. Also, disable any other processes (scheduled virus scans, etc.) that might otherwise interrupt.

    Open WinHex

    Open the physical disk (as before)

    Click once within the hex data to place your cursor within the data. Anywhere.

    Press Ctrl+End to move your cursor to the very end of the disk. Your cursor should now be at the very end of the last row. Leave it there.

    (Next we select the block that represents the entire lost partition):

    Click on "Edit: Define Block"

    Under "Beginning", type "32256" (without the quotes, of course) into the first box

    Under "End", select "Current Position" from the dropdown list in the second box. (This will automatically populate the first box with the offset number that represents the disk's final byte).

    (If you experience any error messages, such as WinHex stating that it is switching to hexadecimal numbering, then stop here and let me know. We can adjust the procedure to deal with that.)

    Click "OK"

    (Next we save the block as a file):

    "Edit: Copy Block: Into New File"

    Choose a short, sensible filename, and of course choose a destination that has enough free space, then click "Save". This will begin the process of copying the block into a new file. (The block is large, so it might take a while).

    Once the file is finished copying, close WinHex.

    Open TrueCrypt, click on "Select File" and select the newly created file.

    Select a free drive letter, click on "Mount" and supply your password to mount the volume.

    Hopefully at this point you will be able to use Windows Explorer to browse through your volume's contents (by clicking on the drive letter that you mounted it to). Give your data a good, hard look just in case anything got corrupted. (Uncommon, but possible if bad hardware or an unstable OS is involved).

    Good luck! Let me know how it goes. I'll wait here.

    (PS: This was typed mostly from memory, so there might be a small error or two. Let me know if anything doesn't work properly)
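
Added example, not part of the original thread and not code from dantz or the TrueCrypt project: the size arithmetic from the earlier posts and the block copy described in the post above, written in Python for use on a disk image. The function names, the 64 KB constructed stand-in disk and the file names are assumptions; the 262,144-byte header allowance and the capacity and volume-size figures are the ones quoted in the thread.

```python
import os
import tempfile

TC_HEADER_BYTES = 262_144   # four 64 KB headers, the figure used in the thread
SECTOR = 512                # bytes per sector reported by WinHex in the thread


def lost_partition_offset(disk_capacity: int, tc_volume_size: int) -> int:
    """Byte offset at which the TrueCrypt container starts, assuming
    (as the thread does) that the container runs to the end of the disk.
    0 means the whole device was encrypted; >0 points at a lost partition."""
    offset = disk_capacity - (tc_volume_size + TC_HEADER_BYTES)
    if offset < 0:
        raise ValueError("container is larger than the disk: wrong disk or size")
    if offset % SECTOR:
        raise ValueError(f"offset {offset} is not sector-aligned; recheck the numbers")
    return offset


def carve(source: str, dest: str, start: int, length=None, chunk=1 << 20) -> int:
    """Copy bytes [start, start+length) of source into a new file dest.
    length=None copies to the end. Source is opened read-only; mode "xb"
    refuses to overwrite an existing destination. Returns bytes written."""
    copied = 0
    with open(source, "rb") as src, open(dest, "xb") as out:
        src.seek(start)
        while length is None or copied < length:
            want = chunk if length is None else min(chunk, length - copied)
            buf = src.read(want)
            if not buf:          # end of source reached
                break
            out.write(buf)
            copied += len(buf)
    return copied


def demo() -> tuple:
    """Run both steps on a constructed 64 KB stand-in for the disk."""
    offset = lost_partition_offset(64_023_255_040, 64_022_960_640)
    payload = os.urandom(65_536 - offset)       # stands in for the container
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk.img")    # constructed sample, not a real disk
        out = os.path.join(tmp, "volume.tc")
        with open(disk, "wb") as f:
            f.write(b"\x00" * offset + payload)
        written = carve(disk, out, offset)
        with open(out, "rb") as f:
            ok = f.read() == payload
    return offset, written, ok


if __name__ == "__main__":
    print(demo())
```

Calling `carve` with a small `length` (about 20 KB, as in the header test earlier in the thread) produces a test file for checking the password before disk space is committed to the full copy.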
     
  22. zorkling

    Damn, the trial version isn't letting me save anything over 200 KB. I guess I need to get the full version?
     
  23. dantz

    Or try it with HxD. I think it can do it. Why don't you download it and play with it for a while? Maybe you'll be able to figure it out.

    If it bothers you to purchase a WinHex license for what is essentially just a one-time usage, just imagine how much more it would cost you if I was charging for my time and expertise. I'd say that so far you've gotten a really good deal.
     
  24. zorkling

    No, I'm not averse to buying the license, but it might take a day or two.
     
  25. zorkling

    I have HxD too if it's possible. I just want to get this done as soon as I can.
     