truecrypt volume error

Discussion in 'encryption problems' started by zorkling, Jan 12, 2014.

Thread Status:
Not open for further replies.
  1. zorkling

    zorkling Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    40
    Location:
    U.S.
    Ok, I'm trying to save that with HxD using those block parameters.
     
  2. zorkling

    It mounts, but Windows says it doesn't contain a recognized file system.
     
  3. zorkling

    I've gone ahead and ordered a WinHex license as it seems to be the preferred software. I guess this process will be deferred. Patience is key.
    Assuming the whole thing isn't fubar.
     
  4. zorkling

    Despite following the procedure with a licensed copy of WinHex, the resulting volume is still unreadable in Windows.
     
    Last edited: Jan 17, 2014
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Mount the volume, then use WinHex to open the mounted volume (by selecting the same drive letter that you mounted the volume to, listed under Logical Drive Letters) and see if there is any decrypted data visible. You should see it right away. Things like "NTFS" or embedded error messages in the text column, or large blocks of zeros "00 00 00 00 00" in the hex columns.
     
  6. zorkling

    No zeroes or recognizable terms when I examine the mounted volume in WinHex. It's still the same gobbledygook. That means it's still encrypted, right?
     
  7. dantz

    Most likely. I wonder why? Are you sure you're examining the mounted volume in WinHex, and not the file itself?

    I think you should try making another small test file that begins at offset 32256, but this time make it slightly larger, maybe 2 MB or so. It shouldn't take long, and this file will be large enough to contain some user data.

    Use Truecrypt to mount the test volume, then open the mounted volume in WinHex (there will be some error messages, but just click through them) and look for decrypted data in the mounted volume. Strings of zeros or obvious patterns in the hex columns, or recognizable words in the text column.
     
  8. zorkling

    In order to make it bigger I adjust the end of block by adding 2 MB (which is 2,097,152 bytes) to the total?
     
    Last edited: Jan 19, 2014
  9. dantz

    Yes, and it doesn't even have to be that exact. We just want the block to be large enough to extend beyond the two 64KB headers that are located at the beginning of the lost volume. The file system and the data should begin right after that.

    Perhaps we should have tried doing this first before copying your entire partition. I considered this, but I decided that since you had already found the actual working header at the expected location, there wouldn't be any problem with just going ahead and copying the whole thing. Sorry to put you through that.

    Yes, please perform this small-scale test and then see if you can find any non-encrypted data within the mounted volume.
     
  10. zorkling

    I first copied a block with the starting point at 32256 and endpoint of 64025352191, but that didn't work because it was larger than the entire disk. This was a misunderstanding on my part.

    I then tried another copied volume with the starting point of 32256 and the end point as 2,097,152, which took longer to copy than any of the previous test volumes for some reason, like 108 minutes. It wasn't readable and wouldn't mount.

    You meant for me to add 2 MB to 52256, which would be 2149408 bytes? I will try that now.
     
    Last edited: Jan 20, 2014
  11. zorkling

    When I made that slightly larger test volume, the usual random characters are followed by a long string of 'unreadable sector' in caps with no spaces. Also I get popup messages in WinHex telling me it cannot read from sectors.
     
  12. dantz

    108 minutes o_O That's nuts! It should take about two seconds. After all, it's only a 2MB file. Something else is going wrong here, but I don't know what it is.
    In the "Define Block" dialog box, just set the beginning at 32256 and the end at 2129407. The result will be a file that is exactly 2MB in size (not that it has to be exact, but just for your benefit, those are some numbers you can use.)

    Don't worry about the WinHex error messages. They're normal for this situation. The "unreadable sector" messages are there because TrueCrypt is claiming that the mounted volume is much larger than it actually is, and WinHex has no way of knowing otherwise. It expects to be able to read data beyond the 2MB mark. The other WinHex notifications are due to the fact this tiny fragment of your volume appears to WinHex to contain an incomplete file system. Of course it does, it's only 2MB and it is far too small to hold a complete, intact file system.
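
The block copy and the check for decrypted data discussed in the posts above, as an added Python example that is not part of the original thread. It assumes you work on an image file copy of the disk, that the lost volume held NTFS, and that the 64-byte zero run and 7.5 bits/byte entropy thresholds (illustrative choices) are acceptable; the function names are hypothetical.

```python
import math
import os
from collections import Counter

START = 32256    # block start used in the thread (63 sectors x 512 bytes)
END = 2129407    # inclusive block end from the thread: exactly 2 MB

def carve(src_path, dst_path, start=START, end=END, chunk=1 << 20):
    """Copy bytes start..end (inclusive, like WinHex 'Define Block').

    The source is opened read-only. An end offset past the source is
    rejected up front instead of producing a short or failed copy.
    """
    if end < start:
        raise ValueError("end offset is before start offset")
    with open(src_path, "rb") as src:
        size = src.seek(0, os.SEEK_END)
        if end >= size:
            raise ValueError(f"end {end} is past the source ({size} bytes)")
        src.seek(start)
        remaining = end - start + 1
        with open(dst_path, "wb") as dst:
            while remaining:
                data = src.read(min(chunk, remaining))
                if not data:
                    raise IOError("short read from source")
                dst.write(data)
                remaining -= len(data)
    return end - start + 1

def entropy(buf):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def signs_of_plaintext(buf):
    """List indicators of decrypted data in the first bytes of a mounted volume."""
    found = []
    if buf[3:11] == b"NTFS    ":      # OEM ID field of an NTFS boot sector
        found.append("NTFS boot sector signature")
    if b"\x00" * 64 in buf:           # blocks of zeros in the hex columns
        found.append("run of zero bytes")
    if entropy(buf) < 7.5:            # threshold is an assumption
        found.append("low entropy")
    return found
```

An empty list from `signs_of_plaintext` on the start of the mounted volume matches the "still the same gobbledygook" result reported earlier in the thread.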
     
  13. zorkling

    Yeah, I wasn't sure what was going on back there with that previous 108 minutes attempt, but even I knew something was off. Perhaps I typed the wrong thing. I'm hoping with this most recent test file that it's approaching normal.

    And it's giving these unreadable sector messages because it doesn't have enough information to go on. The 2 MB is only a tiny slice of life.

    Is it proven beyond a reasonable doubt that this volume was in fact based on a Windows XP system? I bought the drive in late 2011 and at the time, my XP system was in storage. This is a mild point of contention but I'm not 100% sure. I hope it doesn't make any difference.
     
    Last edited: Jan 20, 2014
  14. zorkling

    So I guess the next step is to decrypt it by block?
     
  15. dantz

    I'm too busy to respond right now, sorry. I'll try to catch up later.
     
  16. zorkling

    That's fine. I still have a lingering suspicion that this device was "RAW (healthy) primary partition". I say this because I have several other TC volumes on various external disks (both HDD and flashdrive) that are not corrupt, and when I plug them into my PC, Windows lists them as "RAW (healthy) primary partition". My reasoning is that these were made at approximately the same time, in a similar fashion. I wish there was some definitive way to prove if this is so.

    I notice, with a flashdrive volume I have to select device/hardisk/partition1 to mount as opposed to "removable disk 1:". Maybe that refutes my theory and these are partitioned.

    On the other hand, one of these properly functioning volumes (HDD) and two of the flashdrives also list as unallocated. Furthermore, Windows is prompting me to initialize the disk so Logical Disk Manager can access it. I haven't done this.

    As of now the corrupted volume simply lists as "unallocated" under Disk Management.

    Sorry if this is unclear.
     
  17. dantz

    OK, I'm back. Sorry about the delay.

    I'll read through the thread and will see if I can come up with any suggestions, but before I do, have you made any headway or had any realizations?
     
  18. zorkling

    Nothing new, just the acknowledgment that some of my (functional) volumes show up as RAW in disk management and some don't.
     
    Last edited: Jan 31, 2014
  19. zorkling

    I believe this issue may have stemmed from running disk cleanup or defragmentation of some kind, but I'm not sure. And I know most users merely encrypted the partition as opposed to the RAW disk, but I don't think there's a way to tell for sure.
     
  20. zorkling

  21. dantz

    I'm trying to catch up on all of the TrueCrypt problems, but I have to sign off now so I can get some work done. I'm still thinking about your situation, though. Maybe I'll post back soon. Sorry about the delay.
     
  22. dantz

    I just noticed that I kind of dropped your thread. I'm sorry, I've been overly busy lately and I lost track of things. Have you made any progress since your last post?
     
  23. zorkling

    I notice that one of the volumes shows some kind of partition. I will post an image soon.
     
  24. zorkling

    Jumping ahead to the other volume, I see that in WinHex it lists unpartitionable space. Here's a picture:
    http://imgur.com/FFxdfwB

    Here are the specifications of the drive:
    http://imgur.com/OeBz4Ug

    And here is where encrypted data begins at offset 32256:
    http://imgur.com/pRuRRb1

    All these are from viewing the physical device in WinHex. I tried to mount it, but this one doesn't work either.
     
  25. dantz

    OK, I'm reading through the whole thread again, and hopefully I will come up with something for us to try.
     