Hi Guys new to the forum- I accidentally formatted my 2TB external hard drive with encrypted nonsystem partition thinking it was the new drive. Unfortunately, it was my external hard drive that housed all my important data which is now not accessible. The exact procedure I did was locate the hard drive in MiniTool Free Partition and delete the partition and then create a new partition. After this happened, I quickly checked to see if I was able to access the VeraCrypt partition with the password. I received the incorrect password error message. I went through various threads by Dantz which were super helpful and discovered I could backup the header. Restored the backup header to the existing offending drive and now Veracrypt accepts the password but threw the following error message: Windows does not recognize the file system here is the exact error "Z:/ is not accessible. The Volume does not contain a recognized file system". I then followed the following threads below and created a test file that was also mountable. https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/ And https://www.wilderssecurity.com/threads/encrypted-truecrypt-raid-1-external-recovery-help.330178/ After the test file was successful, I was feeling good and thought I was closer to recovering my data by either copying the full encrypted volume to another disk or mounting the file (which did not work). My next steps would be copying the data file to the new disk and recreating the partition, but I need some help with doing so. Please help
It seems we are in a similar situation. I had 2 copies of a 12 Tb simple Veracrypt disk, non windows without hidden volume. One of the disk failed and I wanted to clone the good unique disk. Even though I thought I was doing everything carefully, I placed wrongly the disks and for 10 seconds I cloned a new empty HDD to my very valuable data drive. I was horrified and I stopped it immediately. I was happy to see that Veracrypt can still open the volume, but it only sees a disk that is RAW, with no file or anything. Nevertheless, I am sure most of the data is still there. Maybe you can also help me to fix my problem. I see many reference to @dantz who seems super knowledgeable, but I can't understand where to start. Each post of dantz seems close to what I need but is never the same case as mine. I am also looking for help to revover my disk... Thanks to all
Hi @dantz you seem very knowledge on this subject would appreciate your assistance in understanding the best possible way to get my data back.
@subzero03, it appears that your password is being accepted and your volume (whatever it may consist of) is mounting, so that's a good start. The next step is to figure out whether or not VeraCrypt is actually decrypting the mounted volume's data. Decryption only occurs if the header is located in exactly the same position (relative to the data) that it was in originally (before the accident). If the header is even one byte out of place then the data will not decrypt. In your first link, "Part 3" of my post describes a way to look for decrypted data in a mounted volume by using a hex editor. I wrote this for TrueCrypt, but VeraCrypt shares a lot of the code and it should work the same way. So first you need to mount the volume, then open the hex editor and select the drive letter that you mounted the volume to. Switch to Text Only view, then scroll down while looking for recognizable data. In text view, you might see common words like "file", or long stretches of empty space (ie zeros). Either of these things indicates that the mounted volume is decrypting. You can also switch to Hex view and perform a search for a common pattern such as 00000000. There should be lots of them in decrypted data. The other possibility is that the header was restored to the wrong location (ie, not at the exact same distance from the data that it used to be), in which case the volume will still accept your password and will appear to mount normally, but the data will not decrypt and you will merely see a very long block of random, patternless data. The hex editor doesn't have to be WinHex. HxD is also quite good and it's free. I haven't tested it on VeraCrypt volumes, but I expect it will work. However, I haven't used it in a long time so I can't post any instructions on how to use it. I'll try to get to that soon.
@dantz I truly appreciate your response the scenario quoted looks to be what is happening I've added some screenshots to help show what I am seeing in both Winhex and Hxd. If the header is in the wrong place and not decrypting what is the best possible way to make sure the header is in the correct sector of the drive, so it decrypts correctly. I was able to back up the header previously and created a test file following post 6 here: https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/ I then proceeded to copy off the whole block of encrypted data from offset = 1048576 to the end of the drive and save it to a file with Winhex. I then examined the offending drive first and then the large block file with both Winhex and Hxd. The partition and the encrypted portion of the drive looked different in both WinHex and Hxd. See screenshots Hxd shows the start of the drive with “0000000” and the encrypted text as jumbled text. Winhex only displays “unreadable sectors” at the start of the drive and at the end. Which brings up the question is the header in the right place and is it decrypting correctly? I tried recovery tools and wasn’t able to read any data off the drive once mounted either. Prior to working with the offending drive, I Imaged the drive with Getdataback so I have been working off the backup image to not risk the integrity of the drive. I may need a better way to image the drive or copy the image to another drive and rebuild it which where I am stuck if that route is best? Hxd front of drive: https://imgur.com/a/08jKDjL Hxd showing encrypted portion: https://imgur.com/a/WeBmv11 Hxd zeros endofdrive: https://imgur.com/a/4y6lH2O Error: https://imgur.com/a/NB2dn1O Mount: https://imgur.com/a/Y9umm0v Winhex start of drive: https://imgur.com/a/TZnj3Y8 Winhex end of drive: https://imgur.com/a/GGK1yCc
Hi @subzero03 , I have found a little time to work on your problem. Your screenshots aren't quite what I need to see. I'm going to ask you to redo them, and I will give you specific instructions as to how to set them up, but first please answer a few of my questions so I can know (or confirm) a bit more about the situation: What version of Windows are you using? Did your external drive originally hold just one large, drive-filling partition? (which you then encrypted using VeraCrypt?) I understand that you accidentally deleted your partition using Minitools Partition Wizard Free, and then you used the same program to create a new partition on the same drive. Using Minitools Partition Wizard Free, did you by any chance "Wipe" your original partition before you "Deleted" it? (The Wipe would have taken a considerable amount of time.) I don't think you did, but I'm just checking. Did you accept the default settings (i.e. one large partition that fills the drive) when you created the new partition? (I think you did) You also said that you formatted the drive, and I assume this means that you formatted the new partition after you created it. If so, did you perform a Quick format of the new partition, or did you uncheck the box and do a Full format? And do you happen to remember which file system you chose (ie FAT, exFAT, NTFS)? So far it appears to me that your new partition was created in the exact same location as your original one. The endpoint of the partition is almost certainly in the same location, otherwise I don't think the VeraCrypt backup header would have accepted your password (as the backup header would not have been found). And the starting point of the partition is likely in the same standard location, unless of course you specified that it should be different. So your backup header survived, but your main header was almost certainly overwritten. In a little while I will write you up some instructions for HxD. It's probably going to be quite similar to what you have already done, but I need to be sure of what I am looking at because your screenshots are not showing me what I would expect to see. You can ignore the WinHex "UNREADABLE SECTOR" messages. WinHex displays those when you go beyond the range of what the VeraCrypt header is claiming for itself, size-wise. For example, if you take a header that was originally created for a 2TB drive and attach it to the front of a 100MB file then it will actually seem to work. By this I mean it will accept your password and mount the so-called volume. However, the contents of the mounted volume will be gibberish from beginning to end, and if you inspect the mounted volume using WinHex and you move beyond the 100MB point then WinHex will let you know that you have basically left the galaxy and are now in hyperspace or whatever.
Your screenshots of what I assume to be the mounted volume show that the volume is decrypting normally, but I don't understand why the first sector of the mounted volume appears to be clean and undamaged. This area will usually be destroyed after you format an unmounted drive, especially if you delete and recreate the partition. Did you by any chance perform a fresh format of the mounted VeraCrypt volume after you created the new partition and restored the header?
Hi @dantz sorry been a bit busy didn't get a chance to get back to you. Here is my responses to your questions I truly appreciate the help Operating system: Windows 10 That is right, one large nonsystem partition that spanned the whole drive. Here is the screenshot showing what the partition looks like when its mounted. https://imgur.com/a/Y9umm0v No wipe operation was selected only create and delete partition. All default settings were selected when the large partition was created that filled the drive. I don't believe any formatting or quick formatting happened. When I modified the drive I selected the whole drive and selected 'delete' which made the drive unallocated. I then selected the create option which creates a new partition while selecting NTFS file system without the format option it appears that may be secondary step, but again not totally sure. This then made the drive file system not readable when mounted with VeraCrypt.
I don't believe so unless formatting happened some how during the delete and create new partition operation.
@dantz want to say thanks for the help so far looking forward to your HxD instructions to proceed further.
Hi, @dantz you seem very knowledgeable on this subject would appreciate your assistance with resolving this issue to recover very important data.
Hi all, hi @dantz Can anyone help me recover my deleted veracrypt partition? 1TB external USB drive (originally 1 partition). Made into: - 64GB NTFS non-encrypted - Rest of the space ~936GB encrypted (non-hidden) veracrypt partition I accidentally deleted both partitions (don't ask why, I wanted to delete /sdc1, instead I did /sdb1 because in the meantime I plugged in a different drive and the order changed) - I recovered 64GB partition using testdisk - I'm left with unallocated space and testdisk cannot find a way to recover it - I have not touched this free space after the accident I've created a forensic copy (sector-by-sector) using DMDE and trying to recover that lost veracrypt partition, but having trouble doing the first steps. - I've done a full scan using DMDE on the unallocated space (found huge JPG (30GB), TIFF (25GB), ZIP file (100GB). I dont know what's under them, can't really open these - How can I recover the volume header from unacllocated space? - Should I re-create the partition and try to recover it or any recovery should be done with this unallocated space? https://imgur.com/a/8kyhCzO
