Another Lost TC incident?

Trying to help someone who set up an encrypted external HD with Truecrypt.

Now it won't mount, it won't show up under my computer as a drive letter.

The drive doesn't show up in TC either except for under the "select device" option.

\Device\Harddisk1\Partition0

Under windows disk manager it is there listed as disk 1, unknown, not initialized. The "initialize and convert disk" wizard pops up.

TC keeps giving the error:
"The parameter is incorrect." after he enters the password
after attempts to mount using "select device".

Is it gone? Is there any way to mount it? Did something damage the MBR? Don't know really what I am doing or what to do about ti. Any suggestions?

 

fwiw, tc never shows partition0 for any hard disk on my computer. they go from:

\Device\Harddisk0\Partition1
\Device\Harddisk0\Partition2
...
\Device\Harddisk1\Partition1
\Device\Harddisk1\Partition2
...
and so forth.

if you are using a truecrypt traveler disk to mount the volume, and it's a system volume, then you have to specify an extra option before mounting.

 

Thanks for the reply.

I am using an external HD. It is not a system drive. Not sure about a traveler disk.

No partitions are listed. The program fills in partion0 for me.

 

Your friend seems to have encrypted an entire RAW device .
(partition0 is just another way of saying 'device')
It is possible that the disk has been initialized by windows.
Try mounting it 3 times in a row, Truecrypt should then offer to restore the header from the embedded backup ..

 

Thanks for the answer again. It is not listed as initialized under the disk mgmt window.

Even after several consecutive attempts it just keeps giving an error, not offering to restore the header.

 

\Device\Harddisk1\Partition0

This implies that the entire hard drive is encrypted, as someone else previously mentioned.

Definitely DO NOT attempt to initialize the disk or alter it in any other way with Windows. It could overwrite the header.

The error, "The parameter is incorrect", is not ringing a bell with me right now. Not sure what it means. The only thing I can think of is that the hard drive has failed, but it's just a guess.

That error message is the key. Just don't do anything to modify the hard drive until someone can chime in with what that error message means.

 

Here's my suggestion. Wait a week for another response.

If no one chimes in with something that works, then maybe it's safe to assume that there's been some hardware failure. I once had luck with taking a failed USB hard drive and making it an internal hard drive (internal, slave drive).

If you have any experience with this sort of thing, you might try that in a week (absent any better suggestions). Then you could try TrueCrypt with the internal drive.

 

This business of which drive or partition you're selecting is interesting and it can also be the source of a fair bit of confusion, but I don't think it's particularly relevant to your current problem.

If TrueCrypt can't find the starting location of a volume, or if the volume's header is damaged, or even if the volume has been inadvertantly overwritten, then after selecting the volume and entering the password you will always see the "Incorrect password or not a TrueCrypt volume" message, not "The parameter is incorrect". I've never seen TrueCrypt display that message, and I'm not even sure if it's in the code. That's a Windows error, not a TrueCrypt error. It often indicates a hardware problem of some sort. Are you sure it's being displayed by TrueCrypt and not by Windows?

For starters I'd try running the manufacturer's diagnostics on the drive to see if it's still healthy. Also, check the connections.

As far as which drive or partition you are selecting, that's of secondary interest at the moment, but here's how it works: I've noticed that the vast majority of users who think they have encrypted their entire hard drive have actually just encrypted the single, maximally-sized partition that already exists on their hard drive. If your friend had encrypted an entire RAW (uninitialized and unpartitioned) hard drive then Enigm's suggestion probably would have worked (excluding hardware damage). Another possibility (again, excluding hardware damage) is that your friend encrypted a partition and then somehow destroyed the partion table.

If you overwrite/destroy the partition table then TrueCrypt will no longer be able to find any partition-hosted volumes on the drive, or even their backup headers. Other symptoms are that Windows will now see the drive will as uninitialized. If you try to select your encrypted volume via "Select Device" in TrueCrypt then you will see something like "Harddisk 1:", which TrueCrypt will display in the Device window as "\Device\Harddisk1\Partition0".

To select a partition, the user generally wants to select something like "\Device\Harddisk1\Partition1" or some other partition number (not zero), but if the partition table was destroyed then those options will no longer be listed among the choices.

I mention this so you can ask your friend how he used to select the drive, back when it was working, so we can figure out whether it's supposed to be an entire encrypted drive or an encrypted partition.

If you weren't seeing that "parameter is incorrect" message then I would probably lean towards the idea of rebuilding the partition table, but I think you'd better check on the drive's health first.

 

Thank you very much dantz for your extensive answer. It never ceases to amaze me the kindness people show on forums like this. Thank you.

I guess I neglected to mention that I have also seen the: "Incorrect password or not a TrueCrypt volume" message as well. I did try mounting it three times in a row but true crypt did not prompt me for restoring the header.

Yes, by entire hard drive was encrypted for sure. I was there when it happened! (Hence my level of responsibility in the matter after suggesting true crypt.)

I haven't used true crypt extensively for sure but I never had these problems. Only after recommending it to others did I find that this problem showed up.

I haven't asked him about the contents of the drive so maybe it's time to start asking about how valuable the data is. Of course that's not the resolution anyone's looking for. Any continued suggestions would be appreciated, and I can't thank you guys enough.

 

Was the drive encrypted using a fairly recent (v6.0 or higher) version of TrueCrypt? If so, go into Mount Options, select "Use backup header embedded in volume if available" and try that. (Earlier versions of TrueCrypt did not create an embedded backup header during volume creation.)

A fully-encrypted device (e.g. a drive that was in an uninitialized and unpartitioned state when it was first encrypted) stores its volume headers at the very beginning of the drive, while the embedded backup headers are stored at almost the very end of the drive. It's unlikely that both ends of the volume would be damaged simultaneously during a typical accident (e.g. mistakenly allowing Windows to initialize the drive, or performing a quick format), so the embedded backup header, if present, will almost always be usable.

However, if you encrypted a pre-existing partition on the drive then you are reliant on the partition table being intact and uncorrupted, otherwise TC will be unable to find either of its headers and you'll see the "incorrect password etc." error no matter which header you try to use. In this case the best approach is to try to rebuild the partition table, although there are also other approaches that can be tried.

At this point I would probably want to look at the drive using a hex editor to confirm that Track 0 (the first 63 sectors) is fully encrypted and does not contain a possibly broken MBR and partition table (thus showing that you are dealing with partition encryption rather than full device encryption). I'd also check to see if any of the encrypted data was overwritten by plaintext, as often happens during an accidental formatting. And finally, I'd look near the end of the drive to see if there was anything unusual going on in the vicinity of the embedded backup headers. A fully-encrypted drive will contain nothing but random data from beginning to end, no exceptions. The presence of any sort of plaintext indicates accidental overwrites. If both of the volume headers somehow become overwritten or damaged and you didn't save an external backup header then you're basically sunk.

None of this explains that "parameter is incorrect" error message that you mentioned earlier, by the way. That still needs to be looked into.