Accidentally deleted Truecrypt partition

Discussion in 'encryption problems' started by wilder7500, Dec 30, 2013.

  1. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    First off, I have almost all data on the partition backed up so not a major disaster, however a few files were not. I take full responsibility for what happened :cool:

    Info:
    PC has 1 ssd (system) and 1 hd (data)

    win7 64 bit on ssd, hd is just data drive

    the hd has 2 partitions the affected partition was partition 2 which before i did the encryption had drive letter G

    I know I wasn't thinking but here's what I did. I mounted the newly encrypted partition in truecrypt and it assigned it to the T drive, I was thinking I need it to be G since some programs use that path. However I couldn't see G in the truecrypt window so I started windows disk management and there was G, I thought since the partition now is T the G is probably just a left over so I deleted it :eek: :cool:

    Any chance of getting it back?
     
  2. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    Bump...
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Probably.

    Most partition recovery tools will be unable to help, since encrypted partitions don't have any recognizable signatures for them to work with. If you had a backup copy of the partition table that would be quite helpful.

    It should also be possible to use a hex editor such as WinHex to go to the very end of the first partition, then go one byte farther to pick up the beginning of the second partition (assuming no partition gaps, that is). This location can be tested for the presence of the TrueCrypt header (which is always located at the very beginning of the partition) by using a combination of WinHex and TrueCrypt, as described in several of my previous posts. The technique would have to be adapted to your situation, but the basics are pretty much the same.

    Once the header has been confirmed, it's merely a matter of using WinHex to create a large file that contains the entire contents of your lost partition, and then mounting the file in TrueCrypt.

    Many details have been excluded because my brain is still on break, but to answer your question: Yes, I think so.
     
  4. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    Thanks dantz, could I follow this guide?
    http://superuser.com/questions/484186/partition-magic-8-made-truecrypt-partition-invisible

    I should say that I ran Acronis Disk Director and Stellar Phoenix data recovery to try and locate the partition, but neither one of them could find anything. So I guess the partition would be unchanged, right?

    when you say backup of the partition table, would that table be on the affected partition 2 or at the beginning of the drive before partition 1? I got plenty of acronis backups of partition 1
     
  5. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The guide that you linked is lacking in several crucial steps and related details, but it does describe the general approach. In your case I think you're going to need a little bit more than that to accomplish this job.

    I will write you a short procedure. I've already sketched out the barebones and will probably be able to post the first part fairly soon, but I'm kind of busy right now, so I probably won't be able to post the rest until later on.

    Do any of your backups include Track 0? Also, what partitioning scheme are you using, MBR or GPT?
     
  7. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    The disk is MBR. The disk and partition 1 are working perfectly; partition 2 was accidentally deleted. I have an "acronis true image 2013" image of partition 1. In the acronis backup menu I ticked partition 1 and the first entry called System (does system contain track 0?) I don't have an image of partition 2, however I have almost all of the content of that partition on another drive.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    OK, I'm back.

    You can use WinHex and TrueCrypt to test for the presence of the TC header at the beginning of what used to be Partition 2. If you're able to successfully locate the header then you can use WinHex to recover the entire partition by selecting all of its data and saving it as a file.

    The first thing is to locate the starting offset of your lost partition. We'll start out by assuming (or hoping) that the second partition used to be located immediately behind the first partition, with no partition gap (unallocated space) between them.

    Note: If the procedure I've written below doesn't work for you, or if you'd prefer a much simpler approach, then another way to go would be to restore the MBR and Track 0 from your most recent backup. This would be very quick and easy, and it would probably work, but it's also a bit riskier than the method I've proposed.

    The risk comes in because many backup/restore programs will actually redefine the partition boundaries during a restore (thus giving the user the option of shrinking/expanding them, etc.), which is the one thing that you don't want to have happen, especially since your lost partition is now in unallocated space and thus is very vulnerable to being "messed" with. Maybe that wouldn't happen if all you did was restore the MBR and Track 0, but unfortunately I have no way of knowing that. Ironically, I'd want to make a good sector-by-sector backup of the current system before attempting it.

    Of course, the big advantage of the above-mentioned method is that it's very quick and it doesn't require you to purchase a licensed copy of WinHex. So if you don't mind taking on the added risk and you want to try solving this thing quickly and easily then be my guest (and please let me know how it turns out).

    Otherwise, the following is the "longer, safer, more expensive and considerably more cumbersome" approach:

    Note: The following isn't the full procedure. It's a test to see if the full procedure will work. All of the steps in this post can be accomplished using the free Evaluation copy of WinHex. However, that version isn't able to save large files, so you will need to obtain a licensed copy before you can perform the actual partition recovery. I will post those steps only if you are able to successfully perform this procedure first.

    I suggest you start out with the evaluation version of WinHex in order to see if we are on the right track. There's no point in your buying a full copy if this won't work for you.

    OK, here are the steps:

    1. Open WinHex

    2. Options: Edit Mode

    3. Ensure that you are in Read-Only mode. Change it if necessary.

    4. Tools: Open Disk

    5. Select the Physical Media that represents your data drive containing the lost partition, then click OK

    WinHex should open the selected disk. There should be a tab that identifies your disk (it probably says "Hard Disk 1"). Below that is the WinHex "directory browser", which lists that disk's existing partitions and other structures. Below that is the actual data in bytes (displayed row-by-row as both hex and text).

    We want to place your cursor one byte after the end of Partition 1, but there isn't a direct way to do that, so we need to use a roundabout method:

    6. Double-click on "Partition 1" to open that partition in a separate tab.

    Note that WinHex now displays two tabs. The second tab might say "Hard disk 2, P1" or something like that. The contents (files, folders etc.) of Partition 1 should now be displayed in the data area.

    The "hex" and "text" columns are displayed below the directory browser. There should be 16 column headings (0 through 15) above the hex. (If you see columns 0 through F then you're in hexadecimal mode, in which case some of these instructions will not work as written. If this is the case then click once in the Offset column to switch back to decimal display.)

    7. Click once somewhere in the "hex" column to place your cursor there.

    8. Press "Ctrl+End" to go to the end of the partition. (The partition probably ends with "55 AA". Let me know if it doesn't.)

    9. In the information pane on the side of the screen, note down the "Physical Sector No." that your cursor is now in. Try right-clicking on that number and then using WinHex to copy that particular entry.

    10. Click on the "Hard Disk 1" tab to switch back to your entire disk.

    11. Navigation: Go to Sector

    12. Paste the Physical Sector number that you just obtained into the "Sector" box.

    13. Edit the number by adding one sector. (For example, change "51199154" into "51199155").

    14. Click "OK"

    Your cursor should now be exactly where we want it to be, one byte past the end of the previous sector and partition. You should be looking at totally random data (the first 512 bytes of the TrueCrypt header). If you can see any obvious patterns (such as long strings of zeros like this: "00 00 00 00 00") or any recognizable words in the text column (such as "NTFS") then you're likely in the wrong place, in which case stop here and post your results.

    Now we want to select a block of data that begins at this offset and extends forward roughly 20KB, and save it as a file (for testing purposes), as follows:

    15. Edit: Define Block:

    16. Under "Beginning", click on the dropdown and select "Current Position". Note that WinHex displays the exact starting offset in the left-hand box.

    17. Copy the number from the "Beginning" box and paste it into the left-hand "End" box, so that both boxes contain the same number.

    18. In the "End" box, edit the number by adding approximately 20,000 to it. I usually just count in five digits from the right, and increase that number by 2. (For example, 57675623360 becomes 57675643360). Then click OK.

    If you got it right, the "Size:" number in the bottom right corner of the screen should now be showing 20001, or very close to that. (It doesn't have to be exact, just reasonably close. We're just trying to exceed the minimum allowable size of a TrueCrypt volume so it won't trigger an automatic error message when we mount the volume.)

    19. Edit: Copy Block: Into new file

    20. Select a location that has room for a 20KB file, give the file a reasonable name (such as "HeaderTest1.tc") and then click Save. (The .tc extension is optional).

    20. Close WinHex

    21. Open TrueCrypt

    22. Click on Select File, then locate and select the test file that you just created, then try to mount the volume. (i.e. assign a drive letter, click on Mount, supply the password and click OK).

    All we want here is for your password to be accepted. If your password goes through without any complaint and if the test volume actually "mounts" to the drive letter that you selected, and if you don't see the "Incorrect password or not a TrueCrypt volume" message, then you're good! You've located and copied the intact TrueCrypt header, which also marks the beginning of the lost partition, and that's all we needed to accomplish. The mounted test volume is just a tiny fragment of your lost volume, so it will not contain a working file system or be searchable by Windows Explorer.

    If the above test was successful then the next step will be recovering the entire partition by performing a much larger version of what you just did.

    However, if you're stuck on the "incorrect password or not a TrueCrypt volume" message then we missed the target and will have to go back and reconsider our approach.

    OK, That's enough for now. Were you able to make it this far?

    PS: I can't guarantee that everything above was written with 100% accuracy and I apologize for any errors that may have crept in. Hopefully you'll be able to figure it out. Let me know if anything seems unclear.
     
    Last edited: Jan 7, 2014
  9. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    When I finish step 14, I get 14 or so rows of 00s, so no random data. I see 32 columns 0-31 where you describe 16 in step 6. I do see an entry for partition 2 in the top pane; it has a ? in the ext. column where partition 1 has NTFS. I also see an entry named "partition gab" sized at 1 MB, which might be why we don't see any data. When I double click on the partition 2 entry it opens a tab. Couldn't I go from there? Or maybe do the same procedure on the "partition gab". Or is the "partition gab" the header?

    Just checked the "partition gab" it has pretty much all 00s in it except for maybe 12 or so characters.
     
    Last edited: Jan 8, 2014
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Looks like it's not the right spot. This might be the beginning of a partition gap rather than the beginning of the next partition.
    That's ok. Apparently you have a widescreen monitor, so WinHex decided to show you 32 columns instead of 16. Shouldn't matter.
    Wow, there's still an entry for the partition that you thought you deleted? That's great news! Yes, we can use that.
    You sure it doesn't say Partition "gap?" I've never heard of a partition gab. (Perhaps you're using a different language?)
    Yes! Try that. Does it look like all random data from that point downwards? Just start your block at the very beginning of the partition and go down approximately 20 KB, as I described in the procedure. (In this case I think you would set up the block as Beginning = 0, End = 20000)
    If it's mostly zeros then it's definitely not what we're looking for. The TC headers and the encrypted data that follows them should look like a huge block of completely random data, with no visible patterns or recognizable text.

    When you double click on the "Partition 2 (?)" entry does it open a partition of the expected size? Maybe it's all still there! If so, that will definitely make our job easier.
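Added example (not part of the thread, and not code from any poster): the checks described in posts 8 and 10, run in Python against a raw, read-only disk image instead of by eye in WinHex. It reads the end of partition 1 from the MBR, scans forward through any gap of zeros, and reports the first sector that looks like random data. The function names, the 7.0 entropy threshold and the sample image are assumptions made for illustration.

```python
import hashlib
import math
import struct

SECTOR = 512

def first_partition_end(mbr: bytes) -> int:
    """Last LBA of MBR partition entry 1 (entry at offset 446, LBA fields at +8)."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature")
    start_lba, count = struct.unpack_from("<II", mbr, 446 + 8)
    if count == 0:
        raise ValueError("partition entry 1 is empty")
    return start_lba + count - 1

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte of the block's byte histogram."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts if c)

def looks_random(sector: bytes) -> bool:
    """The eyeball test from post 8: no zero runs, no known text, high entropy."""
    if b"\x00" * 5 in sector or b"NTFS" in sector:
        return False
    return entropy(sector) > 7.0  # assumed threshold; random sectors score about 7.5

def find_header_candidate(image: bytes, max_gap_sectors: int = 4096):
    """Scan forward from the sector after partition 1; return (lba, sectors_skipped)."""
    first = first_partition_end(image[:SECTOR]) + 1
    for lba in range(first, first + max_gap_sectors):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sector) < SECTOR:
            break
        if looks_random(sector):
            return lba, lba - first
    return None

def extract_test_block(image: bytes, lba: int, size: int = 20 * 1024) -> bytes:
    """The roughly 20 KB slice to save as a test container for the mount test."""
    return image[lba * SECTOR: lba * SECTOR + size]

def build_sample_image() -> bytes:
    """Constructed test disk: MBR, NTFS-like partition 1, 1 MiB gap, random data."""
    img = bytearray(8232 * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 0, 0, 0x07, 0, 0, 0, 2048, 4096)
    img[510:512] = b"\x55\xaa"
    img[2048 * SECTOR + 3: 2048 * SECTOR + 7] = b"NTFS"
    img[6144 * SECTOR - 2: 6144 * SECTOR] = b"\x55\xaa"  # partition 1 ends "55 AA"
    img[6144 * SECTOR + 446: 6144 * SECTOR + 458] = b"\x01" * 12  # few non-zero gap bytes
    stream = b"".join(hashlib.sha256(struct.pack("<I", i)).digest()
                      for i in range(40 * SECTOR // 32))
    img[8192 * SECTOR:] = stream  # stands in for the header plus encrypted data
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    lba, gap = find_header_candidate(image)
    print(f"candidate start: LBA {lba}, {gap} sectors ({gap * SECTOR} bytes) past partition 1")
    print("test block size:", len(extract_test_block(image, lba)))
```

A random-looking sector is only a candidate; as in the thread, the header is confirmed only when TrueCrypt accepts the password for the extracted test block.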
     
  11. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    YEEES it works!!! :D :D :D :D :thumb: :thumb: *puppy* *puppy* :argh: :argh: :argh: :D :D :D

    Awesome guide Dantz, very detailed and precise. So I guess it's just a matter of purchasing WinHex and marking the entire partition, right? How would I get it safely on to the original partition 2 and assign the G drive letter? I just don't want to screw it up.
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's great! But before you go any farther, there's one thing that I'm unsure about. I wasn't expecting the partition to still be there, so I'm wondering if you even need to copy all of the data to another location. Are you sure the partition doesn't already appear in Windows' Disk Management? Or in TrueCrypt's "Select Device" screen?

    If the partition is visible in Disk Manager, be careful not to format it or otherwise alter it, no matter what Windows suggests.

    Oh, and keep the test file. It can be used to create a backup header if you need one.
     
  13. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    The partition appears as free space in windows computer management, and as unallocated in Acronis disk director. It appears to be the right size. I purchased WinHex anyway (since it's a useful program to have) so I can make a copy to a separate hd, then see if I can mount it and access files. Just to be sure. With the information given above do you think I can recover it from computer management or Acronis disk director?

    OK, I'm making a copy right now. I just opened partition 2 in a tab in WinHex, pressed <ctrl a> to select everything > Edit: Copy Block: Into new file > chose a location on another hd that has enough capacity for the file. Does that sound right?
     
    Last edited: Jan 9, 2014
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No, not if it's listed as free space or unallocated. Luckily WinHex can still see it. I guess you didn't do a good enough job when you accidentally deleted it! :)

    Sounds great! Let me know how it goes. We could have tested the size first, just to make sure, but it's probably going to be ok.
     
  15. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    Good news, everything seems to be as it was. Tried opening a lot of different files without any problems. I would like the content back on the old partition 2 with the drive letter G: would I just create a logical partition in partition 2 (which now shows unallocated) and copy the file over?
     
  16. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, it's just like starting fresh. Use Windows Disk Management to create and format a new partition, use TrueCrypt to encrypt it, and then use TrueCrypt to mount both your newly created partition-hosted volume and your recovered (container file) volume and copy over all of your data.

    Whether you create a Logical or a Primary partition is up to you. I usually create Primary partitions whenever possible, as long as I'm sure that the disk will never need more than 4 partitions, but either is fine.

    You don't need to assign the newly-created partition a drive letter in Windows, and in fact it's probably better if you don't. TrueCrypt will still list it in the Select Device screen and it will work fine either way.

    You can use TrueCrypt to mount the volume to whichever free drive letter you wish. Probably you will want to set it up as a Favorite that always mounts to "G".
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Good work! dantz. Very impressive. :thumb:
     
  18. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    Are you saying I should create a partition on the unallocated space that used to be partition 2? Then encrypt the empty partition (do I choose a different password here)? Remember the file I made contains the ENTIRE old partition 2. Couldn't I just create the partition and copy the file over?
     
  19. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, as long as you are sure that you have safely recovered all of your files before you overwrite the lost partition.
    You can use the same password or a different one, it doesn't really matter.

    Perhaps that might work if you used WinHex to copy the file's raw contents directly into the newly created partition, but the sizes might not match up exactly, which means that TrueCrypt's embedded backup headers would no longer function, plus the missing (or extra) space at the end of the partition could cause unusual problems of its own, as TrueCrypt would no longer be aware of the exact size of the partition that it was supposedly encrypting.

    Why not just create a new partition, encrypt it and then copy across your data? If it's too much data for Explorer to handle then you could try using robocopy or a similar tool.
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Thanks! I've been on a lucky streak lately and have managed to rescue a lot of data, but I suppose it will have to end at some point.
     
  21. zombielove

    zombielove Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    12
    Location:
    United States
  22. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    You mean mounting in truecrypt the file (file.tc is what I named it) that I recovered. Then selecting all content and copy to the newly created and encrypted partition. You don't mean copy the file (file.tc) to the newly created partition without first mounting it in truecrypt right?
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes. Mount both volumes first, then use Windows Explorer to open the drive letter that you assigned to your mounted "file.tc" container, then select all of the contents (all of your folders and files) and copy them into the drive letter that you assigned to the new, mounted volume that you just created in the new partition. So you mount both volumes, then you copy your files from one drive letter to the other.

    You don't have to use Windows Explorer for that task, but you can try it first, since it's the most convenient. However, sometimes Windows Explorer will "crump" if you give it too big of a job. If this happens then there are other, more robust file-copying tools that you could try using instead. That's why I mentioned Robocopy, a Microsoft command-line tool that is included with Windows 7. There are also a number of decent file-copying utilities that you can download, and most of them have a full user interface so they are quite easy to use. However, I can't think of any names right now.

    No, don't do that.
     
  24. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    58
    Location:
    USA
    Great! Everything is now copied back over. You were right, it took a loooooong time with explorer. Do you know how to safely change the label of the partition back to what it was? Truecrypt just gave it the generic name "Local Disk".

    Also, is there anything else I should do than making a header backup and a regular backup of the data?
     
  25. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's a Windows thing, not TrueCrypt's doing. I think you can just right-click on the drive (in Windows Explorer) and click Properties, then type in a new name for the mounted volume.

    Well, that's most of it, but you could make more than one header backup and store them in separate locations. You could write down your password and store it somewhere safe and offsite (if you dare). You could have more than one backup drive and alternate your backups between the two drives, just in case one of them fails or gets screwed up during a backup. That sort of thing.
     