Can't boot TrueCrypt hidden OS anymore

Discussion in 'encryption problems' started by Mehkab, Apr 28, 2015.

  1. Mehkab

    Mehkab Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2
    Hello,
    I used a TrueCrypt hidden OS for 2 years without any problems. But when I booted the hidden OS the last time, I got a blue screen directly after booting.

    Since this happened I only have access to the non-hidden system, but if I try to get into the hidden OS the password is accepted, I see Booting... but nothing happens.

    I don't think that the rescue disc is usable for this problem because I have reset the bootloader and volume header, but without a positive result.

    I hope that anyone can help me with this problem, doesn't matter how, but I need the data in the hidden system.

    Thank you for your help
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    You have two concrete options, which if done correctly will almost certainly get you what you are looking for.

    BSOD (blue screen of death) is a Windows issue and has nothing to do with TrueCrypt. If I am correct, even if you could decrypt the hidden OS (you cannot decrypt a hidden OS; this is an example only), your Windows OS will still blue screen you. Something went wrong in Windows (big surprise there, not!) and it's not loading/mounting.

    You commented that you only want the data inside the hidden OS. So let's help you go get it.

    Options:

    1. Remove the SATA drive (hard drive - SATA, IDE, etc.?) and take it to another computer running TrueCrypt with the same version. A simple extra option is to use TrueCrypt portable on the second computer so you don't even need TC installed on the machine. From there open the TC panel and select the option to open the locked drive. You will need to use/know the correct password of course. Once open, the entire hidden OS volume will have the drive letter you assigned it via the TC panel. From there it's a mounted volume and you can grab the data you need without changing anything at all on the volume. Just copy the data off to an external drive and you got it!! Very simple to do and I've done this dozens of times without issue, although I use option 2 because I created the tools for this exact thing! The end results are the same -> you have your data!

    2. Use a live Linux disk and mount it in RAM. Once mounted in RAM you can install the TrueCrypt Linux version (the same version as the one you are opening is best) in RAM and then use TC to open the hard drive using the same method as mentioned above. I went one step further and actually built TC into my live disk, so when I mount the live disk TC is installed and ready to go. The big advantage of option 2 is you do NOT have to remove the hard drive, because you are not using it to mount the OS. That is done in RAM on the same machine, which is very fast and easy. Same as before, you just copy out the data you need to an external drive and again, you got it!!

    Since you are seeing a BSOD you MUST repair Windows before it will boot. Unless you just want to blow it all away and start over. After you get the data you want and it's safe and sound, you can open the drive as we just talked about and effect Windows repairs. I have done lots of AV work on a Windows drive using this method too.

    BEFORE TRYING TO REPAIR WINDOWS --- GET THE DATA FIRST!!
     
  3. Mehkab

    Mehkab Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2
    Thank you for your answer,

    If I open TC in the decoy system I can go to auto-mount devices and fill in the password for the hidden system; then I see the hidden system in the TC window.
    But if I try to open it, I get the message that there is no access to this device, it's not readable and maybe damaged, so I can't get the data out from there.
    It seems to me that I must repair it first before I can get the data. Do you think I should run chkdsk to solve this problem?
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Remember that IF you get to your data in the future you NEED to completely redo your decoy system now. You have placed marks on/in it showing access or attempts at access to the hidden system. Your decoy is forensically dirty. The system file metadata inside the outer volume will NOT correspond to the activity "forensically inside" the decoy volume. Simple FYI.

    Option 1 or 2 above is the way to achieve a more accurate result. Until you attempt those, any other "moves" are taking unnecessary risks.
     