Corrupt encrypted partition (I used Truecrypt)

Discussion in 'encryption problems' started by Pikachuwee, Mar 17, 2010.

Thread Status:
Not open for further replies.
  1. Pikachuwee

    Pikachuwee Registered Member

    Joined:
    Nov 12, 2008
    Posts:
    7
    Hello everyone, I would really appreciate some help on this.

    Alright, so yesterday I was trying to install Gentoo GNU/Linux on my system.

    This distribution forces you to partition your hard drive in a CLI environment; I am not very familiar with the different partition labels (such as /dev/sda6p1) when you are dealing with a hard drive with many partitions instead of a completely empty hard drive.

    Now, I have this 100GB partition that I encrypted using Truecrypt, and I have this other empty 100GB partition next to my C:\ (the one that I was going to install Gentoo on).

    I think I validated a wrong file system while using fdisk on my 100 GB encrypted partition instead of the empty 100 GB partition.

    Oh, one thing I forgot to mention; the encrypted 100 GB is on an external hard drive.

    So when I mount the drive using Truecrypt, Windows tells me that the drive needs formatting and that the file system cannot be read.

    I already tried chkdsk and I get the following error:

    http://i286.photobucket.com/albums/ll103/Ninjamaster333/asdfasdf.png

    Is there any way I can get the files back, or any way to fix the file system?

    Any help whatsoever will be great, any question or information that you need to know in order to fix the problem will be provided.
     
    Last edited: Mar 17, 2010
  2. Pikachuwee

    Pikachuwee Registered Member

    Joined:
    Nov 12, 2008
    Posts:
    7
    Sorry to bump the thread, but I reeeeally need help with this.

    Any ideas at all?

    ================================================

    Edit: Testdisk appears to mention the same kind of situation that I am in.

    "Sometimes both Standard Volume header and filesystem boot sector are partially overwritten. After recovering the volume header using a backup, the volume can be accessed but the filesystem is still corrupted."

    This is mentioned here: http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume

    I will run testdisk and report back.
     
    Last edited: Mar 17, 2010
  3. Pikachuwee

    Pikachuwee Registered Member

    Joined:
    Nov 12, 2008
    Posts:
    7
    I ran testdisk and fixed the corrupt boot sector of the said partition.

    The file system is still damaged, however. I tried running chkdsk and I get "Unable to determine volume version and state. CHKDSK aborted"

    Is there any way to fix a damaged partition using software other than chkdsk?

    [PS: I am REALLY SORRY for the triple post]
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    You're lucky you can still mount the volume. How did you manage this? Did you have to restore the backup header? Normally the header gets lost or overwritten during partitioning screwups. Are you still mounting the volume using the same path?

    I'm not sure what happened to you, but at this point it sounds like your TrueCrypt volume's internal filesystem has been damaged. I would try using standard data-recovery software on the mounted volume. Try GetDataBack (NTFS version), PhotoRec, R-Studio, FileScavenger, or many others.

    I would also suggest a good hex editor such as WinHex, and in fact I would start by using WinHex to examine the unmounted volume to get an overview of the extent of the damage. Then I would try using the data-recovery apps on the mounted volume.

    Based on the types of files you're trying to recover, their level of fragmentation and whatever remains of your filesystem, you should be able to recover some of your files. However, this will not be a simple process. You'll probably have to spend a considerable amount of time learning how to use the various tools, and your overall results will vary widely based on the amount of damage that has occurred.

    You should probably image the drive before going any further, so you will have a backup copy in case you screw up. It happens, and in fact you've already tried to do this. For example, chkdsk writes permanent changes to the drive, so running chkdsk on a damaged filesystem is NOT a good idea if you want to recover as much data as possible. A better approach would be to make a RAW image of the drive, restore the image to another drive, and run all of your data-recovery operations from there. At some point you might want to try chkdsk, but if it made things worse then you could always restore the image, and thus no permanent harm would be done.
     
  5. Pikachuwee

    Pikachuwee Registered Member

    Joined:
    Nov 12, 2008
    Posts:
    7
    Hello Dantz, thanks for the reply!

    Yes, the header was corrupted, I think, but I was easily able to fix it by restoring the backup. Yes, it uses the same path.

    I tried most of everything until I ran PhotoRec. I think it probably saved everything there, but all the files are unorganized, so I'm still working on saving the drive itself. If I really don't save it, at least I got the files back (thanks PhotoRec!).

    I am a complete beginner when it comes to hex editing; what am I supposed to be looking for? How do I know how bad the state of the unmounted drive is?

    Well, I am pretty much out of space right now; I will have to buy a new hard drive if I have to make an image. I recovered the files, but as I said, it's completely unorganized. Should I probably give up on saving the drive itself?
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    PhotoRec and FileScavenger are good at recovering specific types of files based on their identifying characteristics, e.g. known headers etc., but fragmented files most likely won't be recovered in their entirety. GetDataBack for NTFS is best at fixing problems within the NTFS filesystem itself (assuming there's enough left to work with), and it can sometimes recover fragmented files using that data.

    Since you're already successfully recovering files, you may not need to use a hex editor. However, if you want to see the extent of the damage, you can view the unmounted volume (the partition, in your case) in a hex editor and try to spot any large swaths of non-random data such as strings of zeros, recognizable text, non-random code, etc. An undamaged, unmounted TrueCrypt volume will appear to be completely random from start to finish, so any non-random areas probably represent unintentional overwrites. If you can determine where the damage starts and how far it goes, you can sometimes get an idea of how much filesystem damage has occurred to the encrypted volume. However, this is a completely optional step.

    Making a backup image is also optional, although most data-recovery experts would say that it is extremely important and that it should be done BEFORE attempting to recover any data. Since you've already decided to take your chances by doing a data recovery without having a backup image available, I'd say you're already past the imaging step. I guess some people just like to live dangerously.

    If you're finished recovering files from the drive, you can reformat the partition and start over. No need to dispose of the drive.
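    The hex-editor inspection dantz describes (an undamaged, unmounted TrueCrypt volume looks uniformly random end to end, so a stretch of zeros or readable text marks an overwrite) can be automated with an entropy scan. The script below is an added example, not code from this thread or from TrueCrypt, TestDisk or any of the tools named; it reads a raw image of the unmounted partition sector by sector, computes the Shannon entropy of each 512-byte sector, and reports every run of consecutive sectors that scores well below what ciphertext should. The 6.5 bits/byte threshold, the seed, the offsets and the built-in sample image are all constructed for the demo (pseudo-random bytes standing in for ciphertext, with a zeroed stretch and a plaintext run punched in), so it runs offline; on a real image it only ever opens the file read-only, consistent with the advice to work from a copy rather than the live drive.

```python
import math
import mmap
import random
import sys
from collections import Counter

SECTOR = 512        # scan granularity: one disk sector
THRESHOLD = 6.5     # bits/byte (assumed cut-off): a random 512-byte sector scores
                    # about 7.6, English text about 4-5, an all-zero sector 0.0


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte of `block` (0.0 for a constant block, 8.0 for uniform)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def find_non_random_regions(image, sector: int = SECTOR, threshold: float = THRESHOLD):
    """Return [(start, end, min_entropy), ...] for each run of consecutive sectors
    whose entropy is below `threshold`; `end` is exclusive. `image` may be bytes
    or an mmap, so a multi-gigabyte partition image need not fit in RAM."""
    regions = []
    run_start, run_min = None, 8.0
    for off in range(0, len(image), sector):
        h = shannon_entropy(image[off:off + sector])
        if h < threshold:
            if run_start is None:
                run_start, run_min = off, h
            else:
                run_min = min(run_min, h)
        elif run_start is not None:
            regions.append((run_start, off, run_min))
            run_start = None
    if run_start is not None:                   # run reaches the end of the image
        regions.append((run_start, len(image), run_min))
    return regions


def build_sample_image(seed: int = 1234) -> bytes:
    """Constructed 512 KiB stand-in for a TrueCrypt partition image: seeded
    pseudo-random bytes play the role of ciphertext, with two overwrites added
    (a zeroed stretch and a plaintext run, the kind a partitioning tool leaves)."""
    size = 1024 * SECTOR
    rng = random.Random(seed)
    data = bytearray(rng.getrandbits(8 * size).to_bytes(size, "big"))
    data[200 * SECTOR:232 * SECTOR] = bytes(32 * SECTOR)          # 16 KiB of zeros
    text = b"The quick brown fox jumps over the lazy dog. "
    data[600 * SECTOR:604 * SECTOR] = (text * 64)[:4 * SECTOR]    # 2 KiB of ASCII
    return bytes(data)


def report(image) -> str:
    """Human-readable summary of the non-random runs found in `image`."""
    lines = [f"scanned {len(image)} bytes in {SECTOR}-byte sectors"]
    for start, end, h in find_non_random_regions(image):
        lines.append(f"  non-random run at 0x{start:010x}-0x{end:010x} "
                     f"({(end - start) // SECTOR} sectors, min entropy {h:.2f} bits/byte)")
    if len(lines) == 1:
        lines.append("  no non-random sectors found; volume looks intact")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: a raw image of the UNMOUNTED partition, mapped read-only.
        with open(sys.argv[1], "rb") as f:
            with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
                print(report(img))
    else:
        print(report(build_sample_image()))
```

    Run it as `python scan_entropy.py volume.img` against a raw image of the unmounted partition; with no argument it scans the constructed sample and reports the two planted overwrites. The offsets it prints are what you would then seek to in a hex editor, and the span from the first flagged sector to the last gives the rough extent of damage dantz mentions. Note that a legitimately sparse-but-encrypted volume never scores low, since TrueCrypt encrypts the free space too, so low-entropy sectors are always worth a look.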
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You should not install Gentoo (or any Linux distro) on one partition. You need at the very least 2 partitions. I usually use 4 or 5 when I install.

    What does "validated the wrong file system" even mean?

    Most likely Windows can't read it because the partition has been formatted to ext3/4, which is a Linux file system.

    You would have to use forensic software since the file system format effectively erased the disk.

    P.S. A newcomer to Linux should NEVER install Gentoo. Unless you know your way around the bash shell like the back of your hand, you should not touch Gentoo.
     
  8. Pikachuwee

    Pikachuwee Registered Member

    Joined:
    Nov 12, 2008
    Posts:
    7
    I know: one for boot, another for the swap and a third for root is the setup I was going for before I ended up messing up a partition on my external rather than working with my internal hard drive.

    See, I had a 100 GB partition in my internal and a second in my external.

    There is a step in the Gentoo installation where, after you get the partitions set up, you need to validate the file system, i.e. add the partition labels such as 82 for the swap. My guess is that I did this on my external partition, causing the file system to become corrupted.

    I don't think it was formatted to ext3/4 since chkdsk and testdisk both find it as NTFS.

    I HAVE installed Gentoo before, I am not a newcomer. This was my first time installing it on a hard drive with partitions already on it (the times I've installed it were on empty hard drives where partitioning is much easier).

    I made a mistake, we're all humans.

    And thanks for all the info Dantz!
     
    Last edited: Mar 19, 2010