Corrupted truecrypt partition...

Discussion in 'encryption problems' started by AF1X, Jun 25, 2012.

Thread Status:
Not open for further replies.
  1. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    I've one partition on an external 2TB WD HDD encrypted with truecrypt that is refusing to open.

    I can mount the partition but, strangely, in the truecrypt window the partition mounts as \Device\Harddisk1\Partition0. When attempting to access the drive with windows explorer I receive an error stating "F:\ is not accessible. The parameter is incorrect". Only today has that error appeared, previously it said something similar to "Windows can not recognize this file system. Would you like to format it?".

    Restoring the volume header didn't work so I fired up chkdsk; it returns,

    Code:
    Checking the file system on the TrueCrypt volume mounted as F:...
    The type of the file system is RAW.
    CHKDSK is not available for RAW drives.
    
    Press any key to continue . . .
    Proceeded to use "GetDataBack for NTFS" and received another error stating the drive was FAT. Tried scanning the partition using the FAT version of the program and... yet more errors appeared.
    Code:
    Error: RangeError
    Range check error
    FAT:28
    00695019 
    
    004D6A82-000D5A82 004D6DA9-000D5DA9 005D468B-001D368B 005D4B3E-001D3B3E 0066C099-0026B099 0041B9B2-0001A9B2 0043ADE9-00039DE9 0043D245-0003C245 0043D02B-0003C02B 0045009E-0004F09E 00458A68-00057A68 00699185-00298185 
    The program also displayed strange information under the details tab: http://i.imgur.com/eOtId.png

    So I'm thinking this HDD is ****ed, which is unfortunate for me because there is data contained in it I'd like to save. Any help/ideas on recovery would be much appreciated.
     
    Last edited: Jun 25, 2012
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    What did it used to be? Partition1?
     
  3. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    It's been quite awhile since it's worked properly, so I can't remember exactly, but that sounds correct, partition1 or something similar, but never 0.

    I remember reading on another forum that truecrypt never mounts a working partition as 0 unless it is only mounting the drive as a device.

    I also attempted mounting the partition with truecrypt in "PartedMagic", the error came up as "You must specify the type of file system". The only vector I've yet to explore is using a hex editor; perhaps it is possible to manually fix the header from there? o_O
     
  4. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    You might try this:

    Truecrypt window, select device. Volumes tab, select Mount Volume with Options, select Use backup header embedded in volume if available. Enter password. See if this will properly mount the volume.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    That's basically correct. So it sounds like you've lost your partition table, among other things.
    Yes, that may be possible, but first you need to provide more information. I don't understand how you are even able to mount the volume, since earlier you said that 'restoring the volume header didn't work'.
     
  6. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    Unfortunately that did not work either.

    What could have possibly caused the partition table to be damaged? I remember doing nothing out of the ordinary on the volume the day it was still working.

    I'll provide what information I can.
     

    Attached Files:

    Last edited: Jun 27, 2012
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    I don't fully understand you because some of your descriptions aren't precise. For example, when you say that something "didn't work", that doesn't tell me enough. Did you mean that your password wasn't accepted, or that you could mount the volume but couldn't find your files?

    The biggest question in my mind is still how you are able to mount the volume at all. If you didn't used to select the device as \Device\Harddisk1\Partition0 (which represents the entire drive) then this implies that you used to have a partition and you lost it. However, once a TC partition is lost, you can't mount it at all until you fix things. Your password won't even be accepted. So I'm still trying to understand your situation.

    When the problem first occurred, did you restore the header from a file backup or from the embedded backup header, or could you just go right in and mount the volume without doing anything?

    Incidentally, "mounting a volume" means only that your password is accepted and a drive letter is assigned to the volume. The mounted volume may or may not be accessible to Windows, based on whether it contains an intact file system. I just want to make sure we're talking the same language here.
     
  8. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    The partition mounts, but the filesystem is not readable in neither windows (chkdsk says the filesystem is "RAW") nor Linux. Restoring the embedded header failed and the files are still inaccessible after being mounted.

    The password is accepted and the partition mounts, but I can not access the device.

    Yes, it is a strange situation. The partition shouldn't be a complete loss if it still accepts my password.

    I could mount it before I restoring the embedded backup header. Restoring the header changed nothing,

    It is not accessible in windows or linux. When attempting to open the device after mounting in linux, it says I need to specify the type of file system, and windows only reads it as "RAW".
     

    Attached Files:

    Last edited: Jun 27, 2012
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Try using PhotoRec (which comes with TestDisk) to explore the mounted volume. If it finds any files at all, even a single file then this would tell us quite a lot about what's going on.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    We're basically using PhotoRec to see if your mounted volume is decrypting or not. It's not a perfect test, but it may be sufficient. And you may get some files back in the process.
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    I'm active on the TrueCrypt forums and I help with a lot of data recoveries. I'd prefer to keep the thread here where we can post screenshots etc., as the TC forums suck in a lot of ways.

    If I sound confused in the above posts it's because the OP is posting conflicting information and I'm trying to sort out which information is correct and which is erroneous.
     
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Here's something else to try. If you had a partition and you lost it, this will confirm it and it might also show us how to get it back. Restoring the partition exactly as it was, and then restoring the correct TC headers to the beginning of the partition, is probably the easiest way to solve this problem.

    Open the entire physical disk in WinHex and write down the drive's total capacity in bytes (as displayed in the left-hand column). Then close WinHex, open TC, mount the volume and view TrueCrypt's volume properties screen. The size of the TrueCrypt volume in bytes is listed. It's important to recognize that this number is based on the size of the volume that you originally created, not the current mounted volume, although the two numbers are normally identical. Also, be aware that the size shown by TC does not include the additional space taken up by the four 64KB headers which wrap around the volume.

    Take the volume's size as reported by TC, then add 262,144 to account for the four 64KB headers that surround the data area of the volume. Compare the resulting number with the size of the physical disk as reported by WinHex. Are the numbers identical? If so then you must have originally encrypted the entire device, which would explain why your headers are in the correct location for a fully-encrypted device.

    If the numbers are not identical (and I'll bet they're not), calculate the difference between them. This difference most likely represents the starting offset for the partition that you used to have, plus the unallocated space at the end of the drive.

    edit: fixed typos
     
    Last edited: Jun 28, 2012
  14. Vertuvius

    Vertuvius Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    2
    Location:
    Belgium
    First of all thanks to all who participate, this forum is great. I have a similar problem and hoped you people could help me.

    I have a 100gb container, 50gb of which is hidden. It's located on my external hard disk and everything worked fine until a couple of days back. Both are mountable. I can open the main volume, but some of it's files are corrupt. Via properties in 'my computer', it says that it's FAT32.

    When I try to open the hidden volume however, I get an error saying the drive is inaccessible. So I copied the container to 2 other hard disks and tried some of the things mentioned in other threads.

    - when trying to repair using chkdsk, i get the error that 'CHKDSK is not available for RAW drives'
    - I tried to mount it using the backup header, but then it says my password is incorrect, so while the original header is intact, the backup header isn't.
    - testdisk says the first, second and third sectors are not identical. When I try to rebuild the boot sector, it says 'No FAT found'
    - using photorec I get a bunch of unusable .swf files
    - Getdataback didn't find any FAT32 filesystem either

    I don't know if this information could be helpful, but TrueCrypt gives 53686960128 bytes and for the primary and secundary key size 768 bits and 128 bits for the block size.
    According to GetDataBack: Geometry: C*H*S = (104857344*1*1) and Size: 104.857.344 sectors (50,0GB)

    I tried my best, but I'm nowhere near an IT expert and this problem is way beyond me... Any help would be greatly appreciated.
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    You probably should have started a new thread, but I'll just tack on an answer here for now.

    It's very unusual to have an embedded backup header fail while the volume header is still good. It's hard to be certain what happened here, but the most likely explanation is a failing hard disk that is developing bad blocks.

    Since you are able to mount both volumes, there's no need to delve into esoteric TrueCrypt issues at all. At this point it's merely a matter of following standard data recovery procedures, and sounds like you're already doing many of the things that I would suggest. I'd ask around on some of the data-recovery forums to see what they recommend. Of course, sometimes you just don't get it back.

    At this point I would probably also be using WinHex to look into things, but I don't want to have to write out an entire user manual on how to do this. First I'd look at the unmounted container file (looking for damage or for obvious overwrites) and then I'd examine the contents of the mounted volumes for similar issues. However, you have to be fairly experienced at using a hex editor in order to gain any benefit from these procedures, and it probably won't help you recover any data. It's more a way of figuring out what happened.

    Are you quite certain that the inner (hidden) volume is also formatted FAT? Most users just format their outer volumes as FAT in order to make more room for the inner volume, which they format NTFS. In other words, you might need to be using the NTFS version of GetDataBack on that volume.
     
  16. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    I'll add this about the backup header, when I had a similar problem I read somewhere that the backup header might not be the current password if you had changed the Truecrypt volume password, that it might be the original password used to create the volume. I had not changed my password so I cannot verify this personally but it is something to try if you have changed your password.
     
  17. Vertuvius

    Vertuvius Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    2
    Location:
    Belgium
    Thanks for your help.

    I'm not sure the hidden volume is FAT too, so I did the procedures for NTFS with TestDisk and GetDataBack. Unfortunately it didn't recognize a filesystem either. For TestDisk I followed these steps. These for GetDataBack. Damn, I'm so sick of this...

    If by using WinHex we could figure out what exactly happened, would there be a good chance to recover data?

    I've never changed the password by the way.
     
  18. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Can't say. Every case is different. WinHex does have some data-recovery features that you can try, but I mainly use it to help me figure out what went wrong. There's a steep learning curve, though.

    You mentioned earlier that you recovered some files using PhotoRec. Did you recognize them or their contents? Have you confirmed that they were recovered from the mounted volume? I just want to make sure you're using the data-recovery tools correctly. Make sure you use them to explore only the mounted volume (accessed via whatever drive letter you assign when you mounted it), not the unmounted partition or disk where the volume resides.

    You'll probably get more specific advice on a forum that specializes in data recovery.
     
  19. zamzen

    zamzen Registered Member

    Joined:
    Jul 15, 2012
    Posts:
    1
    Please help to recover truecrypt partition and files...

    Dear All,

    I been using Truecrypt (TC) fort the past couple of years on my external HDD. I had created 2 containers in that. Yesterday, I added another hidden container within the same HDD.

    Since adding the 3rd partition, I am unable to access 2nd hidden partition. Whenever i try to mount it says 'Invalid password or not a truecrypt container'. I am 100% sure about my password.

    I appreciate your guys help in this matter.

    -zam-
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Please start a new thread and re-post your TrueCrypt problem.
     
    Last edited: Jul 15, 2012
  21. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    If "standard data recovery" procedures are all that is required, why not just edify us? In fact, why are you in this thread at all - you seem to be fond of parroting "yup it's broke, go ask someone who knows".

    We don't need to illuminate every nook and cranny, only taught the steps necessary for recovery. But you're right on one thing, perhaps we should go ask elsewhere.
     
  22. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Because I'm a TrueCrypt expert, not a data-recovery expert.

    Do you think I should dedicate my entire life to posting detailed step-by-step instructions for every poster who asks a question, and look up things that I don't already know so they won't have to? Get real. I don't mind giving expert advice to users who ask for help, but I also expect them to pull their own weight.

    For example, if you want to learn how to use WinHex then download the evaluation version, play with it and read the relevant sections of the user manual. After that, if you have a question about how to use WinHex to examine a particular TrueCrypt volume then I'll be happy to go into specifics. What I won't do is write out an entire "how to use WinHex from scratch" procedure.
    Since I'm a TruCrypt expert, I try to help out TrueCrypt users who are unable to access their encrypted volumes. However, once they are able to mount their volumes and are able to confirm that the volume contents are properly decrypting then TrueCrypt is pretty much out of the picture. At this point the user is typically dealing with a broken or an overwritten file system, not an encryption problem, and the job merely becomes one of data recovery or file system repair. I can suggest software to try, but that's generally as far as I go. The majority of data-recovery software providers have forums related to the use of their software, and you can get highly tailored advice there, much better than what I can provide.
     
  23. morph000

    morph000 Registered Member

    Joined:
    Apr 13, 2003
    Posts:
    20
    All too late now I know but this may help people in the future...

    1. Don't attempt any form of repair before getting sound advice on the problem as the "cure" may just make things worse. eg don't run a disk repair utility !

    2. Try the drive on another pc to eliminate the 1st pc as a possible cause.
    eg a corrupted USB driver or similar issue could give the illusion of a faulty external drive when in fact it's ok.
    It's a simple step and costs nothing.

    3. I stumbled across a very nice little shareware proggy recently from Firesage called MBRWizard.
    Well worth having (I bought it). It can repair damaged MBR's too.
    If your MBR/partition table gets toasted, you're in real trouble but doing a backup can save your bacon.
    I've learned this the HARD way over the years too...

    4. Cardinal rule of computing for decades - BACKUP,BACKUP,BACKUP,BACKUP.
    Yes the external drive is the backup medium, but you have to back that up !!!

    I have 4 external 1TB drives and have backed up every last file on them onto DVDs just in case, and the DVDs are all stored offsite too.

    Remember - data is worth far more than the Dvds and hard drives they're stored on these days. :rolleyes:
     
  24. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    @dantz
    is there any chance to contact you directly when private messanger on this forum does not work ?
    I'd be grateful for your view on my unfortunately huge problem with TC on USB HDD.

    thanks so much
    Greg
     
    Last edited: Nov 5, 2012
  25. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Your timing is unfortunate, as I'm about to leave on short trip. I'll be back next Monday.

    I prefer not to go private, as that would defeat one of the main benefits of the forums. However, if for some reason privacy is truly required then I suppose we can switch to email or messaging. (I thought the messaging system was working, so we can try that first).

    Anyway, we can figure out how to proceed when I get back. In the meantime I suggest you start a new thread, as I'm not the only TrueCrypt expert on these boards.

    And of course, there's also the TrueCrypt forums.
     
    Last edited: Nov 5, 2012
Loading...
Thread Status:
Not open for further replies.