Corrupted Truecrypt volume, requesting recovery help

Discussion in 'encryption problems' started by DataGuy432, Nov 20, 2013.

Thread Status:
Not open for further replies.
  1. DataGuy432

    DataGuy432 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    4
    Hey guys, let me first say that this forum has been a huge help for me in the past and most of the time I've been able to resolve my issues simply by reading others' posts. Well, today I encountered a problem that I just couldn't resolve by following along previous threads, though I tried. I'm hoping someone would be able to give me some helpful advice for my issue. :)

    Here's my dilemma: I have a microSD card that I have created an encrypted Truecrypt volume on (encrypted the whole partition on it), which I use to store important files. When I want to access the drive, I put the microSD card into a little USB adapter I have, then plug it into my PC, and then mount the partition with Truecrypt. This has worked great for me over the past years. Today, when trying to mount my drive, Truecrypt seemed to freeze up. I ended up having to unplug the USB adapter to get Truecrypt to respond. After doing this, I went to mount the drive again, which appeared to work successfully (no errors). It shows up in Truecrypt as the following:

    http://s17.postimg.org/n46jlomkv/tc_mounted1.png

    However, when I attempt to browse the volume, windows throws an error asking if I want to format the drive, to which I click "No", then it says the following:
    Code:
    P:\ is not accessible.
    The volume does not contain a recognized file system.
    So, I am unable to access the files on the drive. :( The first thing I did at this point was make a backup image of the microSD in linux using the following command:
    Code:
    dd if=/dev/sdb of=/mnt/backups/backup.img
    I began reading about how I might be able to recover my files and tried going through the steps in this guide: http://pastebin.com/5nNTg3Y1
    However, I was unsure as to the original filesystem type, but I assumed it was FAT32. After completing Step 9 in the above guide, I tried listing the files on the drive, but it showed nothing, just the root folder. I quit out of TestDisk without hitting "Write", which I'm assuming means that it didn't write any changes to the drive. I thought maybe I had just selected the wrong filesystem type, so I went back through those steps again, but tried selecting FAT16 and NTFS instead. Unfortunately, neither one of those seemed to work either (I never progressed past Step 9).

    The next thing I tried was doing the "Restore Volume Header" in Truecrypt. I tried this, restoring from a header backup located on the volume itself. There were no errors during this process. However, after doing this, I was still unable to access my files. At this point, I am still able to mount the volume in Truecrypt, but when I try to browse it I get the same Windows error: "The volume does not contain a recognized filesystem". I'm not sure if I messed up anything by doing these previous steps, but if so I'm hoping I can still work from the backup image I made, if all else fails.

    At this point, I did some reading on the forums here, specifically these posts:
    https://www.wilderssecurity.com/showthread.php?t=337041
    https://www.wilderssecurity.com/showthread.php?t=336671

    I tried going through the steps in the latter post, which include opening the volume in WinHex and making a test file of the volume header alone. However, I am unsure as to where my correct offset would be for this. I tried the numbers in that other post but it didn't seem to work and the test.tc file I created would not mount in Truecrypt. I'm kinda lost at this point and really not sure what step to take next. I would greatly appreciate any help or advice anyone can give, as I'm really kinda depressed at this point and thinking I might not get my files back.

    If anyone can give any help at all, it would be greatly appreciated! Thanks so much for taking the time to read this.
     
  2. DataGuy432

    DataGuy432 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    4
    So in further attempts to recover my data, I've been trying my best to figure out how to extract those volume headers and test to see what exactly the problem is. I've got a new microSD card, same size, and wrote my backup image of the original card to it using dd, so I have a fresh card to work with. I've redumped the image using dd and confirmed that the MD5 sum matches the original backup, just to verify that the image is intact. I mounted the encrypted volume in Truecrypt, and took note of some of the information there:

    http://s22.postimg.org/ys56nsrld/tc_properties.png

    I then opened the mounted Truecrypt volume ( P: drive) in WinHex and this is the info it's showing:
    Code:
    Drive P:
    File system: FAT32
    Used Space: 121 MB (126,745,600 bytes)
    Free Space: 0 B
    Total Capacity: 968 MB (1,015,516,672 bytes)
    Bytes per cluster: 512
    Free clusters: 0
    Total clusters: 247,550
    Bytes per sector: 512
    Usable sectors: 247,550
    First data sector: 3900
    In WinHex, I can see what looks like garbled data from offset (decimal) 0000000000 to 0000001008. After that is all zeros from 0000001024 to 0000003072, with the exception of hex chars 0x55 0xAA spaced evenly 512 bytes apart 4 times (the chars appear at the end of each 512 byte section).

    At offset 0000003072 to 0000003162, I have a chunk of text that contains:
    Code:
    ë<MSDOS5.0
    and
    Code:
    )ÁbÚNO NAME    FAT32 
    This makes me think the FAT32 header or w/e is still intact, but I'm not really sure. After this part, it's mostly zeros, with some scattered characters in between the zeros.

    At offset 0000016384, there's another chunk of garbled text that continues until offset 0000016896. There are a few more similar sized chunks of garbled text, separated by zeros, up until around offset 0002014208.

    At offset 0002017280, I can see some legible text from a text file that I know was on the drive! :D I'm guessing this means that the drive IS being decrypted and that maybe my files will be recoverable after all. I'm wondering if there's a way I can just pull the files straight from the drive from within WinHex? The plaintext is easy enough to copy, but there are some other filetypes on there I'd like to recover as well which I'm not sure how I would extract from the hex.

    Sorry for the long posts, I'm just trying to be as descriptive as possible in hopes that maybe someone can give me some helpful advice. Does anyone have any advice as to how I can fix this drive or at least extract some of the files on it?

    Thanks for your time.
     
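The boot-sector remnant described in the post above (the `ë<MSDOS5.0` jump/OEM bytes, `FAT32` type string and the 0x55AA trailers) can be located and decoded from a raw `dd` image. This is an added example, not code from the thread or from WinHex; it scans sector boundaries for FAT32 boot-sector signatures, decodes the BIOS Parameter Block, and compares the layout the BPB claims against the size of the mounted volume. The sample image is constructed here and uses the geometry WinHex reported (512 bytes/sector, 512 bytes/cluster, first data sector 3900, 247,550 clusters); the reserved-sector and FAT-size values that produce that geometry are assumptions.

```python
import struct

SECTOR = 512  # bytes per sector, as WinHex reported for the mounted volume

def find_fat32_boot_sectors(image: bytes) -> list:
    """Offsets of sectors with a jump opcode, 'FAT32   ' at byte 82 and a 55AA trailer."""
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if image[off] in (0xEB, 0xE9)
            and image[off + 82:off + 90] == b"FAT32   "
            and image[off + 510:off + 512] == b"\x55\xAA"]

def parse_bpb(sector: bytes) -> dict:
    """Decode the FAT32 BIOS Parameter Block fields that fix the on-disk layout."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sector, 11)
    total_sectors, = struct.unpack_from("<I", sector, 32)
    sectors_per_fat, _ext_flags, _fs_ver, root_cluster = struct.unpack_from("<IHHI", sector, 36)
    first_data = reserved + nfats * sectors_per_fat
    return {"oem": sector[3:11].decode("ascii", "replace"),
            "label": sector[71:82].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "first_data_sector": first_data,
            "total_clusters": (total_sectors - first_data) // spc,
            "root_cluster": root_cluster}

def check_geometry(bpb: dict, volume_bytes: int) -> list:
    """Heuristic sanity checks of a BPB against the size of the volume it sits on."""
    problems = []
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors_per_cluster is not a power of two")
    claimed = bpb["total_sectors"] * bpb["bytes_per_sector"]
    if claimed > volume_bytes:
        problems.append("BPB claims more sectors than the volume holds")
    elif claimed < volume_bytes // 2:
        problems.append("BPB describes less than half of the volume")
    return problems

def build_sample_image() -> bytes:
    """Constructed image following the WinHex description: noise up to 1008,
    zeros, four 55AA-terminated sectors, then a FAT32 boot sector at 3072."""
    img = bytearray(b"\xA7" * 1008 + b"\x00" * 16)
    img += (b"\x00" * 510 + b"\x55\xAA") * 4
    bs = bytearray(SECTOR)
    bs[0:11] = b"\xEB\x58\x90MSDOS5.0"                 # jump + OEM name
    struct.pack_into("<HBHB", bs, 11, 512, 1, 32, 2)   # 512 B/sector, 1 sector/cluster, 32 reserved (assumed), 2 FATs
    struct.pack_into("<I", bs, 32, 251450)             # total sectors: 3900 + 247,550 clusters
    struct.pack_into("<IHHI", bs, 36, 1934, 0, 0, 2)   # sectors per FAT (assumed), flags, version, root cluster
    bs[71:82], bs[82:90], bs[510:512] = b"NO NAME    ", b"FAT32   ", b"\x55\xAA"
    return bytes(img + bs)

if __name__ == "__main__":
    image = build_sample_image()
    for off in find_fat32_boot_sectors(image):
        bpb = parse_bpb(image[off:off + SECTOR])
        print(off, bpb, check_geometry(bpb, 1_015_516_672))
```

Run it against the real image with `open("backup.img", "rb").read()` in place of the constructed sample; a BPB whose claimed size disagrees with the volume size is one concrete sign that the file system, not the TrueCrypt layer, is what was damaged.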
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    At this point there is no reason to create a test file (using WinHex) in order to locate your TrueCrypt header. Your TC header is already working just fine, as shown by the fact that your password is accepted and your TC volume mounts to whatever drive letter you select.

    The fact that Windows cannot make sense of your volume's contents is of no concern to TrueCrypt. TrueCrypt operates on the block level and isn't even file-system aware.

    What I'm trying to say is, you don't have a TrueCrypt problem, you have (apparently) a file system and/or data problem. Your mounted volume used to contain a working file system and data, but somehow it has become damaged (partially overwritten, screwed up, who knows?)

    But since TrueCrypt is still able to mount your volume, you don't need to troubleshoot that part of the process. Instead, troubleshoot the contents of the volume. I suggest using data recovery software (and make sure you use it to explore the mounted volume by selecting the drive letter that you temporarily assigned to the volume during the mounting process) to see if any data can be recovered, or at least identified. Try GetDataBack, PhotoRec, etc. You can also use WinHex to examine the mounted volume to see if you can spot anything recognizable in there.

    If you get no results whatsoever, not even a filename or a folder name or any written text whatsoever, then you can start wondering whether or not your TrueCrypt volume is working properly (i.e. decrypting your data) and you can think about troubleshooting TrueCrypt itself. But first try to recover some data.

    edit: Whoops, I see that you entered a new post before I was done writing my reply to your first one. Some of this information might not be relevant. Wait a sec and I'll try to address it.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    WinHex has a "file recovery by type" feature, but I haven't used it enough to provide usage details. Access it via "Tools: Disk Tools: File recovery by type". PhotoRec is also very good at "file carving" in the absence of a functional file system.
     
  5. DataGuy432

    DataGuy432 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    4
    Hello dantz :) thanks so much for posting and helping me out! It's good to hear that the Truecrypt header is working properly, this gives me more hope that I'll be able to recover my data.

    I just downloaded GetDataBack and ran it on the mounted drive. While it was running, I saw a few file names flash across the screen that I recognized, as if it was discovering files on the drive. However, when it finished running, it showed no files to be recovered.

    I took this screenshot during Step 2 which shows some more drive information, maybe it's useful...

    http://s2.postimg.org/51fau7knt/getdataback_01.png

    I will try experimenting more with WinHex and maybe some other recovery programs to see if I'll have better luck with those.

    Thanks so much for your help and response. :)

    EDIT: Here's a screenshot of what showed up while GetDataBack was running.
    http://s24.postimg.org/6rz8xz2o5/getdataback_02.png

    I am running PhotoRec now to see if it can recover anything, will post back with the results.
     
    Last edited: Nov 21, 2013
  6. DataGuy432

    DataGuy432 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    4
    Progress!! After running PhotoRec a couple times, specifying which file types I wanted to recover, I was able to recover most of my text files which were on the drive! :D This is awesome and I'm absolutely ecstatic!

    However, there is one very important file still on the drive I have been unable to recover, which is a bitcoin "wallet.dat" file. I am going to try some more things to try to recover this file. I think the file size was around 150 KB so it's not that big.

    I tried running PhotoRec again, specifying that I only wanted to recover *.dat files, but it didn't seem to work. I'm wondering if maybe it's looking for a different type of *.dat file header, so maybe that's why it's not finding it?

    Perhaps if I can figure out what the correct file header looks like, I can try searching for the beginning of the file and extracting it that way, I don't know. I will post back after further efforts and let you know how it goes.

    Thanks again for helping :)

    UPDATE: I'm still working on recovering the wallet.dat, following this guide: https://bitcointalk.org/index.php?topic=22697.0
    I've been a bit busy and it's a slow process so haven't had as much time to work on it, but I will post back to let you know if I'm successful or not.
     
    Last edited: Nov 22, 2013
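The post above asks what header to search for. A `.dat` extension carries no on-disk signature, which is why a generic "*.dat" carve has nothing to key on; a Bitcoin Core wallet.dat of that era is a Berkeley DB btree file, whose first page is a metadata page with the btree magic 0x053162 at byte 12, the page size at byte 20 and the last page number at byte 32 (little-endian on x86). This added example, not code from the thread or from PhotoRec, scans a raw image of the mounted volume at 512-byte cluster boundaries for such a metadata page and carves the whole database using the page count it records. The sample image is constructed; the version value 9 in it is only sample data.

```python
import struct

SECTOR = 512              # FAT32 cluster size WinHex reported, so files start on 512 B boundaries
BTREE_MAGIC = 0x053162    # Berkeley DB btree metadata-page magic (DB_BTREEMAGIC)

def bdb_meta(page: bytes):
    """Return (pagesize, last_pgno) if the bytes look like a Berkeley DB btree
    metadata page (magic at 12, pagesize at 20, last_pgno at 32), else None."""
    if len(page) < 36:
        return None
    magic, = struct.unpack_from("<I", page, 12)
    pagesize, = struct.unpack_from("<I", page, 20)
    last_pgno, = struct.unpack_from("<I", page, 32)
    if magic != BTREE_MAGIC or pagesize & (pagesize - 1) or not 512 <= pagesize <= 65536:
        return None
    return pagesize, last_pgno

def carve_bdb_files(image: bytes) -> list:
    """Scan cluster boundaries for btree metadata pages; for each, report the
    (offset, length) of the database: (last_pgno + 1) pages, clipped to the image."""
    found, off = [], 0
    while off + 36 <= len(image):
        meta = bdb_meta(image[off:off + 36])
        if meta is None:
            off += SECTOR
            continue
        pagesize, last_pgno = meta
        length = min((last_pgno + 1) * pagesize, len(image) - off)
        found.append((off, length))
        off += -(-length // SECTOR) * SECTOR   # resume after the carved database
    return found

def build_sample_image() -> bytes:
    """Constructed image: filler, a fake three-page btree database at offset 2048, zeros."""
    meta = bytearray(4096)
    struct.pack_into("<III", meta, 12, BTREE_MAGIC, 9, 4096)   # magic, version (sample), pagesize
    struct.pack_into("<I", meta, 32, 2)                        # last_pgno: pages 0..2
    db = bytes(meta) + b"\x01" * 4096 + b"\x02" * 4096
    return b"\xCC" * 2048 + db + b"\x00" * 8192

if __name__ == "__main__":
    image = build_sample_image()
    for off, length in carve_bdb_files(image):
        print(f"btree database at offset {off}, {length} bytes")
        with open(f"carved_{off}.dat", "wb") as out:
            out.write(image[off:off + length])
```

A carved file is only recoverable in full if its clusters were stored contiguously; the page count check at least tells you how many bytes to expect, so a truncated carve is visible immediately.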