CRC error Truecrypt can't mount volume

Discussion in 'encryption problems' started by zephy, Dec 17, 2013.

Thread Status:
Not open for further replies.
  1. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    hello all,

    Incidentally, I had a few days looking for information about CRC errors, TrueCrypt but still have not found an answer, hopefully I can find it here.

    ok .. first

    I have a 16 gb usb flash drive , and then I tried to encrypt folders on the flash drive . I tried using TrueCrypt and the results are satisfactory for several months . but a few days ago I tried to mount the volume , TrueCrypt does not want to mount the volume of flash drives and says ' incorrect volume size' and when I try to click the mount again it says CRC error .
    \ Device \ harddisk2 \ partition1 occasionally disappear from the list when I click on select devices.

    The options I had used when I created this encrypted drive a few months ago was as follows

    Standard TrueCrypt volume
    fat 32

    I tried winhex search method as the following block hex decimal 100.000 Offset = 1048576 and I can find it. then i copy block 1048576 -1248576 , make tc test and I got the result "Incorrect password or not a TC volume " I also tried a test block with hex 10000 = 65536 result was the same . from decimal 0 to 65520 I can see the word ' Unreadable sectors ' .
    I was also trying to find the top ten " 0000000000 " nothing found . I was very confused to determine the starting point .

    also
    I can see the partition as an unknown ( non partitionned media ) and change the type to fat32 I could see the sector is identical , but for boot record, backup boot is not found in Testdisk.

    until now I still do not format the flash drive, I'm afraid the data will be lost.

    please help me :'(
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Have you tried mounting the volume using TrueCrypt's "Mount Options: Use backup header embedded in volume if available"?

    Also, try this: Use WinHex to look at the very beginning of the drive (select it under Tools: Open Disk: Physical Media). What do you see there? On some encrypted USB flash drives the TC header begins at offset 0 (just like a fully-encrypted device). In this case all you would see is random (i.e. encrypted) data beginning at the very beginning of the drive and filling every bit of space in the drive.

    Also, what's at the very end of the drive? Random data? Zeros?

    CRC errors are most likely being caused by faulty hardware. Are the errors consistent, or only occasional?
     
  3. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    Thank you for your quick reply dantz.

    yes, the results are invalid volume size and CRC error.

    from the offset 0-7 = 55 4E 52 45 41 44 41 42, offset 8-15= 4C 45 53 45 43 54 4F 52, Unreadable sector

    this Unreadable sector is repeated from decimal 0 until 65520. after that I could see random data (hex).


    its random data. I could not find any zeros,mostly random data.

    this is the screenshoot for end of the drive.

    http://s18.postimg.org/erq11ez3t/SC_1.jpg

    seems consistent, some bad sector most likely in the very beginning sector of partition drive. the rest of drive still intact, i think.
    I tried hdd regenerator to repair the whole drive and the results is 82 sectors recovered.

    ------
    so today i made some progress.

    I tried Truecrypt Command Line like this :

    /q /m recovery /v \Device\Harddisk2\Partition0

    the password box menu from mount show up, asking me for password, then my password is accepted and successfully mounted the partition drive.

    http://s29.postimg.org/z434emv07/SC_2.jpg

    size of mounted partition drive : 16,008,331,264 bytes
    real size Physical drive with winhex : 16,008,609,792 bytes
    at the same time I also made ​​a backup volume directly to the partition successfully via volume tool.
    now i can see the partition drive with raw healthy primary partition in disk management. Previously showed as unallocated drive.
    but now I face a new problem... when I try to click on select devices, the list only showing removal disk 2 with size drive... i cant find the \Device\Harddisk2\Partition0. and when click ok in removal disk 2 its showing as \Device\Harddisk2\Partition1 not Partition0.

    http://s16.postimg.org/qi7l09kjp/SC_3.jpg
    http://s27.postimg.org/qry6lwiub/SC_4.jpg

    Partition drive is also not accessible.

    http://s29.postimg.org/igg7pvpmf/SC_5.jpg
    http://s22.postimg.org/cg51ihgap/SC_6.jpg

    also i tried to restore the volume for physical drive via backup external that i created before, and it accepted my password as well, after that crc error appeared.

    http://s11.postimg.org/t1igbs58j/SC_7.jpg
    http://s27.postimg.org/rlt5xhieb/SC_8.jpg

    this is the last result in winhex after try that backup.

    http://s13.postimg.org/rvjscvpbb/SC_9.jpg

    now i am stuck how to get rid of that bad block.:(
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    You appear to be increasing the complexity of the situation by writing to the damaged disk. I suggest you stop doing that, as it's far too risky and there are better approaches.

    It would be helpful if you could clearly answer the following question:

    When (in TrueCrypt) you select the entire device and then attempt to mount your volume using the embedded backup header (using "Mount Options" etc.), is your password accepted? That is, you are not presented with the "Incorrect password or not a TC volume" prompt?

    We don't care about the CRC errors, that's just a function of your damaged drive. We also expect to see some filesystem errors when you attempt to browse through your files, so don't worry about that right now. First we need to confirm whether or not your embedded backup header is still usable.

    If it is then it's merely a matter of using WinHex to clone the appropriate portion of the drive (probably the entire device) and saving it onto fresh media as a file, which will probably be mountable by TrueCrypt. Then you can engage in data-recovery procedures without being hampered by defective media.

    You've got to get your data off that damaged drive before things get any worse.
     
  5. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    yes, I have tried it several times using the 'Mount Options> backup header embedded in volume if available' of the physical drive, as you have said in the first post and it always says 'invalid volume size'.My password seems well received and as far as using mount option the 'embedded backup header' physical drive I did not see any "Incorrect password or not a TC volume".
    'Incorrect password or not a TC volume' came out only once when I tried to click on the 'auto-mount device'.
    so after that what I'm trying to do is just use the TrueCrypt command line recovery for the partition0, password accepted and its mountable.Then i try to use tools backup volume header and success create backup of it.
    so do you think if this command line or restore backup volume to physical drive can overwrite the entire drive? I was so scared that my data is overwritten since you say like that.
    whether it is still necessary to find a starting point block outer volume sector in physical drive with the help of winhex?
    until now I still didn't do anything else on the drive. I'm just waiting for the next step WinHex clone from you dantz.
     
  6. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    Maybe this will help. Maybe not. I certainly don't have the expertise of dantz. But I was able to recover my data after Windows overwrote the first portion of the partition.

    Here's the story. TC was able to find and use the backup header; and accepted my password; but I still couldn't get to or use the data in the messed up partition despite thrashing about with several different data recovery programs.

    So after a while it occurred to me that part of the process of creating the TC partition is having TC format the partition (NTFS is what I had chosen when TC asked what formatting to use). So I wondered whether the encrypted NTFS formatting instructions might also have been overwritten.

    OK. The next part is very important. I decided to try to some experiments, But first, I copied the entire messed up partition to a different disk and did all my experiments with the copy. Do not perform any write operations on your original messed up partition! Make a copy and try to recover your data using the copy!

    So I made the copy of the damaged partition; then used the normal TC procedure to mount the partition. Then I used a quick format command - from either Windows Explorer or the disk management console in Win7 as I recall; and quick formatted the mounted partition as NTFS (while the volume was opened in TC -- i.e., with password entered etc). And lo and behold, Recuva file recovery software (Piroform) was then able to find files whereas it could not previously. Sadly, the file names were gone, so the files had gibberish names; and in some cases of files in complex directory structures, the directory structures were not in tact -- i.e., the gibberish named files weren't necessarily kept together in the same directories as they had been before. BUT the data in every file was fully in tact. So I had tons of files and then had to set about adding names to the recovered files, etc.

    Perhaps this will help. Be sure to only work with a copy!

    __
     
    Last edited: Dec 19, 2013
  7. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    helloSB, thanks for your reply

    In my case TC wasn't able to found the backup header embedded in physical drive.I always get only an 'invalid volume size'.Maybe because the volume header is damaged,corrupted or lost by bad sector.
    I've also tried using several different data recovery programs when the physical drive is still in a state of RAW (unallocated). some of them find something, some are not finding at all. probably because it is still in the encryption.

    For the first time I also had a thought like that for my filesystem Fat32 (raw physical drive), right before partition0 is recovered using command line. but I was so scared the data file is being overwritten or maybe lost, so I decided not to do any re-formatting.

    it seems that the method can only be used is to clone entire disks or partitions in order to save the data. I am also still waiting for the next step from Dantz. thanks for the input S.B! I will try your method also.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    The "invalid volume size" message usually occurs when the volume is smaller than the minimum possible size (i.e. under approximately 16 KB), although there can be other reasons as well. I'm not sure why it's popping up now, but possibly it's related to your hardware issues.

    Let's do a quick test of your volume's embedded backup header to make sure it's intact and is located where we think it is. We have to select it and then copy it off the drive before we can test it properly. Here are the steps: (If this works then the next steps will be to clone your entire volume, saving it as a file.)

    1. Open WinHex

    2. Ensure that you are in Read-Only mode (Options: Edit mode: Read-Only mode)

    3. Ensure that the Offsets column is displaying in Decimal mode (The offset heading row should read 0 through 15, not 0 through F). If it's not in Decimal mode then click once in the offset column to toggle it back.

    4. Tools: Open Disk: Physical Media: select your flash drive
    (should open as "Removable medium 1" or similar)

    5. Navigation: Go to Offset: New Position: 131071 Bytes (decimal)
    relative to "End, (back from)"

    (Note your current location. This is typically the starting offset of the embedded backup header for a fully-encrypted device, including most flash drives)

    6. Edit: Define Block

    7. Beginning: [Under "Beginning", leave the "0" alone. In the right hand dropdown, select "Current Position". Your current position's offset should now appear in the "Beginning" box.]

    8. End: [Copy the number that is currently displayed in "Beginning" and add 65,535 to it. (I just use Calculator). Paste this number into the "End" box, replacing the "0" entry. Leave the "End of block" setting alone.]

    9. Click "OK". This should highlight the selected block (although it's too large for all of it to appear on the screen).

    10. The above should result in a 65,536 (64KB) block selection, which ideally encompasses the entire embedded backup header from beginning to end. Check in the bottom right corner of the WinHex screen to see if the "Size" is 65536.

    11. Edit: Copy Block: Into New File

    12. Select a pathname for the new file. Any filename will do (how about "EmbeddedBackupHeaderTest.tc"), but make sure you select a location on a different drive, not the damaged one. When you're ready, click "Save".

    13. WinHex opens the newly-created file in a separate tab. We don't need this file to be open, so right-click on the filename tab and select "Close".

    14. Close WinHex.

    15. Open TrueCrypt

    16. Choose a free drive letter

    17. Click on "Select File"

    18. Navigate to the location of "EmbeddedBackupHeaderTest.tc" (or whatever you named it) and click "Open"

    19. Click "Mount"

    20. Enter the usual password

    21. Click "OK"

    Did the file-based volume "mount" without issue? (That is, no error messages so far?) Is it now listed in the TrueCrypt window, next to the drive letter that you selected? (Don't try to browse the volume's contents, as there won't be any. The embedded backup header doesn't contain a file system or any user data. This is just a test to see if it is mountable and works as expected.)

    22. In the TC window, click on Volume Properties and write down the exact size of the volume in bytes. This number represents the size of your original volume, not the current 64KB test file.

    23. I hope you were able to get this far! If so, dismount the volume and let me know how it all went.

    (Hopefully the above steps are correct, but there could be a minor error here or there. If anything doesn't seem to work right then please let me know.)
     
    Last edited: Dec 19, 2013
  9. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    I just followed the instructions above as you said very clearly and carefully ... then yes, boom! .. it's working! I am very happy at this time.
    I am able mount and dismount the 'EmbeddedBackupHeaderTest' without experiencing any problems via TC. But when I try to browse/open the contents of the volume, its says ''the drive is not accessible,Reached the end of the file". I wonder what happens to the volume?
    exact size of the volume in bytes TC :
    16,008,331,264 bytes.
    so far I have not experienced a strange problem. so I'm ready to go to the next step :)
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Great! But it's time to get some sleep over here. I'll post the rest of the steps tomorrow.
    The error messages are normal for this situation. It's just a test, the volume isn't actually there. TrueCrypt is reporting the wrong volume size because it gets that data from the header, which hasn't changed.
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    I've already written your cloning procedure, but I'm rewriting it now, as I've noticed a sizing discrepancy that has forced me to change my methodology.

    You stated that the exact size of the mounted TrueCrypt volume in bytes (according to TC's Volume Properties screen, I hope) was 16,008,331,264 bytes.

    To determine the total size of the unmounted volume, which includes the four 64KB headers that it is wrapped in, we need to add 256KB (262,144 bytes) to the above number, resulting in a total unmounted volume size of 16,008,593,408 bytes.

    I was hoping that your volume filled the entire flash drive from beginning to end, so we were just going to clone the whole thing, but you have stated that your flash drive's total physical size was 16,008,609,792 bytes (according to WinHex), which is 16KB larger than the size of the file that we need to create.

    Please re-check and confirm these numbers as best you can, while I modify my procedure so that everything will (hopefully) turn out properly.
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    OK, assuming that your previous numbers were correct, here is a procedure you can try. If it turns out that your numbers are different then we will need to make some adjustments before you begin:

    1. Choose a formatted location that has adequate free space for the 16GB file that we are going to create. It would be preferable if the file could be contiguous, and hopefully there will be some extra space, although this is not essential.

    2. Open WinHex

    3. Close any files that might already be open in WinHex (right-click on the filename tab and choose "Close".

    4. Tools: Disk Tools: Clone Disk

    5. Set up the Source:

    a) Click on the "Disk" icon (the first icon) to open the "Select Disk" dialog box

    b) Under "Physical Media", select the flash drive that you want to clone

    c) Click "OK"

    "Source" should now say "Source: medium", and the Source box should be displaying something like "Removable medium (16 GB)"

    6. Set up the Destination:

    a) Click on the "File" icon (the second icon) to open the "Make Backup/Create Image File" dialog box

    b) Choose the location where you want to save the output file.

    c) Name the output file whatever you wish, such as "FlashDriveClone.tc"

    d) Click "Save"

    "Destination" should now say "raw image file", and the Destination box should be displaying the full pathname of the file that you are about to create.

    7. (removed, skip this step)

    8. "Log procedure silently" should already be selected. After the procedure is finished, a log file named something like "Cloning Log.txt" should be created in your temp folder. It will also display on the screen.

    9. The "Write pattern for damaged source sectors" can be whatever you want, but I would just leave it as "UNREADABLESECTOR". Based on how many damaged sectors are in the source drive, you might see some of this in the output file. Can't be helped.

    (I inserted some extra steps here, so the numbering system will go 10a, 10b, 10c etc. for a little while)

    10a. On the right side of the dialog box, look at "Number of sectors to copy" box (which is probably greyed out at the moment). This number represents the size of the entire physical drive. Is the number in this box "31266816"? If not, stop here and tell me what you're seeing.

    10b. Uncheck "Copy entire medium" if it's selected.

    10c. Set "Start sector (source)" = 32
    (Based on the size of the TC volume, we're going to exclude the first 32 sectors from the cloning operation by beginning on Sector 32)

    10d. Set "Number of sectors to copy" = 31266784
    (According to your numbers, this is the exact size [in sectors] of the TC volume, including its headers. It should also represent the total number of sectors remaining on the physical drive, after we skip the first 32.

    11. I would leave "Avoid damaged areas" unselected for the first attempt, as this will allow WinHex to try to recover more of your data. However, if there are too many bad sectors and the procedure seems to get clogged up by them then we can try using this option to skip through them more quickly during a second attempt. I've never attempted to clone a physically damaged flash drive before, so I'm not sure how this part will go.

    12. When you're all set, click "OK"!

    13. It might take awhile. When it's finished, the timestamped "Cloning Log" report should pop up. Note the number of sectors that were successfully copied, and the number of bad sectors in the source. Close it when done.

    14. WinHex will post an "X sectors copied" message and will open the target file. Go ahead and close the target file, as we don't need to see it at the moment.

    15. Close WinHex

    16. Open TrueCrypt

    17. Choose a free drive letter

    18. Use "Select File" to select the newly created file

    19. Click "Mount"

    20. Click "Mount options" and select "Use backup header embedded in volume if available", then click "OK".

    21. Provide your password and click "OK" to mount the volume. Hopefully it mounted, just like the test file did.

    Now comes the interesting part. We don't know whether or not your volume's file system has been damaged, or what we might need to do about that.

    We also don't know if the target file was created correctly, particularly the file size, which has to be exactly right. If it's not then the volume will mount without decrypting, which will be rather disconcerting, but don't worry, we can fix that if needed.

    22. Try looking at the mounted volume using Windows Explorer. If you can browse through your files then stop the procedure here and focus on making backup copies of your important files. If you can't see your files then continue on to the next step.

    23. If Windows wants to format the drive, say "No" (or Cancel, I forget which).

    24. Open WinHex, select "Tools: Open Disk" and select the Logical volume based upon the drive letter that you mounted the volume to, then click "OK".

    25. Are there any folder or file names listed in the top half of the screen? If so, great! It's decrypting and at least some of your data is available.

    26. If you didn't see any folder or file names in the previous step then visually inspect the first few sectors of the volume. We want to see some non-random data (any amount will do) in either the hex column or the text column.

    a) In the text column, do you see anything recognizable such as "NTFS", "a disk read error occurred", "NTLDR" or any other recognizable text?

    b) In the hex column, do you see any large groupings of zeros such as "00 00 00 00 00" (or longer)?

    27. If you don't see anything like that then scroll down a bit lower and look some more. If nothing turns up and everything looks totally random then we may need to adjust the size of the target file, which is fairly easy to do once we figure out what we want. You shouldn't need to clone the whole thing again.

    OK, that's enough writing on my part. I hope my math was correct. How far were you able to get in the above procedure?
     
  13. zephy

    zephy Registered Member

    Joined:
    Dec 17, 2013
    Posts:
    6
    omg! :blink: :eek: .... you're a genius Dantz, I do not know what else to say.
    I followed your steps again from the beginning and just stop at parts twenty-two.
    As a result, I was finally able to browse my mounted volume again. My files are still intact and nothing broken or missing altogether. it's like magic.
    you're right '31266816' this is the exact size of the entire sector physical drive in winhex before clone the disk.
    I don't know if the system volume is damaged or not, but I've tried with TestDisk and it said volume system is damaged. But the partition is still visible at that time and labeled as unknown.
    I really did not expect anything like this. The age of the flash drive is still relatively new. I just bought it about 5 months ago.
    from now on I will move the data out and create backup as much as possible.
    thank you so much for all the efforts you did. I owe you Dantz! :D
     
Loading...
Thread Status:
Not open for further replies.