Damaged truecrypt partition on 2nd hard drive after windows install

Discussion in 'encryption problems' started by chrome_sturmen, Feb 2, 2014.

Thread Status:
Not open for further replies.
  1. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Hey guys, maybe someone can offer me some pointers here?

    One of my hard drives is wholly encrypted by truecrypt, the way I created it was to format the disk as 1 partition, then with truecrypt I chose "encrypt a non-system partition/drive". I created this volume around 2 years ago and have never had any trouble with it, in fact after some years working with truecrypt, this is the very first time for me to have any trouble at all with it.

    It was working fine until last night - I installed windows server 2012 to test it - now note that I installed server to the c: drive, did not touch or modify my other hard drives in any way, nor do any formatting or partitioning work of any sort (I left existing file system intact).

    Anyway server installed fine, and when I booted back into my windows 7 snapshot I was mounting my truecrypt partitions, and one of them gives me the error message "wrong password or not a truecrypt partition". I am able to mount the volume only when I choose the option in truecrypt to "use backup header embedded in volume if available". This mounts the partition, but my data is not there, and I get the error "this volume does not contain a recognized file system".

    I opened the physical volume in winhex, and see some files that were created last night (when I installed server) such as bootsect.bak, bootmgr, system volume information, and several more.... I am hoping that windows server did not for some reason write files to the disk and thus destroy my truecrypt volume.

    I'm not sure if the installation of windows was incidental to the problem or not, but it sure seems strange that the problem occurred directly after having done the installation.

    If anyone has any advice, please feel free to guide me - I had about 80 gigs of data on that volume that I'd rather not lose (unfortunately I don't have the data backed up)

    Thanks *puppy* o_O *puppy*
     
    Last edited: Feb 2, 2014
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    As you suspect, installing Windows while your encrypted partition was connected to the system was your big mistake. This is a very common scenario. You're supposed to know not to do stuff like that, but for some reason the TC Users' Guide fails to mention it.

    Windows doesn't "understand" encrypted partitions. It thinks they are broken and it will sometimes try to "fix" them, especially during installations. There is a workaround (changing the partition type), but that information is also missing from the Users' Guide.

    My guess is your volume header was probably overwritten, and possibly some of your data as well. Yes, Windows probably chose to write some stuff to that disk after it "fixed" your broken partition, as it would have considered the space to be unused and available. But as long as you have your embedded backup header you can recover whatever is left of your volume, which should be quite a lot.

    Question: When you use TrueCrypt to mount the volume using the embedded backup header, which are you selecting, a partition, or an entire unpartitioned disk?

    A partition will appear as "Device\Harddisk1\Partition1" (or higher). It can be any disk number from 0 on up, but the partition number must be 1 or higher.

    An entire hard disk will appear in the selection screen as "HardDisk1" (or any other disk number), and it will resolve to "Device\Harddisk1\Partition0" in the main TrueCrypt window. (Note that "Partition0" indicates that you are mounting the entire disk, not a partition).
     
  3. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Much obliged dantz *puppy*

    I'm selecting a partition, looks like so:

    harddisk2:
    device\harddisk\partition1

    this should be an interesting learning experience
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The first thing to try is to mount the volume using the embedded backup header, and then examine it with WinHex (or the hex editor of your choice) to see if it contains any recognizable data.

    If Windows didn't change the partition's starting offset then the mounted volume should contain a certain amount of recognizable "plaintext" (i.e. decrypted) data in the form of known filenames, readable portions of text files, strings of zeros, readable Windows code, readable embedded error messages, etc.

    However, if Windows decided to relocate the partition's starting point then the volume might possibly still mount, but it will not decrypt, and as a result the mounted volume's content will appear to consist of a solid block of encrypted data (i.e. random, unrecognizable data from beginning to end)

    I'm using WinHex, so my instructions will be written for that, but if you want to use HxD or some other hex editor then you will have to translate my instructions:

    1. Download and install WinHex (or a different hex editor). The evaluation copy will be fine for starters, but later on if we need to copy your volume onto another disk in order to recover it then you will need to obtain a licensed copy, as the evaluation copy has built-in limitations.

    1a. To play it safe, make sure WinHex is in Read-Only mode: "Options: Edit Mode: Read-Only mode", then click "OK" if you changed the setting.

    2. Use TrueCrypt to mount the partition-hosted volume to a free drive letter, using "Mount Options: Use backup header embedded in volume if available".

    3. In WinHex: "Tools: Open Disk"

    4. Under "Logical Volumes", select your mounted TrueCrypt volume by selecting the drive letter that you assigned it to earlier, then press "OK"

    5. Here you are, hopefully looking at the raw contents of your volume. The first order of business is to see whether or not you can find any unencrypted data.

    5a. There is normally a "directory browser" just below the WinHex toolbar. It lists files, folders and/or partitions, if present. Do you see anything recognizable in this area? Any known folder names, for example? If not, or if you're not sure, go on to the next step.

    5b. Below the directory browser you will see the hex and text columns. Each row of data is displayed in both hex and text. (They are different ways of representing the same data.) Look in the (right-hand) text column first. Are there any recognizable words such as NTFS, NTLDR, any written text? Scroll down a short ways if you don't see anything but gibberish. Scroll down farther if you like. Look for any obvious patterns as well.

    5c. The presence of large blocks of zeros is also a good indicator. Most encrypted data contains very few (if any) of these, whereas plaintext under an organized file system is usually loaded with them. Look in the Hex column for any "strings" of zeros, that is "00 00 00 00 00" (or longer). Start at the top and scroll down a bit if you don't see any right away.

    (You can get back to the very beginning of the volume by clicking once within the hex or text column and then pressing "Ctrl+Home". You can also press Ctrl+End to go to the end of the volume, or drag the scroll bar to get anywhere in between. Your current location will be indicated in the Offset column. There are other methods too, of course, but I'm not going to go into all of that at this point.)

    OK, that's enough for now. So - what have you found? A certain amount of plaintext, I hope? Even a small amount will be sufficient proof of decryption, so if you have found that then we can go on to the next step. (Otherwise we will search a little deeper using another method, just to make sure.)

    6. Close WinHex when you're done viewing the volume's contents, but since your TrueCrypt volume is still mounted, please do this one last thing:

    7. In the TrueCrypt interface, with the volume selected, click on the "Volume Properties" button and write down the Size of the volume in bytes, as we might need this information later. Then dismount the volume.

    The next steps will depend upon what you have found thus far.
     
    Last edited: Feb 2, 2014
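The three plaintext checks from steps 5a-5c (runs of zeros, readable strings, and uniform "gibberish" everywhere else) can be automated. The script below is an added example, not dantz's code or a WinHex feature; it assumes you have a raw image of the mounted volume as bytes, and it ships with a constructed sample image (SHA-256 chain standing in for ciphertext, plus a tail resembling the BOOTMGR error text seen in this thread) so it runs offline.

```python
"""Added example, not from the thread: automates the plaintext checks from
steps 5a-5c (zero runs, readable ASCII strings, uniform 'gibberish') plus a
byte-entropy measure, over a raw image of the mounted volume.
Assumes `data` holds the volume's bytes (e.g. read from an image file)."""
import hashlib
import math
import re
from collections import Counter

CHUNK = 4096                                  # inspect the image in 4 KiB blocks
ZERO_RUN = re.compile(rb"\x00{32,}")          # 32+ consecutive zero bytes
ASCII_RUN = re.compile(rb"[\x20-\x7e]{16,}")  # 16+ printable ASCII bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte; ~8.0 means indistinguishable from ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_chunk(data: bytes) -> str:
    """'plaintext' if the block shows structure a file system would leave behind."""
    if ZERO_RUN.search(data) or ASCII_RUN.search(data) or entropy(data) < 7.5:
        return "plaintext"
    return "encrypted"

def scan_image(data: bytes, chunk: int = CHUNK) -> dict:
    """Count plaintext vs encrypted blocks and record (offset, string) pairs."""
    result = {"plaintext": 0, "encrypted": 0, "strings": []}
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        result[classify_chunk(block)] += 1
        for m in ASCII_RUN.finditer(block):
            result["strings"].append((off + m.start(), m.group().decode("ascii")))
    return result

def pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the demo repeats."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_image() -> bytes:
    """Constructed image: three 'encrypted' blocks, then a block resembling the
    volume tail seen in the thread (a zero run and the BOOTMGR error text)."""
    tail = b"\x00" * 512 + b"disk read error occurred\x00\r\nBOOTMGR is missing\x00\r\n"
    return pseudo_random(3 * CHUNK) + tail.ljust(CHUNK, b"\xa5")
```

Offsets in the returned strings list can be cross-checked against the Offset column in the hex editor; a volume that mounts but does not decrypt will report every block as "encrypted".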
  5. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    When I mount the volume, winhex gives me the message "volume does not contain a recognizable file system"
    Also, this message appears in a popup window:
    "Cannot read from Drive T:. Sector 3,473,942,530 does not exist. Messages of this kind will not be displayed here again for the remainder of this session."

    In the directory browser, I see only a folder called Root Directory.



    In the bottom pane hex and text columns, I see only gibberish, no recognizable file names etc - until I reach the very end of the block, where it reads:

    80023912336 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 disk read error
    80023912352 6F 63 63 75 72 72 65 64 00 0D 0A 42 4F 4F 54 4D occurred BOOTM
    80023912368 47 52 20 69 73 20 6D 69 73 73 69 6E 67 00 0D 0A GR is missing
    80023912384 42 4F 4F 54 4D 47 52 20 69 73 20 63 6F 6D 70 72 BOOTMGR is compr
    80023912400 65 73 73 65 64 00 0D 0A 50 72 65 73 73 20 43 74 essed Press Ct
    80023912416 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F 20 72 65 rl+Alt+Del to re
    80023912432 73 74 61 72 74 0D 0A 00 8C A9 BE D6 00 00 55 start Œ©¾Ö U


    I found a pretty large block of zeros starting at offset 69769610624, all the way to 69769612272
    After these zeros are some lines of characters with patterns 6E 6E 6Exxx, then B9 B9 B9xx, these patterned lines go on about 30 lines before returning to gibberish, gibberish continuing until the end where I see the disk read error lines that I posted above.

    Wot next? I would be relatively astounded to see any data be resurrected from this volume, thanks windows :thumbd: :thumbd:
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No, this is good news! The volume is still decrypting, so now it's just a matter of using the correct type of data recovery software on it. There will probably be lots of recoverable data, but it will involve some effort on your part. But I need to sleep now, so I'll post more info on that tomorrow.
     
  7. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Dantz, I really appreciate your help - I was able to recover all my data using Restorer Ultimate. I mounted the volume in truecrypt, then Restorer scanned the volume and found my directories and recovered them intact.

    Now the question is, why does windows write files to disks other than the one you specify during installation? Would it not be understood by them that this could cause people a lot of trouble, time and lost data? I also have a 500 gig wholly encrypted truecrypt volume - I'm lucky it didn't write files to that one rather than the 80 gig disk, I guess I'm "lucky" in that respect.

    So if you have disks in your case that are whole encrypted volumes, I guess you have to open up your computer case, unhook them, and then install windows, then reconnect them? Seems a bit strange in this day and age... But I guess if you don't want to go to that trouble, watch the hell out !!

    Thanks again *puppy* :thumb: *puppy*
     
  8. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    So let me see if I understand this correctly... say you've got 2 terabyte hard drives encrypted at the partition level with truecrypt. When you want to install windows, you had better unplug those drives from the system first, because windows will, without your permission and without you having any choice, write some files to one of your disks, effectively destroying your encrypted partitions?


    Also, regarding my data recovery, nearly everything was recovered, but a couple of files that were quite large disappeared without a trace; the recovery programs find no trace of them at all (though there are similarly sized files that recovered without problem). Anyone have any insight into this?

    thanks o_O
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    One possibility is that the missing files are of a type that is not automatically supported by the recovery program you used. Most data-recovery programs will perform a certain amount of signature-based file recovery, but not all file signatures are in the program's database. Sometimes you have to customize the recovery by adding your own signatures so that it will search for those file types as well. Could that be what's happening?

    You could try some other data-recovery programs. Photorec is quite good at signature-based recovery (and that's all it does), but you need to check the supported files list to make sure your file types are on it. GetDataBack is better at piecing together partially-damaged filesystems, as long as there is enough left to work with. There are many other programs, of course. Even WinHex can do certain types of data-recovery, and its big advantage is that you can see what you're doing as you try to recover the file (but you have to be a fairly good WinHex user to understand what you're seeing.) I don't have enough personal experience with other data-recovery programs to specifically recommend them. I'd suggest searching the forums to see what others have successfully used.

    As for your questions about why and how Windows interacts with (and sometimes damages) TrueCrypt volumes, I am currently writing a post that I hope we can put up as a sticky, and it should answer most of your questions.
     
    Last edited: Feb 11, 2014
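To make the signature-based recovery described above concrete, here is an added example (not dantz's code, and not how PhotoRec or WinHex are implemented internally): a minimal carver that scans a raw image for known header magic, cuts each hit at its footer when the type has one, and lets you register your own signature for a type the built-in table lacks. The "MYFMT" type and the sample image are constructed for the demo.

```python
"""Added example, not from the thread: a minimal signature-based carver of the
kind described above. It finds known header magic in a raw image, cuts each
hit at its footer when the type has one, and lets you register your own
signatures for file types the built-in table does not know."""

# name -> (header magic, footer magic or None); these are the real magic bytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gz":  (b"\x1f\x8b\x08", None),           # gzip has no footer magic
}

def add_signature(name: str, header: bytes, footer: bytes = None) -> None:
    """Register a custom type, like adding a signature to a recovery tool's database."""
    SIGNATURES[name] = (header, footer)

def carve(image: bytes, max_len: int = 1 << 20) -> list:
    """Return (offset, type, data) for every header found, sorted by offset.
    Without a footer the file length is unknown, so up to max_len bytes are taken."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            off = image.find(header, start)
            if off < 0:
                break
            end = None
            if footer is not None:
                fpos = image.find(footer, off + len(header))
                if fpos >= 0 and fpos - off <= max_len:
                    end = fpos + len(footer)
            if end is None:
                end = min(off + max_len, len(image))
            found.append((off, name, image[off:end]))
            start = off + 1
    return sorted(found)

def build_sample_image() -> bytes:
    """Constructed image: filler, a tiny PNG-shaped blob, filler, a gzip header,
    filler, then a blob of a made-up 'MYFMT' type that no default table knows."""
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-stub" + b"IEND\xae\x42\x60\x82"
    return (b"\xa5" * 100 + png + b"\xa5" * 50 + b"\x1f\x8b\x08gzdata"
            + b"\xa5" * 20 + b"MYFMT\x00custom payload")
```

A large file of a type the table does not know is simply never reported, which is one way the "vanished without a trace" symptom arises; registering its header with add_signature makes it show up.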
  10. delboy1977

    delboy1977 Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    3
    Location:
    Ireland
    Dantz

    I have followed your instruction from various threads and found them very useful. I had a 1tb hdd that a windows image was copied on to from my 500gb C Drive.

    Using the tc recovery disk I was able to decrypt the hdd. However after rebooting my pc booted from the image on the 1tb disk. The previous 500gb C drive says that the disk is not formatted.

    The remaining 500gb of decrypted data on my 1tb disk is unreadable. Movie files that won't play and word docs that are unreadable and .gz files that are unreadable.

    Any advice help would be appreciated.
     