Deleted TrueCrypt partition and expanded other partition across it.

Discussion in 'encryption problems' started by Paladin Knight, Jul 22, 2015.

  1. Paladin Knight

    Paladin Knight, Registered Member (Joined: Jul 22, 2015; Posts: 2)

    I looked and saw other people posting about deleted TrueCrypt partitions, but none were quite the same as my situation.
    Here is the problem: I had a 2TB drive with a 500 GB system partition and a 1500 GB data partition, give or take.
    I was messing with a VMware guest system and had expanded its virtual drive, but I needed to expand the partition from the disk management panel on the guest OS. Unfortunately I made an unbelievable noob mistake, and brought up the host system's disk management, and proceeded to delete my encrypted data partition, and then expand the system partition to fill the whole drive.
    I'm terrified that this is unrecoverable, please tell me I'm wrong. The drive has little of value in monetary terms, but it has half my life on it, emails and chat logs from people who are no longer with us, family photos, several old projects. Please, I... If I can't recover this drive it will be like my history is gone, my whole life just... never happened.
    I realized what I'd done immediately after expanding the system partition, when I noticed the size was 1800 GB instead of 100, and immediately shut my system down.
    What do I do now?
     
  2. Paladin Knight

    Paladin Knight, Registered Member (Joined: Jul 22, 2015; Posts: 2)

    Since no one has replied to tell me it's hopeless, I have to proceed on the assumption it's possible to salvage it.

    So I'm following the procedure outlined in other threads about lost TrueCrypt partitions. I bought a new 3TB drive and I'm currently copying the drive I screwed up on over to the new drive using a Debian live standard (no GUI) disk, using the command "pv /dev/sda > /dev/sdb" where /dev/sda is the old drive and /dev/sdb is the new drive.

    pv is literally just cat with a progress meter, so this is a byte by byte copy. It'll take about 3 hours.

    After that, I'll disconnect the old drive again and keep it on air-gap protection until such time as I've either rescued the data or established beyond all doubt that it's lost forever, and start going over the point at which the partition I deleted originally began with a hex editor, trying to find a likely spot, and then start copying out 21kb blocks into a file on a third drive (or the persistent storage allocation on the live USB key, whatever), and attempting to mount them as TrueCrypt volumes, advancing the start position by a byte each time, until (hopefully) TrueCrypt lets me mount the resulting file with the partition's passphrase.

    After that I have to find the end point, and copy the whole shebang out, mount it, and get my files.

    Fingers crossed, and let me know if I'm overlooking anything, thanks.
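
The "find a likely spot, carve a block, try to mount it" procedure from the post above, as an added example that is not part of the original thread. It goes beyond the post in two ways, both assumptions: it steps by 512-byte sector instead of by byte (assuming the deleted partition began on a sector boundary), and it uses byte entropy to flag where ordinary data gives way to random-looking data, since an encrypted volume has no signature to search for. The names `candidate_starts`, `carve` and `demo_image` and the 7.0 threshold are hypothetical choices for illustration.

```python
import hashlib, io, math
from collections import Counter

SECTOR = 512   # assumption: the deleted partition began on a sector boundary
HIGH = 7.0     # bits/byte; 512 random bytes measure roughly 7.5

def entropy(block):
    """Shannon entropy of a block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def candidate_starts(img, begin, end, run=8):
    """Sector-aligned offsets where ordinary data gives way to at least
    `run` consecutive random-looking sectors."""
    found, prev_high, start, streak = [], True, None, 0
    img.seek(begin)
    for off in range(begin, end, SECTOR):
        block = img.read(SECTOR)
        if len(block) < SECTOR:
            break
        high = entropy(block) >= HIGH
        if high and not prev_high:
            start, streak = off, 0          # low -> high transition
        if high and start is not None:
            streak += 1
            if streak == run:               # long enough to be worth a try
                found.append(start)
                start = None
        elif not high:
            start = None
        prev_high = high
    return found

def carve(img, offset, length, out_path):
    """Copy `length` bytes at `offset` into a file for a mount attempt."""
    img.seek(offset)
    data = img.read(length)                 # fine for header-sized carves
    with open(out_path, "wb") as out:
        out.write(data)
    return len(data)

def demo_image():
    """Constructed sample: 1 MiB of text-like filler, then 64 KiB of
    hash output standing in for encrypted data."""
    filler = (b"ordinary filesystem data " * 42000)[:1 << 20]
    rand = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    return io.BytesIO(filler + rand)

if __name__ == "__main__":
    print(candidate_starts(demo_image(), 0, (1 << 20) + (64 << 10)))  # [1048576]
```

On the copied drive, the same functions take `open("/dev/sdb", "rb")` in place of the constructed image, with `begin` and `end` bracketing the region where the deleted partition is believed to have started; compressed files also score as high entropy, so each offset returned is only a candidate to carve and test.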
     