Deleted TrueCrypt partition, need to recover | Help from dantz

Discussion in 'encryption problems' started by ChrisdB, Aug 19, 2013.

Thread Status:
Not open for further replies.
  1. ChrisdB

    ChrisdB Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    2
    Location:
    Europe
    Hi,

    First, I have already read these topics:
    https://www.wilderssecurity.com/showthread.php?t=350387
    https://www.wilderssecurity.com/showthread.php?t=232599

    There are several ways to do it, but I don't want to do something wrong. So please guide me.

    To make a long story short:

    Before, I had 3 disks: 2x 1TB and 150GB

    1st 1TB disk |50GB DATA| 450GB DATA|150GB TrueCrypt partition|280GB Backup|

    2nd 1TB disk |280GB Backup| 150GB TrueCrypt partition|450GB freeData|

    3rd 150GB disk |150GB TrueCrypt partition|

    The 3rd disk was resynced and disconnected from the PC (my only rescue).

    On the 1st and 2nd disks, the TrueCrypt partition (150GB) and backup (280GB) were mirrored in Windows 8.

    When I was moving my data to hardware RAID, I accidentally deleted the partition before I broke the mirror. So the backup and TrueCrypt partitions were deleted from both disks.

    With the TestDisk software I was able to recover the backup (280GB) partition, but I am still not able to recover the TC partition. The main problem was that it was a dynamic disk.

    I checked both the 150GB disk and the 1TB disk in WinHex, looking for the TC partition. The 150GB disk is working without any problem, but it hasn't been resynced for 1-2 months, so some data is missing.

    So my questions are:
    1. How can I find the header on the working 150GB disk and then find it on the 1TB disk in WinHex?
    2. Is it better (and how) to find the TC header of the partition, save it to a file and then mount it?
    OR
    to find the start of the TC partition on the 1TB disk and copy the header from the 150GB disk? Or to create a new partition at the offset where the original was?

    Thank you in advance
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Before I can answer your questions #1 and #2 I need to know how you created the 150GB encrypted partition on the 150GB disk. Did you create and encrypt that partition independently, or is that partition merely a clone of an unmounted TC partition from one of the 1TB disks? (Or vice-versa?)
     
  3. ChrisdB

    ChrisdB Registered Member

    First I created the partition in Windows, and after that I encrypted it.
     
  4. dantz

    dantz Registered Member

    OK, it sounds like the TrueCrypt partition on your 150GB disk was encrypted independently, and thus it would not have the same headers as your other two (lost) TrueCrypt partitions, which means that we can't use it to help find them. The headers would be completely different, even if the passwords were identical.

    I'm a bit worried that you used TestDisk to recover one or both of your 280GB partitions, as they border directly alongside your TrueCrypt partitions. If the 280GB partitions weren't put back exactly right then there is a risk that the TrueCrypt partitions might have been partially overwritten. I guess we'll see how that works out, but in the future, remember this: Never write to a disk that has lost partitions or lost files on it that you want to recover unless you already have a full backup of the disk.

    Did you use TestDisk on both disks? I hope not. In a situation like this you should first break the mirror and then perform your recovery attempts using a single disk.

    I also don't understand something. I'm not familiar with how Windows 8 mirroring works, so please explain this to me: Your two 1TB disks appear to have completely different layouts. How do you mirror these disks? Apparently Windows 8 allows you to mirror specific partitions, no matter what their locations? And if so, is the mirroring active at all times, whether the partitions are mounted or unmounted?

    I will mention this: The techniques that I've outlined in some of my other posts for finding lost TrueCrypt partitions are almost identical to the methods I've described for finding lost container files. However, partitions have a better chance at recovery because there is no risk of their being fragmented. In both cases the procedure is the same: You have to find what you think is the beginning of the lost partition (or file), and then test it (by creating a small test file and trying to mount it with TC) to confirm that you've found the right spot and that the header is intact.

    In your case the lost partitions should be fairly easy to locate, since they are sandwiched in-between your other existing partitions. If there were no partition gaps (which, however, can sometimes be present) then they would follow directly after the last byte of the previous partition and WinHex would be able to find them quite easily.

    I need a bit more background information: What did you do to mistakenly delete the partitions? Did you delete all of them, and then recover what you could using TestDisk?

    And for your information, TrueCrypt partitions are fully encrypted from beginning to end, and thus they have no identifying characteristics. This is probably why TestDisk couldn't find them.
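
The locate-then-test procedure described in the post above, as an added sketch that is not part of the original thread: it scans a read-only image copy for the first sustained run of random-looking sectors after a known partition end (allowing for a partition gap) and carves a small test file from that offset. The entropy threshold, run length, test-file size and the sample image are assumptions constructed for this example; compressed data is also high-entropy, so a candidate is confirmed only by trying to mount the carved test file.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # bytes per sector (assumed)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def find_candidate_start(image: bytes, search_from: int,
                         threshold: float = 7.3, run: int = 16):
    """Byte offset of the first sector at or after search_from that begins
    `run` consecutive high-entropy sectors, or None if there is none."""
    first = -(-search_from // SECTOR)  # round up to a sector boundary
    streak = 0
    for s in range(first, len(image) // SECTOR):
        if entropy(image[s * SECTOR:(s + 1) * SECTOR]) >= threshold:
            streak += 1
            if streak == run:
                return (s - run + 1) * SECTOR
        else:
            streak = 0
    return None

def carve_test_file(image: bytes, offset: int, length: int) -> bytes:
    """Copy `length` bytes from the candidate offset; the image is not modified."""
    return bytes(image[offset:offset + length])

def build_sample_image() -> bytes:
    """Constructed sample: plaintext partition, 4-sector gap, random-looking region."""
    plain = (b"BACKUP-FILE-RECORD;" * 2000)[:64 * SECTOR]
    gap = bytes(4 * SECTOR)
    rnd = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(300 * SECTOR // 32))
    return plain + gap + rnd

if __name__ == "__main__":
    img = build_sample_image()
    # Start searching right after the last byte of the previous partition.
    start = find_candidate_start(img, search_from=64 * SECTOR)
    test = carve_test_file(img, start, 128 * SECTOR)  # test size is arbitrary here
    print(f"candidate start: byte {start} (sector {start // SECTOR}), "
          f"test file: {len(test)} bytes")
```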
     