Diskpart clean command on TrueCrypt disk

Discussion in 'encryption problems' started by omfgz, Feb 20, 2014.

  1. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    So the other day I was trying to downgrade Windows 8 to Windows 7 and Windows setup wouldn't let me do it because of a different file system. So I Googled how to solve this problem; the solution was to clean the disk partition and recreate it. What I did not realize was that my TrueCrypt drive was attached, and I accidentally selected the wrong drive and ran the "clean" command on it. Right after running this command I realized what I had done and I panicked. This drive had all the projects I had ever worked on and a lot of memories and pictures.

    The drive is 500GB. The whole drive was encrypted with TrueCrypt and I also do not have backup headers. After reading on the internet I found out that you could get it working with the help of WinHex, but I was unsuccessful in doing so. I have already made a clone of the drive using WinHex, but I need assistance recovering my data. I was storing all my data on this drive, dating back to 2003.

    I'm willing to pay someone if they can successfully recover my data. Do any of you guys here offer this kind of service?
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I can try to help you online at no charge, but I won't accept any actual data disks. Too risky.

    If the entire disk (not just the partition) was encrypted, have you tried mounting the volume using the "embedded backup header" option? Can you get it to mount (that is, to accept your password?)

    If the partition was encrypted then I imagine that the partition definition was the first thing to go when you ran DiskPart Clean, but if you stopped the command before it wiped the entire volume then it might be possible to recover TrueCrypt's embedded backup header from the end of the volume and then use that to recover whatever is left of your volume.

    How long did you let the Clean command run? Was it "Clean ALL", which writes zeros to everything?
     
  3. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    I really appreciate your help; this disk has all my life's work on it.

    I just tried the restore from embedded backup header option, but that just gives me a wrong password message. Correct, the whole disk was encrypted.

    I used the "clean" command, not "clean all"; it was instant, no delay.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The Diskpart Clean command (without the "ALL") doesn't wipe out that much, just the beginning and I think a little bit of the end of the disk, so there's still some hope remaining. It probably wiped out your TrueCrypt volume header, but it's possible that the embedded backup header still remains, as this is located approximately 128 KB back from the very end of the disk, or possibly even farther back if your volume was partition-based.

    We can search for your embedded backup header, but in order not to waste time I would first like to confirm which type of encryption you were using. I realize that you said that you encrypted your entire disk, but it's been my experience that most TrueCrypt users think that, and in the end we often discover that they were mistaken and that they were actually using partition encryption. And it makes a big difference in terms of the recovery effort.

    Here are some ways to tell:

    If, when you first set things up, you began with a RAW unpartitioned disk then you most likely encrypted the entire disk. (Relatively few users actually set things up this way. The vast majority of users end up encrypting the single, maximally-sized partition which almost completely fills their entire disk, and then they think that they have encrypted the entire disk.)

    If, when you set things up, you encrypted your existing data "in-place", then you encrypted a partition.

    Have you ever selected your volume by clicking on "Select Device"? If so, the way that you selected your volume can also show us which type of volume it was. For example, did you select a partition that was listed underneath a Harddisk number? Something like "\Device\Harddisk0\Partition1"? Then it was a partition.

    Or did you just select an entire disk, such as "Harddisk 1"? (It can be any disk number from 0 on up.) Then it was a hard disk.

    Here's another way to tell: After selecting the device and clicking "OK", your selection appears in the Volume window. What did you see there? Did the entry end with "Partition0"? Perhaps it looked something like this: "\Device\Harddisk1\Partition0". It could be any hard disk number, but it must be "Partition0" if you encrypted your entire RAW disk. If the entry ended in "Partition1" or higher then you encrypted a partition.

    One more way to tell: Did Windows ever recommend initializing your encrypted disk? This prompt will only come up if the entire disk was encrypted.

    On the other hand, if your disk contains an encrypted partition then Windows will generally ask you if you want to format it.

    I'm sorry to bug you with all of these questions, but it's hard enough trying to find the embedded backup header and we don't want to waste our energy looking in the wrong place.
     
  5. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    I think the encryption type was AES. I remember selecting the "encrypt whole drive" option when I encrypted the drive, but it was not a RAW drive; there was data already on it when I encrypted it. But I do remember seeing "\Device\Harddisk0\Partition1" while my disk was mounted under TrueCrypt. Windows never prompted me to initialize the disk ever, it always asked me to format the drive, so now I'm beginning to think it might have been a partition, not the entire disk.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It sounds to me like it was definitely a partition, which is actually better in your case, as it's more hopeful. Perhaps all that Diskpart Clean did was wipe out your partition table and some nearby data. We'll see. One way to find out is to use a hex editor to view the disk's contents.

    Try this:
    Download and install the evaluation copy of WinHex from http://www.x-ways.net/winhex/index-m.html

    Open WinHex

    Click on "Options: Edit Mode" and make sure you are in Read-Only mode

    Click on "Tools: Open Disk"

    Look under "Physical Media" and select the physical drive that contains your TrueCrypt volume, then click "OK".

    Below the menus and the toolbar is the "Directory Browser" area. Normally this area would list all existing partitions, folders, files etc., but in your case I think it will be completely empty, thanks to Diskpart. If you see anything in here then please let me know.

    Below the directory browser is the actual data, displayed in both hex and text format. Every row of hex characters is also displayed as text, usually to the right of the hex columns.

    The "Offset" column is used for navigation. If you click anywhere within the column then you will toggle back and forth between decimal display and hexadecimal display, so be careful where you click. Leave it on decimal display (normal-looking numbers, not hexadecimal numbers which use letters as well as digits) for now.

    We need to check a few locations. For starters, you should be seeing a lot of zeros in the Hex column ("00 00 00 00 00 00" etc.) and the text equivalent (".............") in the Text column, as this is how Diskpart Clean leaves a disk.

    Click once in the hex data, then press PgDn repeatedly to move one screenful at a time. Are you seeing a lot of zeros? You should be, as they're normal on this part of the disk, even without running diskpart clean.

    OK, you don't need to click PgDn all day, there are shortcuts.

    Most partitions nowadays (on data disks, that is) begin at offset 1,048,576 (decimal), and TrueCrypt stores its volume header at the very beginning of the partition, so we ought to look there to see whether or not Diskpart has spared your TC header. Try this:

    "Navigation: Go To Offset"
    Type "1048576" (without the quotes) in the "New Position" box. To the right of the box, make sure it says Bytes (decimal). (It's a toggle)

    relative to "beginning" should already be selected

    Click "OK" to go there

    What do you see? If you see a large block of zeros that suddenly changes into a large block of random-looking data beginning at offset 1048576, jackpot!

    I'll wait for your report before going any further.
     
  7. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    There's still hope. You need to look near the end of the partition to see if the embedded backup headers are still there, plus look for a large block of random data from that point backwards towards the beginning. I'll post some instructions tomorrow. Sorry, I don't have a lot of time right now, I'm just trying to catch up.
     
  9. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    No worries, I'm just glad you're helping me out. :)
     
  10. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    Hey, sorry to bug you, but I was wondering if you had found any time? I'm really desperate. :oops:
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    OK, I will try to get things moving, but I'm about to leave for 10 days, so there's going to be another pause. (Unless we can bring in another WinHex/TrueCrypt user who knows how to do this sort of thing!)

    Open your disk in WinHex, as before

    Double-click on the "Partition 1 H:" entry to open that partition in a separate tab

    Navigation: Go To: End of file
    (this takes you to the end of the partition)

    What do you see here? Hopefully it looks like a lot of random data. (If you see a lot of zeros here then the end of your partition probably got cleaned by the DiskPart Clean command, or you formatted the partition. An encrypted partition should be random from beginning to end.)

    Are your offsets in Decimal mode? If so, try this:

    Navigation: Go To Offset

    Fill in the "Go To Offset" box as follows:

    New Position: 131071 Bytes (decimal)
    relative to: End (back from)
    Click "OK"

    If the backup header still exists then your cursor should now be located at its very beginning. Your cursor should be in the leftmost column, and it should be just underneath a sector boundary (a line across the display). The data both above and below your cursor should look completely random. Hopefully that's what you see.

    Now we will take a "test sample" of this data and test it to see whether or not it contains a valid TrueCrypt header.

    Press "Ctrl+Shift", then tap the "End" key
    This selects a block of data from your cursor's location to the end of the partition

    Look in the bottom right corner of the screen. The block size should be 131072 bytes.

    Edit: Copy Block: Into New File

    in the dialog box, select a location on a different disk, give the file a recognizable name such as "EmbeddedHeaderTest1.tc", then press "Save"

    The newly-created file opens in another tab in WinHex. We don't need to look at it, so close the tab by right-clicking on it and selecting "Close"

    Close WinHex

    Open TrueCrypt

    Click on "Select File" and follow the dialog to select the test file that you just created
    In the TrueCrypt screen, assign (click on) a free drive letter
    Click on "Mount", supply the password and click "OK".

    If your password is accepted then a brief cheer is in order, as this would mean that you've found an intact backup header. (In this case the next steps will involve determining the size of the original partition, saving it as a file, restoring its header, mounting it in TrueCrypt and exploring its contents using data-recovery software.)

    However, if you see the "incorrect password" error then we'll have to reconsider things. Maybe you created a new partition by mistake? If so, it might be in a different location than the original, and this would explain our failure to find TrueCrypt's embedded backup header.

    I will be here until mid-day tomorrow, then I'm outta here, so try to post back before then.
     
  12. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    What about the location where the embedded backup header is supposed to be? (131071 bytes back from the end?) What does it look like there? If you see random data at that location then continue the procedure, create the test file and try it.

    If that doesn't work then ask yourself whether or not you might have accidentally deleted and then recreated the partition, because if you did then the embedded backup header might not be where we thought it was. (Open the disk, not the partition, and try the procedure over again, just in case your previous partition extended to the very end of the disk).

    I have to leave now, sorry. I'll be back on the 16th. Good luck!
     
  14. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    Still zeros! I don't remember formatting it; all I remember is just unplugging it right away. I'm starting to lose hope. Thank you though!
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm back from my trip now. Is there anything further to report?
     
  16. omfgz

    omfgz Registered Member

    Joined:
    Feb 20, 2014
    Posts:
    9
    Nope, everything you wanted me to check shows 0's. Is there a way you can remote in to my desktop and guide me through? I know it is asking for a lot, but I will compensate you for your time. Please let me know. Thank you.
     
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm super-busy right now and I barely even have time to visit this forum. Maybe when things ease up a bit I might have time to do something like that, but not now.

    Here's how an encrypted partition is organized: [Beginning of partition][64KB volume header][64KB hidden volume header, or random data if not used][Outer volume containing file system and user data (plus nested hidden volume if used)][64KB embedded backup header for outer volume][64KB embedded backup header for hidden volume, or random data if not used][End of partition]

    All of the above should look like a huge block of random data from start to finish, with nothing to indicate where one part ends and the next part begins. The only way you can "find" anything is to go to the location where you think it's supposed to be, and then test that particular data (if possible) to see if it behaves appropriately. For example, if you can figure out where a certain header is supposed to be, and you know the correct password, then you can copy off the desired data and then test it to see if you got it right.

    We mainly want to find your 64KB "embedded backup header for outer volume". Actually, all we need is the first 512 bytes of it, as that will be sufficient. However, your partition seems to have lots of zeros in places where there ought to be random data. It's possible that your embedded backup header got wiped out.

    Your only hope is that the partition definition may have changed. Maybe you cleaned the disk instead of the partition. This would remove the partition definition. Then maybe you created a fresh partition. If so, the new partition might have a different ending offset. Since the way we try to locate an embedded backup header is to look backwards a specific distance (either 64KB or 128KB) from a partition's ending offset, we might be looking in the wrong place. The question is, where is the right place? Where did the partition used to end? (This is a long shot, but it's all we've got).

    After running Clean, was your original partition gone? Did you create a new partition?

    Also, use WinHex to examine the rest of the partition. Is there still a huge block of uninterrupted random data filling most of the partition? There should be. (Unless you performed a full format, that is, in which case it will mostly be zeros.)
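    The procedure dantz gives in posts 11 and 17 (go 131071 bytes back from the end of the partition, copy the last 131072 bytes into a .tc test file, try to mount it with your password; and, when the partition definition may have changed, work out where the partition used to end by looking for where the random data stops) can be scripted against a disk image. The Python below is an added example written for this thread, not code from the thread, from TrueCrypt or from WinHex. The disk image is constructed inside the script; the region sizes (64 KiB header areas, 128 KiB of backup headers at the end) are taken from dantz's layout description, and the entropy threshold, the pseudo-random bytes standing in for ciphertext and the assumption that "clean" zeroes only the first MiB of the disk are the example's own.

```python
"""Added example: carve TrueCrypt's embedded backup headers from the tail of a
partition image and judge whether a region looks encrypted (random) or cleaned
(zeros). Offsets follow the layout given in the thread; the disk is constructed."""
import math
import random
from collections import Counter

MIB = 1048576
HEADER_AREA = 65536            # 64 KiB header area; only its first 512 bytes are needed
BACKUP_AREA = 2 * HEADER_AREA  # 128 KiB: outer backup header + hidden backup header


def layout(partition_size):
    """Byte offsets, relative to the partition start, of the regions dantz describes."""
    return {
        "volume_header": 0,
        "hidden_volume_header": HEADER_AREA,
        "user_data": BACKUP_AREA,
        "backup_header_outer": partition_size - BACKUP_AREA,
        "backup_header_hidden": partition_size - HEADER_AREA,
    }


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for ciphertext, 0.0 for an all-zero block."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(block):
    """A scripted version of the WinHex eyeball test: 'zeros', 'random' or 'other'.
    The 7.9 bits/byte threshold is this example's choice; use it on blocks of 64 KiB
    or more, since small blocks cannot reach full entropy even when random."""
    if not any(block):
        return "zeros"
    return "random" if shannon_entropy(block) > 7.9 else "other"


def carve_backup_headers(image, partition_end):
    """The last 128 KiB before partition_end: the same bytes WinHex selects from
    131071 back from End through Ctrl+Shift+End. Save these as a .tc file to test."""
    return bytes(image[partition_end - BACKUP_AREA:partition_end])


def find_last_random_block(image, block=HEADER_AREA):
    """Scan backwards from the end of the disk for the last block that still looks
    encrypted and return its end offset, a candidate for 'where the partition used
    to end'. Returns None if nothing on the disk looks random."""
    for end in range(len(image), block - 1, -block):
        if classify(image[end - block:end]) == "random":
            return end
    return None


def build_sample_disk(partition_start=MIB, partition_size=4 * MIB, tail_zeroed=0):
    """Constructed disk image (assumption, not real data): leading zeros, a partition
    of seeded pseudo-random bytes standing in for ciphertext, then unallocated zeros.
    tail_zeroed > 0 wipes that many bytes at the end of the partition, as if Clean
    had reached it. Returns the image and the partition's end offset."""
    rng = random.Random(20140220)  # fixed seed so every run gives the same image
    disk = bytearray(partition_start + partition_size + 512 * 1024)
    disk[partition_start:partition_start + partition_size] = rng.randbytes(partition_size)
    end = partition_start + partition_size
    if tail_zeroed:
        disk[end - tail_zeroed:end] = bytes(tail_zeroed)
    # Simulated "diskpart clean" (not "clean all"): this example assumes it zeroes
    # the first MiB, partition table included, and leaves the partition's data alone
    disk[0:MIB] = bytes(MIB)
    return disk, end


if __name__ == "__main__":
    disk, end = build_sample_disk()
    print("backup header region:", classify(carve_backup_headers(disk, end)))
    print("last random block ends at:", find_last_random_block(disk))
    disk, end = build_sample_disk(tail_zeroed=MIB)
    print("after a tail wipe:", classify(carve_backup_headers(disk, end)),
          "/ last random block ends at:", find_last_random_block(disk))
    # Write the candidate backup headers out, the way WinHex's "Copy Block: Into New
    # File" does; this is the file you would hand to TrueCrypt's "Select File"
    with open("EmbeddedHeaderTest1.tc", "wb") as f:
        f.write(carve_backup_headers(disk, find_last_random_block(disk)))
```

    To use it on a real clone, read the image file in place of build_sample_disk (for a partition opened on its own, partition_end is simply the file length; for a whole-disk image, feed find_last_random_block the disk and use the returned offset). The entropy test only says whether bytes look like ciphertext; as dantz says, the only real confirmation is a successful mount of the carved file with the correct password.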
     
  18. rojer64

    rojer64 Registered Member

    Joined:
    May 3, 2014
    Posts:
    3
    Hey all, I'm glad I found this thread; very promising. My accident happened during a spring cleaning (SSD, XP>8.1, alignment, recycling of backup drives (!)). This happened just at the end of it, during the final backup, and I lost it all, original and copy. That's 2TB I can't mount following similar circumstances. Diskpart starts HD# at 1, unlike the rest of us. I slipped and cleaned my TC data disk dead.

    The disk has a backup header and so do I, stored somewhere. Restoring returns 'not a truecrypt volume or wrong pwd/key'. I suspect Windows did something to the drive: just after the 'initialize' question (NO), I still found the extended partition (100%) to have a drive letter. I removed it, but it looks like some damage was done... no formatting though.

    Several attempts at restoring the header having failed, I find myself having to investigate and would love to have a clue where to begin: WinHex is a scary tool.

    Can someone think of similar instructions tweaked for a full disk? That's a non-bootable data disk.

    Sorry, I just happen to pass by and grab for myself; unfortunately, I have about nothing to bring along. Unless I can record a song?

    Good luck to all with your precious data.
    Roger
     
  19. rojer64

    rojer64 Registered Member

    Joined:
    May 3, 2014
    Posts:
    3
    Oh, I failed to mention: I have made my case worse by running TestDisk and restoring a trace Intel partition I assumed was TC's. Not that I know much more now, but I plan to get there :)
     
  20. rojer64

    rojer64 Registered Member

    Joined:
    May 3, 2014
    Posts:
    3
    After a few hair-pulling hours, I'm glad to say that I managed to get my data disk back, albeit with a 6-hour chkdsk ahead. What really happened is that the disk was write protected! Not in the file system but in the disk attributes! TC would issue the same error message as for a pwd error, which makes sense in a security application, I suppose. This is why the backup wouldn't copy back to disk to the primary BS.

    For those coming after me, I want to say that the TrueCrypt implementation looks incredibly robust to me. I played with both boot sectors (different copies, both bad), diskpart / cleaned the drive half a dozen times, just to make sure, until I triggered this file protection, which might be a design thing. I was playing like a child with too big a toy. TC wouldn't break. I concurrently formatted/repartitioned/undeleted 4 other encrypted partitions on two similar 2TB disks that were part of the day's mess; none would break: I got all my files back. Try that with BL...

    So I suppose I'm done here. Just want to say thank you for this awesome piece of free software, and I mean free in the right sense, the one that matters: freedom.

    Have a nice weekend.

    Roger.
     
  21. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Thanks and congratulations. I doubt if I ever would have suspected that sort of thing. Nice going!
     
  22. C4lvin

    C4lvin Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    4
    Hey dantz,
    I did cheer just now. I deleted via "clean" (not "clean all") my TrueCrypt volume. I followed your description and found the end of the drive to be just zeros. If I scroll up, I find short "markers" (what I call them for now, see picture) and I found the end of the partition (like you said, just random stuff). I went 131071 bytes back (needed to switch from hexadecimal to decimal, took me a while) and voila, the file from the pasted data worked with my password from TrueCrypt.

    Now my first try was to use this file to restore the TrueCrypt volume via TrueCrypt itself. I think what it did was paste the first 64kb or so to the beginning of the volume, and I can mount it now, but cannot open it (Windows tells me to format, etc.)

    It would be amazing if you could take up where you left off before.

    Looking forward to it!
    Regards, Leo
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm sorry Leo, I simply don't have time right now. I'm busy packing for a major hiking trip and will be gone for quite awhile. I'll check back when I return on October 5th. Please remind me then.
     
  24. C4lvin

    C4lvin Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    4
    OK, have a good trip! Regardless, I will tell you my actions before I forget them.
    After "repairing" my volume header via TrueCrypt I can now mount the drive, but Windows shows "format drive..."
    I read here that you can recover data from the drive as long as it's mounted via GetDataBack. I tried it with the NTFS version (since my drive is 931GB I think I used NTFS) and while scanning (12h) it said it found a bunch of bmp user-defined files. But the overall result was "no filesystem was found". I selected the options suggested in the link above.

    I don't need the data fast, so I will just wait... maybe ;)

    regards
     
  25. C4lvin

    C4lvin Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    4
    So I tried recovering the partition table via TestDisk, following this description, since I figured that this is causing my trouble. It did not work, but it did take like 30h. It would be helpful to know how many bytes diskpart deletes with the clean command.
    Good night

    http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume
    I used this description (recover under windows)
     