Failing hard drive encrypted with Truecrypt

Discussion in 'encryption problems' started by Agos, Jan 7, 2014.

Thread Status:
Not open for further replies.
  1. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    I am trying to find a way to recover as much data as possible from my failing hard drive. This is a 1TB drive fully encrypted with TrueCrypt. I searched the TC site for some advice and followed the most obvious method, which is to use chkdsk.
    I was able to rescue most of the data in my outer volume but not in my hidden volume. When I mount my hidden volume (which takes close to one minute or more for some reason) I cannot access the drive with Explorer and chkdsk does not work.
    I have read the threads explaining the option to copy the data to another drive using WinHex, but I don't have 1TB space available for this data and would like to avoid the purchase of another disk (if possible).
    My understanding is that I could use some of the available disk recovery tools that can address the unreadable sector issues. For example, I have downloaded the Seagate tools for Windows since I have a Seagate drive, and I am also checking the TestDisk utility.
    My problem is whether I should run these tools after mounting the hidden volume or on the raw unmounted disk.
    Has anyone tried this type of recovery and can suggest the best options?
    This is a great forum and I found a lot of good technical advice on this subject.
    Thanks a lot for your help
     
  2. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    I wanted to add some information regarding a few steps I have taken so far

    First let me show the problem.
    Here is the mounted TC partition
    http://i.imgur.com/RhURRCY.jpg

    and TC Volume properties
    http://i.imgur.com/qEizvRj.jpg

    Here is the error I get when trying to open the mounted drive in windows (ver. 8.1)
    http://i.imgur.com/64mavan.jpg

    This is what I get when running TestDisk
    http://i.imgur.com/m5UvLJB.jpg
    http://i.imgur.com/NfYnUCu.jpg
    http://i.imgur.com/CZlMij5.jpg
    http://i.imgur.com/FtmXlKa.jpg
    http://i.imgur.com/NOAR9ap.jpg

    Also below a screenshot from looking at the partition with WinHex before mounting the volume in TC
    http://i.imgur.com/3EewmAH.jpg

    It seems that I cannot explore the partition with WinHex after mounting it as I get an error that the data is unreadable


    BTW: following is the disk info from CrystalDiskInfo
    http://i.imgur.com/DNWr50i.jpg

    What can I do next?

    Thanks a lot
     
  3. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    I tried to run the Seagate tools on the disk. It was supposed to correct the bad disk sectors but I don't see any difference.

    I can still mount the volume using the "normal" password and access the files, but when I use the password for the hidden volume TC will mount the partition but I cannot access the files.

    WinHex takes a long time to open and when I try to read the mounted hidden volume I get the following errors
    http://i.imgur.com/Ja7eY3e.jpg
    http://i.imgur.com/yg02QtN.jpg

    Navigation with WinHex is very slow so I haven't figured out if the data is completely decrypted or not.

    Hope someone has some good suggestions for some other programs or ways that I can use to repair the MFT and disk structure

    Thanks
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I know next to nothing about Truecrypt.

    But there's one thing that I've picked up: don't do anything that writes to the disk.

    Search the https://www.wilderssecurity.com/forumdisplay.php?f=39 section for posts by dantz on how to make an exact copy, and avoid messing with the original.
     
  5. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    Yes, agreed. I was looking for ways to recover the disk, but since it is damaged it makes more sense to just recover the files.
    I am still looking around this forum to find the best way to accomplish that.
    I guess the first step is to copy the data to another disk.
    Do I copy the raw data "encrypted" or do I copy the data after mounting the drive in TC?
    Also since WinHex is having problems accessing the disk (and it is not free to use) are there other programs that can be used to make a clone of the disk?
    Thanks a lot for the advice
     
  6. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    I am still working on retrieving the data on my drive.

    I went to the following post from dantz https://www.wilderssecurity.com/showthread.php?t=336671&highlight=1048576

    and tried the first few steps
    Part 1
    created the test file. Actually when I used the number suggested in the post my test file did not work. I then tried to create the test file starting from 0 to 204800 and was able to mount it in TC

    Part 2
    I can mount the test file in TC using my normal and hidden password.

    Part 3
    I cannot display any data from the test file in WinHex. The program says that it reached the end of file and only shows "UNREADABLE SECTOR" in the data window.

    Part 4
    In win 8 Disk Management my partition is shown as a RAW Healthy Primary, so I skipped this part

    I am still not sure what I can do next. I thought about copying the data from this drive to another and I bought a 3TB disk. Is there a way to perform this copy without purchasing WinHex?

    Thanks
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't know what else to do :(

    Your best chance is getting dantz's attention.
     
  8. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    Mirimir, thanks for your replies.

    I am currently trying PhotoRec.

    I mounted the TC volume and searched the files with PhotoRec. The program works well and finds a lot of the data.

    The problem is that it retrieves the files without the original directory structure and with different names.

    This is a problem for me since there are thousands of photos and hundreds of videos in the disk. These are old scanned pictures and VHS converted videos. They were organized in a directory structure by year and family name. Retrieving the files is good, but I don't know if I will be able to reorganize the data in the correct way (and it will take a long time).

    I wonder if I should try some other tools, instead.

    The problem as I see it:
    1) the disk is fully encrypted, so I cannot use standard disk tools.
    2) After I mount the TC volume in Win 8.1, I cannot access the files in Windows (I have not tried using Linux yet).
    3) After I mount the TC volume in Windows I can retrieve some files using PhotoRec (losing file/directory names).
    4) TestDisk does not retrieve the files because the file structure is corrupted.

    I tried other Windows tools like Recuva and they cannot access the mounted TC volume because the directory structure is corrupted.

    Any suggestion from Dantz or other data recovery experts would be greatly appreciated

    Thanks
     
  9. Simpson474

    Simpson474 Registered Member

    Joined:
    Sep 7, 2013
    Posts:
    9
    One of the best tools for NTFS data recovery is GetDataBack for NTFS - unfortunately it is not freeware (free evaluation software with data preview exists). With disks that already have defective sectors I normally start with ddrescue to clone the disk; you can also try GetDataBack directly, but there is the risk that the hard drive may fail completely. To start the analysis with GetDataBack you have to mount the disk in TrueCrypt and select "Systematic file system damage" in GetDataBack. Afterwards you have to select the drive letter used by TrueCrypt in GetDataBack: the option is somehow hidden in a small box called "Logical drives". After the analysis you should save the result of the analysis in order to avoid another analysis process if the program, for example, crashes.
     
  10. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    Hi, I have downloaded the demo for GetDataBack and will give it a try.

    In the meantime I am running PhotoRec. It does a good job and already found over 6000 files with about 30 more hours to go .......

    The problem is that the files are retrieved without their names and directory structure, and in my case it will be nearly impossible to reconnect all those files together.

    The good news is that if PhotoRec can find the files it means that the volume is still decrypting correctly.

    Should I try to decrypt the volume from Truecrypt? Or try to rebuild the file structure on the mounted volume?

    Thanks
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'm pretty sure that the path is to have a complete copy before writing anything.

    But that's about the extent of my Truecrypt knowledge :(
     
    Last edited: Jan 15, 2014
  12. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    Since I have been able to retrieve most (if not all) of my files with PhotoRec, I feel like I can try to recover the file structure on the failing disk.

    The files I recovered are fine, but since they lost their names and directory location I am having a hard time rebuilding the "family" photo/video archive. I just cannot always tell if a picture belongs to the APR-2011 directory or any other, and the date of when the picture was taken is lost. I am also looking at some application that can find the file information by looking at the header or any other data stored inside the file.

    Will post updates as I move forward
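
One way to rebuild a dated folder layout from PhotoRec output, as an added example that is not part of the original post: it reads the EXIF capture date stored inside each JPEG and copies the file to a folder on a different disk, leaving the source untouched. The `YYYY/MON-YYYY` layout, the function names and the sample JPEG are assumptions constructed for illustration.

```python
import shutil, struct
from datetime import datetime
from pathlib import Path

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def _ifd(t, e, off):
    """Parse one TIFF directory into {tag: (type, count, value_or_offset)}."""
    n = struct.unpack(e + "H", t[off:off + 2])[0] if off + 2 <= len(t) else 0
    recs = (t[off + 2 + 12 * i:off + 14 + 12 * i] for i in range(n))
    return {r[0]: r[1:] for r in (struct.unpack(e + "HHII", x) for x in recs if len(x) == 12)}

def exif_datetime(data):
    """Return DateTimeOriginal (fallback: DateTime) from JPEG bytes, or None when absent."""
    pos = 2 if data[:2] == b"\xff\xd8" else len(data)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        size = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        t = data[pos + 10:pos + 2 + size]  # TIFF block that follows "Exif\0\0"
        is_exif = data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0"
        if is_exif and len(t) >= 8 and t[:2] in (b"II", b"MM"):
            e = "<" if t[:2] == b"II" else ">"  # byte order of the TIFF block
            ifd0 = _ifd(t, e, struct.unpack(e + "I", t[4:8])[0])
            exif = _ifd(t, e, ifd0[0x8769][2]) if 0x8769 in ifd0 else {}
            for table, tag in ((exif, 0x9003), (ifd0, 0x0132)):
                typ, cnt, off = table.get(tag, (0, 0, 0))
                if typ == 2:  # ASCII string stored at an offset inside the TIFF block
                    return t[off:off + cnt].rstrip(b"\0").decode("ascii", "replace")
        pos += 2 + size  # next JPEG segment; truncated carved files simply end the loop

def sort_recovered(src, dst):
    """Copy carved files from src into dst/YYYY/MON-YYYY (assumed layout); src is only read."""
    placed = {}
    for f in sorted(p for p in Path(src).iterdir() if p.is_file()):
        with f.open("rb") as fh:
            stamp = exif_datetime(fh.read(1 << 17)) or ""  # metadata sits near the start
        try:
            d = datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S")
            sub = f"{d.year}/{MONTHS[d.month - 1]}-{d.year}"
        except ValueError:
            sub = "undated"  # no usable EXIF date: videos, scans saved without metadata
        (Path(dst) / sub).mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, Path(dst) / sub / f.name)
        placed[f.name] = sub
    return placed

def sample_jpeg(stamp="2011:04:17 10:30:00"):  # constructed minimal JPEG, not real data
    tiff = b"II*\0" + struct.pack("<I", 8) + struct.pack("<HHHII", 1, 0x8769, 4, 1, 26) + b"\0" * 4
    tiff += struct.pack("<HHHII", 1, 0x9003, 2, 20, 44) + b"\0" * 4 + stamp.encode() + b"\0"
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

For scanned prints the EXIF date, when present, is usually the scan date rather than the date the photo was taken, so the result is a starting point for manual sorting.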
     
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    I'm following this thread and I think you're doing great. I can't offer much in the way of advice, as you're already beyond the parts that I could help you with. Good luck, and please let us know how it goes.
     
  14. Agos

    Agos Registered Member

    Joined:
    Jan 7, 2014
    Posts:
    9
    Hi Dantz, thanks for your reply and for all the work you put in helping people in this forum.

    I have not tried to restore the MBR and file structure on the failing disk yet, because I directed my attention to another problem.

    The original backups of my files were on several different smaller disks in TC containers. Unfortunately, as I needed some space for new projects, I deleted those containers and I was planning to create new backups once I could buy a new storage unit.

    Anyway, to make the story short, I would like your advice on how a deleted TC container file could be undeleted. I checked various other posts here where the main solution seems to be WinHex if the file is not fragmented.

    I am fairly sure that at least 2 of the several other disks were not used since I deleted the TC container, but it seems that the TC files in those disks are fragmented since I cannot find a contiguous big enough sequence of random data.

    Do you have any experience with an undelete application that can find a deleted fragmented TC container? I tried Recuva, GetDataBack, Restoration, and NTFSUndelete, but none was able to find the TC deleted container.

    Do you have some success story on this?

    Thanks
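
The search for runs of random-looking data described in the post above can be scripted, shown here as an added example that is not part of the original thread: it measures Shannon entropy per 4 KiB block of a raw image and reports each run of consecutive high-entropy blocks, so a fragmented container shows up as several shorter runs. The block size, threshold, function names and the sample image are assumptions constructed for illustration; compressed photos and videos also score near 8 bits per byte, so every run is only a candidate.

```python
import hashlib, io, math
from collections import Counter

BLOCK = 4096  # bytes per analysed block (assumed to match the file system cluster size)

def entropy(block):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def random_runs(stream, threshold=7.9, min_blocks=4):
    """Return [(byte_offset, byte_length)] for runs of consecutive high-entropy blocks."""
    runs, start, idx = [], None, 0
    while True:
        block = stream.read(BLOCK)
        high = len(block) == BLOCK and entropy(block) >= threshold
        if high and start is None:
            start = idx                      # a run begins at this block
        elif not high and start is not None:
            if idx - start >= min_blocks:    # ignore runs too short to matter
                runs.append((start * BLOCK, (idx - start) * BLOCK))
            start = None
        if len(block) < BLOCK:               # end of image (or trailing partial block)
            return runs
        idx += 1

def prng(nbytes, seed):
    """Constructed stand-in for encrypted container data (deterministic, not real data)."""
    out = b"".join(hashlib.sha256(b"%d:%d" % (seed, i)).digest() for i in range(nbytes // 32 + 1))
    return out[:nbytes]

def sample_image():
    """Constructed image: free space, fragment, ordinary file, fragment, short noise."""
    text = (b"family archive index 2011\r\n" * 200)[:BLOCK]
    parts = [bytes(8 * BLOCK), prng(16 * BLOCK, 1), text * 4, prng(32 * BLOCK, 2),
             bytes(BLOCK), prng(2 * BLOCK, 3), bytes(4 * BLOCK)]
    return io.BytesIO(b"".join(parts))
```

Run it against an image file or a read-only device opened in binary mode, and compare the summed run lengths with the known size of the deleted container.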
     