Flash Drive Mounts Using TrueCrypt But Can't Access Files

Discussion in 'encryption problems' started by JohnP624, Mar 15, 2014.

Thread Status:
Not open for further replies.
  1. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    For some unknown reason I was having difficulty mounting my TrueCrypt flash drive. The entire drive was encrypted with TrueCrypt and I never had a problem. The error message stated that I should restore the header, which I did using the embedded backup header. I then entered my password and the flash drive mounted perfectly. It mounted as \Device\Harddisk1\Partition1 and was assigned logical drive "P". The only problem is that I can't access any files on the drive; I get a "Need to Format" error. I'm not a guru in this area, but I know enough that I would lose my data if I attempted formatting. I have tried the Windows repair function by right-clicking on the mounted drive, iCare Recovery and GetBackData, but the Windows repair yielded a "RAW" error and the latter two apparently accessed the actual USB drive and not the mounted logical drive "P". Please help.
     
  2. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Two different tools that probably will help you recover your files: Restorer Ultimate / DiskInternals Partition Recovery. I'm willing to bet you can get your files using one of these tools *puppy*
     
  3. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Thanks for trying to help me. DiskInternals provided me with an empty restored files folder; Restorer Ultimate resulted in identifying close to 5 million sectors, all showing descriptions using hexadecimal and hieroglyphics. The restored file information may be there, but I haven't a clue as to how it might be retrieved.
     
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    With DiskInternals, using the recovery wizard at startup, make sure to choose to scan the drive letter that the TrueCrypt volume is mounted with, not the letter of the raw disk that contains the encrypted partition. The program may list it as nt_mapped_file "W", or whatever letter you have the drive mounted with.

    It may take a good 15-40 minutes for the program to scan the disk (obviously be sure the drive is mounted with TrueCrypt before doing the scan).
     
  5. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Yes, I did exactly that. I had Restorer Ultimate try to recover the logical drive "P" that was assigned after I mounted the flash drive. As I said, it found close to 5 million sectors, all identified with hexadecimal coding and weird hieroglyphics. I don't know where to go from this point.
     
  6. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Dantz I need your help... I'm dead in the water. I haven't had a response in over a month.
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    OK, mount your volume to "P" and then examine the contents of logical drive P using WinHex (via Tools: Open Disk).

    Look in the Text column for anything recognizable such as known words or abbreviations like "NTFS", "FAT", "error", any other known words, obvious patterns such as 12345, abcde or anything like that.

    Also look in the hex column for any strings of zeros such as "00 00 00 00 00" or longer. The point is to see whether or not your data is decrypting. If it's not then perhaps your header was restored to the wrong location, or your partition has a different starting offset.

    With the volume mounted, click on Volume Properties (in TrueCrypt) and write down the size of the volume in bytes. We will try to use this information to figure out where the starting offset of your volume is supposed to be located.
     
  8. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    I have searched the text and hex in the mounted "P" drive and found neither a string of characters nor a series of 00's, respectively, that might suggest some data is decrypting. The Volume Properties in TrueCrypt states the volume size to be 63,835,766,784 bytes.
     
  9. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    I have been abandoned!!! Please help!!
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I get busy sometimes. Will try to help more this weekend.
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Dismount the volume if you have it mounted.
    Open the physical media (not the mounted volume) in WinHex.
    Look in the information pane, and note down the drive's "Total capacity in bytes"
    Subtract the size of the TrueCrypt volume (from your previous post) from this number.
    Subtract another 262,144 from the above result (to account for TrueCrypt's four 64KB volume headers).
    What is the final result? If done right, this should indicate the starting offset of your volume.

    Also in the information pane, please confirm the "bytes per sector" (probably 512)

    And while you have your drive open in WinHex, look in the "Directory browser" (as they call it) near the top of the screen. "Partition1" will probably be listed. Look on the right side of that row, in the "1st sector" column. What is the first sector?

    We're just trying to confirm that your volume's actual location and your partition definition are in agreement. If they are then we will change our approach and look for signs of an accidental overwrite instead.
     
  12. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Thanks Dantz. Here are the results. The arithmetic computation you requested had a final result of 45,056. The "bytes per sector" was confirmed to be 512. The "Directory Browser" did not indicate "Partition1" but rather "Unpartitioned space" with "0" in the "1st sector" column. Hope this helps get to the bottom of the problem.
     
  13. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Dantz, you left me hanging again. It's been almost a month since I posted the results you requested. Please help!
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Oh no, not again! I'm losing it, man. I can't keep track of all the threads. OK, hold on while I read through your thread again.
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Your numbers aren't matching up with what I was expecting to see. Please confirm that the size of your mounted TC volume (as seen in the TC "Volume properties" screen) is 63,835,766,784 and the total capacity of the flash drive (displayed in WinHex, but calculated by me based upon your reported results) is 63,836,073,984.

    Before you open the flash drive in WinHex, first dismount the TC volume, then open WinHex and make sure that you are selecting the flash drive under "Physical Media".
     
  16. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    OK, Dantz, there was an error. My calculator can't handle those huge numbers; it apparently truncated the numbers without me realizing it. The mounted TC volume is showing as 63,835,766,784 as I previously stated; the WinHex unmounted total capacity is showing as 64,156,073,984. Doing the arithmetic by hand, subtracting the two numbers then subtracting another 262,144 as you had requested, yields 320,045,056. Please get back to me as soon as you can so we can figure out how to gain access to my much-needed data. Thanks!
     
    Last edited: Jun 6, 2014
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Thanks for the new numbers. I guess we're going to have to do this one the hard way, as the numbers aren't that helpful. Your lost TC volume takes up most of the drive, but there are about 300 MB unaccounted for. Apparently you used to have a partition which didn't quite fill the whole drive. Let's start by looking at the typical starting location for a partition (but flash drives are sometimes done differently, so it might not be there).

    In WinHex, open the physical media, then scroll down to offset 1,048,576 (decimal). Make sure the offsets are displaying in decimal mode (numbers), not hexadecimal mode (numbers plus letters). You can click in the offset column to toggle back and forth if needed.

    Can you see any sort of an obvious transition here between a large block of zeros and a large block of completely unintelligible (random) data?

    Also, click once in the data, then press Ctrl+End to go to the very end of the drive. Are there any zeros here? Scroll up a bit and keep looking. If you see them suddenly change into random data, write down the location. Maybe we can find one end of your volume. Either end will do.
     
  18. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    OK Dantz, here's what I found. There is a block of random data between offset 0 and 448, inclusive. Beginning with offset 512 and ending with offset 00320044992, inclusive, there is no data, just clear space. Then, beginning with offset 00320045056, there is a continuous block of random data until the end, which is offset 64156073920. There are no offsets shown after that. I hope this helps get to the bottom of this mystery. Also, I am currently working with the trial version of WinHex. Let me know, as we move forward, if I will need to purchase this app because of copying and pasting limitations. Thanks!
     
  19. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The large block that you described is almost exactly the same size as your lost TrueCrypt volume. The endpoint is most likely correct, and if so then the beginning is only off by 64 bytes. Which makes me wonder: What is in the 64 bytes directly preceding the block? You left those bytes out of your description. They could be the beginning of your damaged volume header.

    It's time to create a test file (using WinHex) and then see if it decrypts. You can still use the evaluation copy of WinHex for this part. I will write up a procedure and get back to you soon. I'm working on it right now.

    While you wait, please back up your volume headers to a file. (Volume Tools: Backup volume header: [follow the screens to create the small backup file]). We will need to use the backup header during the test.
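    As an added illustration (my own code, not anything posted in this thread and not part of TrueCrypt or WinHex), the following Python reproduces the arithmetic dantz asks for in post 11 and the zero-to-random boundary hunt of posts 17 and 18 against a raw disk image, and then applies the size comparison from post 19: if the random block that runs to the end of the drive is the volume plus its headers, its length should exceed the mounted volume size by exactly the 262,144-byte header area. The sample image is constructed (seeded pseudo-random bytes standing in for ciphertext), and the numbers in the `__main__` block are the ones JohnP624 reported, with the end of his random block taken as the drive capacity, since 64156073920 is the last 64-byte row WinHex displays.

```python
import random

SECTOR = 512
TC_HEADER_AREA = 4 * 64 * 1024  # 262,144 bytes: the four 64 KB header slots dantz subtracts


def expected_volume_start(device_bytes, volume_bytes, header_area=TC_HEADER_AREA):
    """dantz's arithmetic (post 11): capacity minus mounted volume size minus header area."""
    return device_bytes - volume_bytes - header_area


def find_boundaries(image, sector_size=SECTOR):
    """Walk the image one sector at a time and record every offset where an all-zero
    sector is followed by a non-zero one or vice versa (the transition dantz asks
    JohnP624 to look for in post 17).  Returns a list of (offset, kind) pairs."""
    boundaries = []
    prev_zero = None
    for off in range(0, len(image), sector_size):
        is_zero = not any(image[off:off + sector_size])
        if prev_zero is not None and is_zero != prev_zero:
            boundaries.append((off, "data->zero" if is_zero else "zero->data"))
        prev_zero = is_zero
    return boundaries


def data_block_after_last_gap(boundaries, image_size):
    """The random block that runs to the end of the drive: it starts at the last
    zero->data boundary and ends at image_size (exclusive)."""
    starts = [off for off, kind in boundaries if kind == "zero->data"]
    if not starts:
        return None
    return starts[-1], image_size


def header_slack(block_start, block_end, volume_bytes):
    """Post 19's check: block length minus mounted volume size.  A result equal to
    TC_HEADER_AREA means the block is the volume plus its four header slots."""
    return (block_end - block_start) - volume_bytes


def build_sample_image(total=1 << 20, data_start=64 * 1024, seed=1):
    """Constructed stand-in for the flash drive: 448 bytes of partition-table-like
    junk in sector 0, zeros, then random (ciphertext-looking) data to the end."""
    rng = random.Random(seed)
    img = bytearray(total)
    img[0:448] = rng.randbytes(448)
    img[data_start:] = rng.randbytes(total - data_start)
    return bytes(img)


if __name__ == "__main__":
    # Figures from posts 16 and 18 of the thread
    print(expected_volume_start(64_156_073_984, 63_835_766_784))      # 320045056
    print(header_slack(320_045_056, 64_156_073_984, 63_835_766_784))  # 262144
    img = build_sample_image()
    print(find_boundaries(img))                                        # [(512, 'data->zero'), (65536, 'zero->data')]
```

The sector-granular scan is deliberate: ciphertext is never all zeros over a whole sector, while unwritten flash and unused partition slack usually are, so a sector-level zero test separates the two without any entropy estimate. The header_slack result is the figure that tells you whether the block you found is the whole volume or only part of it.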
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Here are some brief instructions. We're trying to locate the beginning of your lost volume, and the only way to do that is to create some sample files, see if they can be mounted in TrueCrypt, and then see if their data is decrypting. Try this:

    Open WinHex

    Tools: Open Disk: (select the correct physical media)

    Edit: Define Block
    Beginning: 320044992 (just type or paste in these numbers)
    End: 320244991

    Click "OK"

    In bottom right corner of screen, "Size" should be exactly 200000. (If not, check your numbers in the "Define Block" menu and try again.)

    Edit: Copy Block: Into new file

    Give the block a filename, and store it on a different drive. For a filename I suggest "320044992 test.tc". Save the file.

    An extra tab containing the contents of the new file will open in WinHex. We don't need to see it, so right-click on the tab name and select Close.

    Exit WinHex

    Open TrueCrypt

    I don't think this is going to work quite yet, but just for the heck of it, click on "Select File" and select your new file, then select a free drive letter, then click on Mount and enter the usual password. If the password is accepted then I will be surprised. More likely you will see the "Incorrect password etc." screen.

    With the file still selected, click on "Volume Tools", "Restore Volume Header", "Restore volume header from external backup file". Select your external backup file and use it to restore the header.

    Now repeat the previous steps, that is, click on "Select File" and select your new file, then select a free drive letter (how about "X"), then click on Mount and enter the usual password. The test volume should definitely mount.

    Keep in mind that this test volume is only a tiny fraction of your original volume, so it cannot contain a working file system. Also, it will generate several error messages when you try to open the mounted volume in WinHex.

    Our only goal right now is to see if the mounted test volume contains any decrypted data. If it does then we can go on to the larger recovery.

    Leave the test volume mounted to "X" (or whatever drive letter you used, but I will call it "X").

    Open WinHex (after WinHex opens, close any tabs that might be open from the last session.)

    Tools: Open Disk: under "Logical Media", select "X" and open it. (Ignore /click through any error messages.)

    OK, now we want to see some decrypted data! Start at the beginning and look carefully in the hex column for any blocks of zeros such as 00 00 00 00 00 (or longer). Click once in the data and then go down one screen at a time by using the PgDn key. (The scroll bar will move you too fast).

    In the text column, look for any recognizable words, especially right at the beginning of the mounted volume. Words like NTFS, partition, error, or anything at all that's readable/understandable.

    If you see decrypted data then hooray! We've found the beginning of your lost volume and can begin the recovery, which is basically just a larger version of the same procedure.

    If you can't find any decrypted data then close the tab in WinHex and then dismount the test file in TrueCrypt.

    Repeat the procedure using different numbers. This time set the block's beginning as 00320045056. Leave the other numbers the same (and don't worry about the block size being slightly different). When you save the file, call it 00320045056 test.tc and then run it through the same procedure. (First try to mount it in TC without restoring the header. If that doesn't work then restore the header, then mount it, then open it in WinHex and look for decrypted data near the beginning of the volume.)

    Note that while you are examining the mounted test volume in WinHex, if you scroll too far down then you will transition into an area filled with "UNREADABLE SECTOR". There's no reason to look beyond that point, as that point represents the end of the test volume's data. The entire test file is approximately 200KB, and it will only contain about 70KB of viewable data (if any).

    Hope some of this works! Let me know how it goes. If you see or suspect any errors in the above instructions then please let me know.
     
  21. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Dantz, I think we may be on to something. The first test file did not work: it didn't open with the password and it did open with the restored header file. Examination of the text area showed no strings of 0's or any readable character strings. So I tried the 2nd test file with the beginning block set at 320045056 and the end of the block as before (320244991). I was able to open that test file with my password without having to use the saved header file. When I opened the unencrypted file there was no data present. I hope that's OK. Carry on!!!!
     
    Last edited: Jun 10, 2014
  22. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The zeros would be in the hex columns and would look like 00 00 00 00 00 etc., but probably much longer than that. But ok, we'll go on...
    That's very promising!
    By "no data present" you mean what? Were there any blocks of zeros? Was it all totally random looking?
     
  23. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    Double clicking the opened (unencrypted) logical drive in TC yielded "This folder is empty". That was shown in Windows Explorer. I wasn't using WinHex.
     
  24. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The test file is just a tiny fragment of your lost volume, so it doesn't contain a working file system. Windows Explorer won't be able to read it. We can't use Windows Explorer yet. This is a job for WinHex.

    Please select and mount the test file using TrueCrypt, and then open the mounted volume in WinHex, as described earlier. (Ignore the error messages). Once the mounted volume has been opened in WinHex, look for blocks of zeros in the Hex columns and/or recognizable text in the Text column. All we need is just 8 to 10 zeros in a row, or one or more words in the right place, to show that we are seeing decrypted data and to confirm that we are on the right track. Then we can work towards recovering the full volume.
     
  25. JohnP624

    JohnP624 Registered Member

    Joined:
    Mar 15, 2014
    Posts:
    15
    Location:
    USA
    I'm encouraged, Dantz. I think we're getting somewhere. Here's what I find using WinHex on the test file:

    On the first text line (offset 0) I find "MSDOS5"; on the next text line (offset 64) I find "NAME FAT32". Both have a little gibberish before and after, including some blank space ending at offset 3068. This block, including the pre and post gibberish and empty space, repeats once beginning at offset 3072. At offset 16384 I find a string that looks like "øÿÿ ÿÿÿÿÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ". Then beginning at offset 16512 I see a block of numerical sequences and alphabetic sequences that continues, ending at the end of offset 17472 (I guess that would be offset 17532). Then this entire block repeats many more times beginning at offset 17536 and ending at offset 50172. Then another block of gibberish, numbers and letters repeats and so forth to the UNREADABLE SECTOR area. If you need specific details let me know how I can get that to you. Keep going; you're doing great.
     
    Last edited: Jun 11, 2014
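An added example (my own Python, not code from this thread, from TrueCrypt or from WinHex) covering two of the steps above: the block-carving and "zeros or recognizable words" plaintext test from dantz's procedure in posts 20 and 24, and a parse of the FAT32 boot sector layout JohnP624 describes in post 25, so that the offsets he saw follow from the BPB fields instead of being eyeballed. In a FAT32 boot sector the OEM name ("MSDOS5.0") sits at byte 3, the "FAT32   " type string at byte 82, the backup boot sector number (normally 6, so 6 x 512 = 3072) at byte 50, and the reserved sector count (commonly 32, so 32 x 512 = 16384) at byte 14; the first FAT entry for media type 0xF8 is F8 FF FF 0F, which is the "øÿÿ" string seen at 16384. The TrueCrypt decryption itself is not simulated; the sample test volume is constructed plaintext with invented geometry values, and the `sample_ciphertext` helper is seeded pseudo-random data standing in for an undecrypted block.

```python
import random
import struct

SECTOR = 512
MARKERS = ("NTFS", "FAT32", "FAT16", "MSDOS", "MSWIN")  # the kind of words dantz says to look for


def carve_block(image, begin, end_inclusive):
    """Equivalent of WinHex Edit: Define Block / Copy Block: Into new file.
    WinHex's End offset is inclusive, hence the +1."""
    if not 0 <= begin <= end_inclusive < len(image):
        raise ValueError("block lies outside the image")
    return image[begin:end_inclusive + 1]


def longest_zero_run(data):
    """Length of the longest run of 0x00 bytes (the '00 00 00 00 00' dantz asks for)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0 else 0
        if cur > best:
            best = cur
    return best


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, roughly what WinHex's Text column shows as readable."""
    out, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def looks_decrypted(data, min_zero_run=8):
    """dantz's criterion (post 24): 8 to 10 zeros in a row, or a recognizable
    file-system word, means the bytes are plaintext rather than ciphertext."""
    if longest_zero_run(data) >= min_zero_run:
        return True
    return any(m in s for s in printable_strings(data) for m in MARKERS)


def parse_fat32_boot_sector(sector):
    """Pull the BPB fields that explain the offsets reported in post 25."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", sector, 11)
    return {
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "fs_type": sector[82:90].decode("ascii", "replace").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "num_fats": sector[16],
        "sectors_per_fat": struct.unpack_from("<I", sector, 36)[0],
        "backup_boot_offset": struct.unpack_from("<H", sector, 50)[0] * bytes_per_sector,  # 6 * 512 = 3072
        "fat0_offset": reserved * bytes_per_sector,                                         # 32 * 512 = 16384
    }


def check_fat32_layout(volume):
    """Confirm the backup boot sector is a copy and the FAT begins with the media entry."""
    info = parse_fat32_boot_sector(volume[:SECTOR])
    bb, f0 = info["backup_boot_offset"], info["fat0_offset"]
    info["backup_matches"] = volume[bb:bb + SECTOR] == volume[:SECTOR]
    info["fat_media_entry_ok"] = volume[f0:f0 + 4] == b"\xf8\xff\xff\x0f"
    return info


def build_sample_test_volume():
    """Constructed plaintext of a carved test volume: a FAT32 boot sector, its copy
    at sector 6 and a FAT at sector 32.  Geometry values are invented."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHB", bs, 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FAT count
    bs[21] = 0xF8                                   # media descriptor
    struct.pack_into("<I", bs, 32, 124_679_232)     # total sectors (constructed)
    struct.pack_into("<I", bs, 36, 121_680)         # sectors per FAT (constructed)
    struct.pack_into("<IHH", bs, 44, 2, 1, 6)       # root cluster, FSInfo sector, backup boot sector
    bs[66] = 0x29
    bs[71:82] = b"NO NAME    "
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    vol = bytearray(40 * SECTOR)
    vol[0:SECTOR] = bs
    vol[6 * SECTOR:7 * SECTOR] = bs
    vol[32 * SECTOR:32 * SECTOR + 12] = b"\xf8\xff\xff\x0f\xff\xff\xff\xff\xff\xff\xff\x0f"
    return bytes(vol)


def sample_ciphertext(n=200_000, seed=7):
    """Seeded pseudo-random bytes standing in for a block that did not decrypt."""
    return random.Random(seed).randbytes(n)


if __name__ == "__main__":
    vol = build_sample_test_volume()
    print(looks_decrypted(vol), looks_decrypted(sample_ciphertext()))  # True False
    print(check_fat32_layout(vol))
```

On a real carved test file you would run `looks_decrypted` over the decrypted bytes TrueCrypt exposes on the mounted drive letter, not over the .tc file itself, which stays ciphertext until mounted. The layout check is only meaningful once `looks_decrypted` is true and the first sector carries the 0x55AA signature; the 3072 and 16384 offsets in post 25 are what you expect from BkBootSec = 6 and RsvdSecCnt = 32 with 512-byte sectors, which is ordinary Windows FAT32 formatting.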