Formatted external hard disk with truecrypt encryption

Discussion in 'encryption problems' started by Kernelus, Jun 18, 2014.

Thread Status:
Not open for further replies.
  1. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    Hi guys,
    I accidentally formatted my 4TB external hard disk with TrueCrypt encryption. I have been reading the forum for similar posts, but I found nothing, and I did not know anything about the backup volume header until now, so I do not have any backup. I read that the recovery tools do not work on TrueCrypt volumes. Can someone help me with this problem, or are my files lost forever?
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Quick format, or full format? And what OS?
     
  3. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    Quick format, Windows 8.1
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    OK, there's a good chance of partial recovery. All non-system volumes contain a backup header located near the very end of the volume. (I'm assuming that you had an encrypted partition, not a fully-encrypted disk.)

    If you merely formatted your encrypted partition then you most likely overwrote the TC volume header and some of your encrypted data, but the embedded backup header will often survive a quick format.

    Have you already tried the "Mount options: use backup header embedded in volume if available" option?
     
  5. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Since you were trying to recover your header, I assumed that you were fully locked out of your volume and that your password wasn't being accepted, but apparently I was wrong, as your screenshot shows that you have mounted a volume. ("Harddisk1\Partition0")

    So what exactly is the situation? Is your password still being accepted? Is it that you allowed Windows to format your mounted volume and now you can't see any of your files?
     
  7. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    TC accepted my password and yes, Windows wants me to format the mounted volume and I cannot see files.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    A damaged header won't even accept the correct password. If the password is accepted and the volume mounts to a drive letter then the header is intact.

    If Windows offers to format your mounted volume this probably means that the volume's filesystem has been damaged.

    Could you be a bit more complete in your description of events? There are lots of different possibilities here, and I need to understand what's going on before I can propose a solution. Here are a few questions:

    When you first set up the encryption, what did you encrypt, an existing partition (perhaps with data already on it) or an entire raw unpartitioned disk?

    What did you accidentally format, the mounted volume (by running the format command against the mounted volume's assigned drive letter) or the encrypted partition while it was unmounted?

    Before you accidentally formatted whatever it was that you formatted, did you first initialize the disk and create a partition? Or was the partition already there?

    Did you always select the volume as Harddisk1\Partition0? (This usually represents an entire raw disk, not a partition).

    In TrueCrypt's Select Device screen, does TrueCrypt list any partitions under Disk1? I'm wondering what happened to the partition that you said you formatted. It should be listed there.

    Add anything else that you think might apply to the situation.
     
    Last edited: Jun 23, 2014
  9. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    Yes, existing partition with some WD software on it.

    I executed a shortcut for starting a server and it did not find the path to the drive,
    and it gave me an error message, and after clicking OK it formatted my external hard drive.

    Volume was not mounted in TC, just connected to PC.

    No Harddisk1\Partition0, there was something else but I do not remember what it was called :_/ .

    Yes, there was a partition, I think, under Harddisk1\Partition0, but as I said I do not remember what it was called.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    If you recently formatted a partition then it should still be there, and you should see it listed under a hard disk in TrueCrypt's "Select Device" screen. Are you sure it's not there? Did you manually delete the partition? Did you perhaps restore the volume header into the wrong location and end up overwriting the partition table? Some users do that.

    OK, let's try to figure this thing out. Try the following:

    Mount your TC volume, even though it doesn't seem to be working properly. In the TrueCrypt interface, click on "Volume Properties" and write down the size of the volume in bytes. Then dismount the volume.

    Install the evaluation copy of WinHex.
    In WinHex, select Tools: Open Disk.
    Under Physical Media, select the 4TB external hard disk and click OK.
    In the information pane (sidebar), write down the "Total capacity" in bytes.
    Take the TC volume properties "size" and add 262144 to it to include the volume's four headers. The result will be the total size on disk of the complete (and unmounted) TrueCrypt volume.

    Compare the above number to the total capacity of the disk (from WinHex).

    Are the two numbers identical? If not, subtract the smaller from the larger. What is the difference?

    If you're not sure of the math then just post the two numbers here and I will look them over.
     
  11. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You said that your partition isn't there, but I see that Device\HardDisk1\Partition1 is listed in the TrueCrypt screen. Isn't that it?

    It's a good thing you posted those screenshots. You made a typo (the WinHex number), and as a result your math didn't come out. I used the numbers from the screenshots and calculated a difference of 1048576 bytes, which is exactly where the default partition usually begins. So this shows that you had (or still have) an encrypted partition at the default location.

    I also noticed that you are now mounting Partition1. In your previous screenshot (in Post #5) you were mounting Partition0, which represents the entire disk rather than the partition. Perhaps this has added to the confusion. You should be selecting the partition, not the entire disk.

    If you mount the partition but you find that Windows Explorer cannot be used to view your files then it's probably because you quick-formatted the partition while it was unmounted. This would overwrite a portion of the encrypted partition's file system, thus making it unbrowsable by Windows Explorer. But much of your data is probably still there.

    The best approach at this point will be to use data-recovery software to explore the mounted volume to see what files can be recovered. I would expect you to recover quite a lot.

    WinHex is not the first choice here, but since you already have it installed, try this:

    In TrueCrypt's Select Device screen, select Device\HardDisk1\Partition1.
    Assign it to a free drive letter and mount the volume.

    Open WinHex, click Tools: Open Disk

    Select the logical volume that is identical to the drive letter you assigned in TrueCrypt, then click OK.

    Your volume's data will be displayed as both hex and text, side by side.

    Let's see if we can find anything. Scroll down and see if you can find any large grouping of zeros ( 00 00 00 00 00 00 00 etc.) in the hex columns.

    Also, look for any recognizable words or patterns in the text column.

    I think you'll find both. When you're done looking, Exit from WinHex, as that's all you needed to see at this point.

    Although WinHex can be used for data-recovery, it requires a fair bit of expertise. I suggest you begin with programs that are more automated. Many users have reported good results with GetDataBack (at runtime.org), but there are many others, some of them freeware (i.e. Recuva and some others whose names I forget right now). If you aren't able to recover enough data using these programs then you can also try a data-carving program such as Photorec, as data-carving programs can operate even if the file system is broken.
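
The size comparison from posts #10 and #12, as an added example that is not part of the original thread: it places the unmounted volume on the disk and lists where its four 64 KiB header slots sit. The figures are constructed (the thread's real numbers were only in screenshots), and treating the whole gap as space in front of the volume follows the reading given in the post.

```python
HEADER_AREA = 65536              # each TrueCrypt header occupies a 64 KiB slot
HEADERS_TOTAL = 4 * HEADER_AREA  # 262144, the figure added in post #10


def locate_volume(disk_capacity: int, mounted_size: int, sector: int = 512) -> dict:
    """Place an unmounted TrueCrypt volume on a disk from the two byte counts."""
    on_disk = mounted_size + HEADERS_TOTAL
    gap = disk_capacity - on_disk
    if gap < 0:
        raise ValueError("volume larger than disk: a mistyped figure or the wrong disk")
    if gap % sector:
        raise ValueError("gap is not a whole number of sectors: recheck both figures")
    start = gap          # assumption from the thread: the gap precedes the volume
    end = start + on_disk
    return {
        "scope": "whole disk" if gap == 0 else "partition",
        "volume_start": start,
        "primary_header": start,
        "hidden_header": start + HEADER_AREA,
        "data_start": start + 2 * HEADER_AREA,
        "backup_header": end - 2 * HEADER_AREA,
        "backup_hidden_header": end - HEADER_AREA,
        "volume_end": end,
    }


# Constructed figures for a 4 TB disk with 512-byte sectors.
DISK_CAPACITY = 4000787030016   # WinHex "Total capacity"
MOUNTED_SIZE = 4000785719296    # TrueCrypt "Volume Properties" size

if __name__ == "__main__":
    for name, value in locate_volume(DISK_CAPACITY, MOUNTED_SIZE).items():
        print(f"{name:22} {value}")
```

A gap of 1048576 bytes gives the partition case described in post #12; a gap of 0 means the volume spans the whole device.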
     
  13. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
  14. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    Recuva and GetDataBack want me to format the mounted volume, can I do it?
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Your screenshots show that the mounted volume definitely contains decrypted data, so your volume is still there and TrueCrypt is behaving normally.

    The problem that you are facing is that a portion of your volume's file system was apparently damaged (overwritten) when you quick-formatted the unmounted partition. At every location where that procedure wrote to disk, the corresponding portion of the TrueCrypt volume will contain random gibberish. The untouched areas of the volume should still be intact, though, so there should be a fair bit of recoverable data remaining.

    No, don't format anything. If you format the mounted volume then you risk overwriting a portion of your remaining data. The best policy is not to write anything to the disk. All of your data is in free space now, so it is particularly vulnerable to being overwritten.

    Incidentally, I doubt if those programs actually "want" you to format the volume. They are probably just stating that the volume is not formatted and that this limits their ability to recover data. But laying down a fresh format will not recreate the old file system that used to contain references to your data, it will merely write a new file system that knows nothing about your still existing (but currently lost in free space) data. The MFT (master file table) stores all of the information about the name, size, locations and other attributes of your files, but you need the old one, not a new empty one.

    If Recuva and GetDataBack aren't able to do anything then try Photorec or other data recovery tools that specialize in data-carving. (They look for known file signatures on disk and attempt to reassemble the individual files that way, without relying on a working file system). If your lost files were not fragmented, and if your file types are supported by photorec (check the supported file types list) then you should get a lot of them back. (However, photorec generally cannot determine what the file names used to be, so you'll have to figure them out.)

    I also noticed that one of your screenshots showed a block of "UNREADABLE SECTOR". You should not be seeing this within a mounted TrueCrypt partition. It probably means that your disk contains unrecoverable errors and is starting to fail. I suggest you make a sector-by-sector clone of your disk right away.

    If your data is important then you should do this anyway, before you begin any serious data-recovery efforts. Most data-recovery software is read-only, but there are exceptions. And repair programs such as chkdsk, testdisk, etc. will usually write to disk. Ideally you will back up (sector-by-sector clone) the affected hard disk and then perform all of your data-recovery attempts and file-system repair attempts on the clone.

    Incidentally, I just wanted to let you know that I can't walk you through a full recovery here. I'm merely trying to provide useful advice and point you in the right direction. You're going to have to learn how these programs work, etc. on your own. I will try to provide tips and guidance, but I can't spare enough time to do much more than that.

    But do try Photorec. Hopefully it will be able to recover some of your lost data.
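
How signature-based carving works, as an added example that is not part of the original thread and is not PhotoRec's code: it scans a raw buffer for JPEG and PNG header/footer pairs without any file system, and reports a header whose tail is gone as incomplete. The sample buffer and the 1 MiB search limit are constructed for the illustration; fragmented files are not handled, which is the limitation mentioned in the post.

```python
# Real magic numbers: (header, footer) per file type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 1 << 20  # assumed limit: give up if no footer within 1 MiB


def carve(image: bytes) -> list:
    """Return (kind, start, end, complete) for every header found in image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            stop = image.find(footer, pos + len(header), pos + MAX_FILE)
            if stop == -1:
                # Header survived, but the tail was overwritten or fragmented.
                found.append((kind, pos, None, False))
                pos = image.find(header, pos + 1)
            else:
                end = stop + len(footer)
                found.append((kind, pos, end, True))
                pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample: two intact files and one damaged one between zero runs,
# standing in for a mounted volume whose file system has been overwritten.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
DAMAGED = b"\xff\xd8\xff\xe1" + b"tail overwritten by the quick format"
SAMPLE = (b"\x00" * 512 + JPEG + b"\x00" * 100 + PNG
          + b"\x00" * 64 + DAMAGED + b"\x00" * 256)

if __name__ == "__main__":
    for kind, start, end, complete in carve(SAMPLE):
        status = "complete" if complete else "no footer found"
        print(f"{kind} at offset {start}: {status}")
```

The carved ranges carry no file names, which is why recovered files have to be identified by hand afterwards.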
     
  16. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    OK thank you, I will try it.

    WoW, it will take only 420 hours :D
     
  17. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
  18. Kernelus

    Kernelus Registered Member

    Joined:
    Jun 18, 2014
    Posts:
    11
    So, my data is completely lost?
     