Formatted external with truecrypt volume

Discussion in 'encryption problems' started by donouann, Aug 12, 2013.

Thread Status:
Not open for further replies.
  1. donouann

    donouann Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    42
    Location:
    Philippines
    Hi guys. I accidentally formatted my 1TB external with a TrueCrypt volume inside. I only had 1 partition. I have been reading the forum for similar posts but I have no idea about the header or rescue disk since I just encrypted all my files without any backup. I've tried recovery software but they don't see the volume. What should I do to recover my files? Thanks.
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    According to my tests, all you have to do is put the RecoveryCD on the drive and it will be very easy for TC to find its volumes, if the correct password is provided.

    I'm not using TC anymore, but (IIRC) you only have to boot from the CD and there will be options to recover lost partitions. However, it may be impossible to do so if, in the formatting process, you overwrote the volume headers (I don't remember if there are backup headers, but I think there are).

    I also think that ANY RecoveryCD can do the trick unless the single volume was done with FDE with a System installed on it (Full disk encryption).
    You can read more: http://www.truecrypt.org/docs/rescue-disk

    BTW: Forget forensics software, NOTHING except TrueCrypt will be able to find the volume. One tip would be to plug this external drive into a computer that has TrueCrypt installed, and select "Auto-Mount devices"; you might get lucky with it.
     
  3. donouann

    Thank you for your reply. But I don't know what the rescue disk is. Is it a CD? I don't remember even making one when I encrypted my TrueCrypt volume. I just created the volume from the TrueCrypt software I downloaded from bitsnoop. That's why I can't relate to posts mentioning header and rescue disks because I don't know what they are and can't remember even going through the process of making such steps.

    I just tried mounting it on a PC with TrueCrypt and it says "incorrect password or no truecrypt volume found". I checked the option indicating "using back-up header" but the result is the same.
     
    Last edited: Aug 12, 2013
  4. donouann

    By the way, during the accidental format, all I did was right-click the drive from the My Computer list and choose format. Instead of the drive which contained my corrupted 16GB USB, somehow the cursor went a notch below and chose drive J, which contained my TrueCrypt volume. Now it indicates the folder is empty with all 931GB in it. What should I do?
     
  5. amarildojr

    Seems that either the password is wrong or the headers are missing, but since it says that it's using the backup headers (I'd like a Print-Screen of that) I assume the 1st cause is the most probable.

    Are you sure the password is correct?
    You can try creating the Rescue-Disk, If I remember there's an option for that on TC. If not, I can upload my RD for you so you can try using that, although I think the problem seems to be incorrect password.

    EDIT: There's an option on "Tools" where you can restore the volume headers. Try that, just in case.
     
  6. donouann

    I have attached the screenshots of the result. Yes, I am sure the password is correct and I have tried all the options available in TC including restore volume header, but when I input the password, it still indicates "incorrect password or not a TC volume". BTW, my external is a 1TB WD Elements and the TC volume was named JPU1TB. Now if I look at the drives list, I can only see "Elements 931 GB free of 931 GB". :doubt:
     


    Last edited: Aug 12, 2013
  7. donouann

    I've been up for 2 days now since the accidental format happened. I have tried Getdata Recover, Stellar, File Scavenger, Recuva, Disk Internal but to no avail. The volume just can't be found. I've been trying Testdisk for almost 24 hours now and I am still getting 08% scanned result, and Winhex, but I have no idea how to go through with it. There seem to be so many figures and numbers. I am just constantly looking at forums and YouTube tutorials, just trying to figure out an easier way since I am not technically well-versed with all these algorithms and recovery methods.
     
  8. donouann

    This is what I get when I try to select the option for creating rescue Disk..o_O
     


  9. donouann

    And this is the screenshot of the result I got from the drive when I have it read by Winhex. Unfortunately I have no idea what to do with it or what all the numbers and figures mean. I am just lost now and confused and tired...:'(
     


  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The TC rescue disk applies only to system encryption (that is, encrypting a bootable operating system). Since you encrypted a partition on an external disk (a data partition, not a bootable OS), there will not be any rescue disk, so you can forget about that approach. The rescue disk is not an option here.

    Recovery software will also be useless, as the data is fully encrypted. Even file and folder names will not be visible, as TrueCrypt turns the encrypted area (a partition in your case) into a giant block of fully random data from start to finish.

    I'm sorry that your formatted volume's embedded backup header isn't working ("Mount Options: Mount volume using embedded backup header"), as that would be your best bet at recovering your data.

    I'll see if I can be of any help, but first please answer the following questions:

    What type of format did you perform: Quick, or Full? I'm asking this because a Quick format wouldn't usually overwrite the embedded backup header, which is located at the very end of the partition, so I'm wondering why yours doesn't seem to be working.

    Did you ever perform a backup of the volume header ("Volume Tools; Backup volume header"), and then save the backup as a file? If so, it would definitely come in handy right now.

    Was the partition always listed as "\Device\Harddisk1\Partition1", and is that how you selected it back when it was working?

    And I just want to confirm this: When you first encrypted your partition, did it already contain data? So you encrypted your data "in place", as we call it?

    One final note: You're trying a lot of different things right now without actually knowing what you're doing. Please slow down. If you make a wrong choice then you could completely destroy whatever small chance you still might have of recovery. The only way to access your lost volume is to find and use a fully-intact volume header. This header might still exist on the disk, and the last thing you want to do is corrupt it in any way. So be careful, and don't write to the disk!

    (edit, days later: When I wrote this I was under the mistaken impression that you had encrypted a partition, which has since proved to be incorrect)
     
    Last edited: Aug 13, 2013
  11. donouann

    Thank you for your replies amarildojr and dantz. It's 242 dawn here in my part of the world and I'm still up trying to figure this problem I got myself into. To answer your questions dantz:

    1. It was just a quick format. Usually the one that I do when I want to format my USB storage: right-click on the drive, then choose format, then check the quick format box.

    2. I did not do any back-up as far as I can remember. I have 2 other externals with TC and never did I make any back-up when I encrypted them. It's a lesson I am having to learn the hard way now.

    3. Yes. When I tried to mount it on TC, the JPU1TB volume could no longer be found so I chose "select device" and I picked the "\Device\Harddisk1\Partition1". Then I was prompted to put the pw when I mounted. Then the warning "the host file/device is already in use...continue mounting?" came up, and I typed yes. Then the "incorrect password or not a TC volume" message appears every time.

    4. The 1TB external was bought brand new. I right away created a TC volume on it because I already had files I wanted to transfer from my PC. I am not sure about the size but when I allocated the volume size when I encrypted with TC, it normally did not reach 1TB; I might just have indicated 900GB for the volume created.
     
  12. donouann

    I am trying all these recovery software tools out of desperation. But after so many hours of waiting, scan after scan, the results all come back negative for the volume. Thank you for warning me. I am just going to stop experimenting as I might just cause more damage to my external.

    I have not put any data at all since the format and I have made sure I have not made any changes on it since then.
     
  13. donouann

    By the way dantz, when I created the TC volume during the TC creation wizard, I just chose the first option "create an encrypted file container" and just went through with the encryption. The "never save history" box was checked by default. There was no prompt for creating a rescue disk or header, which is why I can't seem to understand what the header and rescue disk are about.

    I just did a back up of the volume header and the message "incorrect pw or not a TC volume" pops up again..:)
     
    Last edited: Aug 12, 2013
  14. amarildojr

    Is the data really-really important?
    If the data is important, I'd research more on that, even creating a paid-email account and trying to get help on TC's forums.

    Otherwise, if nothing helps, personally I'd create my data all over again.

    That's one of the reasons back-up exists hehehhe. But you see, backup is good when this happens. If I have a really important piece of data that I want to keep I usually upload it to cloud services, everything encrypted. So, if anything goes bad I have those files ready-to-download.

    If you keep good practices this might happen fewer times in the future.

    And don't forget, back up your data... and then make a backup of the backup.. and if the data is really important make a backup of the backup of the back up :argh:
     
  15. donouann

    Thanks amarildojr for the advice. Yes, the data is really important. I am an architect by profession and records of my previous and present projects, particularly the design, details and client accounts, are there: pictures of projects, contracts, specification documents and videos. To sum it all up, almost 10 years of work is in there. Silly me for quickly clicking the format option without verifying the actual drive I was formatting. :doubt:
     
  16. dantz

    I'm not completely sure which type of volume we are searching for, as you've made a few statements and performed a few actions which seem rather contradictory to me. There are four types of volumes that you could have created:

    1) a container file (which is merely a large encrypted file that you create within an existing partition, and then copy your data into),

    2) an encrypted partition (which begins as a normal, unencrypted partition which may (optionally) contain existing data. In this case you would encrypt the entire partition from beginning to end, which also encrypts the existing data "in-place"),

    3) a fully-encrypted device (such as a completely blank hard disk that has no partitions, which you encrypt without ever creating a partition on it).

    4) a system volume, which is an encrypted operating system. (This is what amarildojr thought you had, but I'm almost certain that he was mistaken.)

    Anyway, I will post some of the quotes that don't quite agree with one another, and maybe you can sort it all out:
    This implies that you encrypted your existing files "in-place". This would only be possible if you had encrypted an existing partition (#2 above).
    This implies that you created a container file (#1 above).
    It's not clear to me why you did that. You are apparently trying to mount an encrypted partition (#2 above). However, "JPU1TB" would never show up in the TrueCrypt device selection screen, so I don't know why you would be looking for it there. Plus, if you created a file-hosted volume then you shouldn't even be clicking on Select Device and trying to mount a partition, you should be clicking on Select File and selecting the encrypted file that you created. Was JPU1TB the name of the file?

    OK, so maybe you did create a file-hosted container.

    Please clarify things for me as best you can. Was JPU1TB the name of your container file? And then you mistakenly quick-formatted the partition? If so then it's possible that the lost file still exists on the disk in its entirety (or nearly so), although recovering it could be fairly tricky.

    PS: I'm going out for a few hours, but will try to get back to you when I return.
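
The posts above note that a TrueCrypt volume looks like one block of random data, which is why signature-based recovery tools find nothing, and that a quick-formatted container file may still be on the disk. As an added illustration (not from the thread or from TrueCrypt; the block size, entropy threshold and sample image are assumptions constructed here), this Python script scans a disk image read-only and reports contiguous high-entropy runs, which are the candidate extents of a lost container file:

```python
import math
import os
import tempfile

BLOCK = 4096       # scan granularity in bytes (assumed; any sector multiple works)
THRESHOLD = 7.9    # bits per byte; random 4 KiB blocks score about 7.95

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def random_runs(path, block=BLOCK, threshold=THRESHOLD, min_blocks=8):
    """Return [(start, end)] byte offsets of contiguous high-entropy runs.
    The image is opened read-only; nothing is written to it."""
    runs, start, offset = [], None, 0
    with open(path, "rb") as img:
        while True:
            chunk = img.read(block)
            if not chunk:
                break
            # A short trailing chunk is treated as non-random and ends any run.
            high = len(chunk) == block and entropy(chunk) >= threshold
            if high and start is None:
                start = offset
            elif not high and start is not None:
                if offset - start >= min_blocks * block:
                    runs.append((start, offset))
                start = None
            offset += len(chunk)
    if start is not None and offset - start >= min_blocks * block:
        runs.append((start, offset))
    return runs

def build_sample_image():
    """Constructed sample: zeroed area, 64 random blocks standing in for an
    encrypted container, then a zeroed tail. Not real disk data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * (16 * BLOCK))
        f.write(os.urandom(64 * BLOCK))
        f.write(b"\x00" * (16 * BLOCK))
    return path

if __name__ == "__main__":
    sample = build_sample_image()
    for lo, hi in random_runs(sample):
        print(f"high-entropy run: {lo:#x}-{hi:#x} ({(hi - lo) // BLOCK} blocks)")
    os.remove(sample)
```

Compressed files and video are also high-entropy, so a run is only a candidate, and a fragmented container shows up as several runs. Run it against an image copy of the disk rather than the original, in keeping with the advice above not to write to the disk.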
     
  17. donouann

    Thanks dantz. Really appreciate the effort you and amarildojr are doing to help me.

    To help clarify things, I'm pretty sure the volume I created is no. 1 among the 4 you mentioned.
    Maybe my words just got mixed up, but after I got my external (Elements (J: )), I immediately created a container file/volume and named it JPU1TB. Then I transferred my files into the volume. So every time I tried to access the volume, I would mount it on TC. However, after the format on Elements (J: ), the volume JPU1TB disappeared and the external "Elements (J: )" became empty (931GB free of 931GB as indicated on My Computer). So when I tried to mount it on TC, I could no longer find the JPU1TB file when I was prompted to Select File. Out of sorts, I just tried the Select Device option and chose the \Device\Harddisk1\Partition1 which I knew was my Elements (J: ) external in the hope that I could somehow find anything. But only the warning "incorrect pw or not a TC volume" keeps coming up. So I then resorted to recovery tools and checked on the forums for help, which led me to you guys.

    Hear from you soon when you're back. Cheers. :thumb:
     
  18. amarildojr

  19. donouann

    Hi amarildojr. Drive J is the default drive my external is mounted on when I hook it up to my PC. I just used "Elements (J: )" in my reply to indicate that my external is Elements on my PC's drive J and that the volume inside is JPU1TB. There was no problem mounting the volume on TC before the format because the file was there and I never chose the "select device" option, just the "select file" because TC would just recognize the volume. It was only when I could no longer find the volume file that I tried using the "select device" option hoping to find anything. And when I tried "Auto-mount devices", I just chose "\Device\Harddisk1\Partition1" which I knew was the external. I'm pretty sure this is not a problem of mounting the wrong drive..:)
     
  20. amarildojr

    Could you at least try it? :D
     
  21. donouann

    Yes amarildojr. I just tried it, went to disk management, removed the drive J, opened TC, chose auto-mount devices, put my pw and it's the same message "incorrect pw or not a TC volume". I chose select device, found the \Device\Harddisk1\Partition1, mounted it and put my pw and voila, it's the same message "incorrect pw or not a TC volume"...:doubt:

    On My Computer now, the device can't be seen anymore, maybe because it was no longer assigned to any drive. I'm going to put the drive back so I can see the device again on My Computer...o_O
     
    Last edited: Aug 12, 2013
  22. amarildojr

    Dammit, I thought you had your problems solved hahaha.

    I can't figure out how to help you. I'm currently testing openSUSE on a VM and I don't have an external drive. Sorry! I truly hope others can help you.

    Regards.
     
  23. donouann

    Thanks for the effort and time amarildojr. Really appreciate it. I really do hope others will be able to help me figure this problem out. Regards..:)
     
  24. dantz

    FYI, the "Auto-mount Devices" command only works for "devices", which TrueCrypt considers to be either partitions or entire drives. This feature cannot be used to mount container files. It doesn't look for them, and it doesn't find them.
    Are you saying that the lost file is approximately 900GB in size? You basically made it almost as large as the partition?
     
  25. amarildojr

    Thank you. I never created any container on TC so I didn't know about this :D
     