Guide - truecrypt recovery

Discussion in 'encryption problems' started by FriendlyNeighbor, Aug 13, 2014.

Thread Status:
Not open for further replies.
  1. FriendlyNeighbor

    FriendlyNeighbor Registered Member

    Aug 12, 2014
    I had several disks in my computer and unfortunately quick-formatted the wrong one. It has irreplaceable data on it, and I've now spent upwards of 16hrs reading all available posts. Although I haven't been successful yet, I've still got plenty of options left to try.

    I've seen a lot of people with the same problem and no responses, not just on this board. The lack of consistent answers is one of the biggest issues I've encountered. I wanted to put together a thread with some of the most promising and verifiably successful information I've come across, rather than posting it all in response to each unanswered thread.

    1. Back up an image of your disc IMMEDIATELY. That way when you're editing it, dismounting and remounting it and generally tampering around, you've always got an original copy.

    2. Testcrypt is one of the most important tools and I've read multiple success stories, including one a few posts above yours, about quick-formatting a drive and being able to restore the encrypted partition.

    3. Active@ has the most powerful, yet user-friendly interface for partition recovery and data retrieval. It also has a thoroughly powerful hex reader/editor. I've also used and read about testdisk, but my experiences haven't been as seamless; perhaps as it's DOS/UNIX rather than a GUI.

    4. GetDataBack seems to be the most recommended file recovery software for usage with damaged file structures.

    5. The user dantz here is incredibly informed and helpful. I found this thread (although no successful outcome) and this one (successful, incredibly) to be very useful.

    Given my issue has nothing really to do with bad partitioning, I don't have a real guide for partition map repairs. However, the tools listed, especially Active@ and Testcrypt, along with the myriad of other users and their posts should definitely point you in the right direction.

    It also looks like there needs to be a combination of tools in play to properly retrieve a reformatted Truecrypt drive, which appeared to me at first as a catch-22. You need to mount the Truecrypt partition to recover the data, but you can't, because you need to recover the Truecrypt data first, which you need to mount properly... so on.

    However, it seems as though Testcrypt supports a whole-disk "mount" with your password. Here, one of the creators of Testcrypt responds on the official forum (which is primarily in German, unfortunately) to a similar ticket with:

    "There is one big difference compared to the other threads: your partition is not only deleted but also formatted. In this case you need recovery software like GetDataBack or R-Studio (better results in the last months especially for formatted volumes) in or in combination with TestCrypt: use TestCrypt to mount the header via right click context menu and afterwards use the recovery software on the mounted volume."

    So the process for any quick-formatted drive should look something like this, passing on to each next step if no success:

    - attempt to use backup volume headers
    - use testcrypt
    - use testcrypt to mount device, use data recovery software to restructure files
    - use specific hex editing techniques to find/clone/repair header via dantz' instructions in this thread

    Additionally, racoon_tc has two interesting points.

    "According to the docs (and further docs) you must try to mount the volume with several attempts in a row.
    Also, make sure to choose the correct partition ("\Device\Harddisk?\Partition0" represents the entire disk)."

    Always make multiple mount attempts.

    It's important to select the entire disk rather than any specific partitions, and if your quick format created a partition, I've read that it must be deleted before Testcrypt can be successful. As long as your changes are backed up, you can experiment - I'm not proclaiming to be an expert, but rather compiling all of the information I've gleaned over this ridiculous process.
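
Added example, not part of the original post or of any tool it mentions: a read-only check of the four header slots in a backup image, to see whether the quick format overwrote the primary header while the backup header region still looks like ciphertext. The slot offsets follow the TrueCrypt volume format for version 6.0 and later (64 KiB slots at the start, mirrored at the end); it assumes the image file covers exactly the disk or partition that hosted the volume, and the function names are hypothetical.

```python
import math
import os
import sys
from collections import Counter

SLOT = 64 * 1024         # one header slot; the encrypted header is its first 512 bytes
HEADER_AREA = 2 * SLOT   # standard + hidden slot, at the start and mirrored at the end

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 512 random bytes score about 7.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(sector: bytes) -> str:
    """Guess what a 512-byte header candidate holds."""
    if sector[3:11] == b"NTFS    ":
        return "overwritten (NTFS boot sector)"
    if entropy(sector) > 7.0:
        return "looks encrypted (candidate header)"
    if sector[510:512] == b"\x55\xaa":
        return "overwritten (boot sector or partition table)"
    return "zeroed" if not any(sector) else "unknown"

def extract_header_slots(image_path: str, out_dir: str) -> dict:
    """Copy the four header slots out of the image and classify each one."""
    size = os.path.getsize(image_path)
    if size < 2 * HEADER_AREA:
        raise ValueError("image too small to hold a TrueCrypt volume")
    slots = {"primary": 0, "primary_hidden": SLOT,
             "backup": size - HEADER_AREA, "backup_hidden": size - SLOT}
    os.makedirs(out_dir, exist_ok=True)
    report = {}
    with open(image_path, "rb") as img:   # read-only: the image is never modified
        for name, offset in slots.items():
            img.seek(offset)
            data = img.read(SLOT)
            with open(os.path.join(out_dir, name + ".bin"), "wb") as out:
                out.write(data)
            report[name] = (offset, classify(data[:512]))
    return report

if __name__ == "__main__" and len(sys.argv) == 3:
    for slot, (off, verdict) in extract_header_slots(sys.argv[1], sys.argv[2]).items():
        print(f"{slot:15} offset {off:>14}  {verdict}")
```

Run it against the image file from step 1, never the original disk; the saved `.bin` copies give you untouched header slots to return to after any hex editing.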