Help recovering list of files from encrypted USB drive

Discussion in 'encryption problems' started by marius7x, Apr 9, 2014.

Thread Status:
Not open for further replies.
  1. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Hi. So I have a(nother) TrueCrypt problem for you guys :(.
    A few months ago I encrypted a USB flash drive using TrueCrypt (latest version), but a couple of days ago I got the common volume header error (password & key were not recognized). I restored from the internal backup (I didn't have an external backup of the header) and was able to mount the drive successfully. But both drives (USB + mounted drive) are not accessible in Windows (the common "do you want to format?").
    The filesystem now appears damaged (it became RAW), and I could not recover data from it using any of TestDisk, PhotoRec, GetDataBack or Recuva. With TestDisk I got as far as the Rebuild BootSector step, but it did not find anything after many hours of searching.
    Any idea what else I can try? Do I have any chance of partial data recovery, or at least the list of files that were on the USB stick? Thanks in advance.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Hmm, that's a strange one. Under the circumstances that you described, the last three programs that you mentioned will usually be able to find something. You got nothing at all, not even a recognizable file name or folder name? Are you sure you were examining the mounted volume?

    Try examining the mounted volume (according to its assigned drive letter) using a hex editor such as WinHex. See if you can find anything at all recognizable. Even a large block of zeros will be helpful, as it will prove that the data is decrypting.
     
  3. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    I opened the mounted drive in WinHex. Got unrecognized filesystem error, but it opened.
    Seeing used space: 59GB, free: 0b (promising?). But the Text and the Hex displays have no recognizable repeating sequences.

    Regarding TestDisk or PhotoRec, I was also amazed that they did not find anything. In TestDisk I selected None as partitioned media, then selected both NTFS and FAT32 (I'm not 100% sure if I really chose NTFS when I encrypted the USB drive). In NTFS mode, pressing List at this point returns "Can't open filesystem. FS seems damaged." Choosing Boot, I see that the boot sector has status=Bad, backup BS=bad and "Sectors are not identical". Rebuilding the BS doesn't find an MFT in 2h+ of running.
    I will keep scanning during today, also look deeper into WinHex options...
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Try using WinHex to search the mounted volume for a hex value of ten zeros, as follows:
    Start at the beginning of the disk, then select "Search", "Find Hex Values", "0000000000" (without the quotes), search "Down", "OK". (You have to type the zeros without spaces, but it searches for "00 00 00 00 00" as it will be displayed in WinHex.)

    Unencrypted data almost always contains numerous blocks of zeros, both large and small. I've had good luck using the above method, but you can use 8 instead of 10 if you want the search to run a little faster and you don't mind finding the occasional small blocks of zeros that will occur randomly in encrypted data.

    If you find any blocks of zeros at all then at least we will know that your volume is decrypting properly.

    If you can't find any blocks of at least 10 zeros then your data is probably not decrypting when you mount the volume. (Perhaps the header was restored to the wrong location. This can happen if, for example, a partition's starting offset has changed or has been lost entirely. Another explanation would be that the wrong header was restored to the volume.)
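    The zero-run test dantz describes above, as an added example that is not code from the thread or from WinHex: it scans a byte buffer (or streams a large image or raw device) for runs of ten 0x00 bytes, which plaintext filesystems contain in abundance and properly random ciphertext essentially never does. The run length of 10, the chunk size, and both sample buffers (a FAT-style boot sector with zero padding, and pseudo-random bytes standing in for ciphertext) are assumptions constructed for the example.

```python
import re
import random

# dantz's search: ten consecutive 0x00 bytes ("00 00 00 00 00 ..." in WinHex)
DEFAULT_MIN_RUN = 10


def find_zero_runs(data, min_run=DEFAULT_MIN_RUN):
    """Return [(offset, length), ...] for every maximal run of at least
    `min_run` zero bytes in `data` (in-memory equivalent of WinHex's
    "Find Hex Values" search for zeros)."""
    pattern = re.compile(b"\x00{%d,}" % min_run)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


def looks_decrypted(data, min_run=DEFAULT_MIN_RUN):
    """True when at least one long zero run exists: evidence that the
    mounted volume is really decrypting rather than passing through ciphertext."""
    return bool(find_zero_runs(data, min_run))


def expected_random_runs(volume_bytes, min_run=DEFAULT_MIN_RUN):
    """Expected number of positions in `volume_bytes` of uniformly random
    bytes at which `min_run` consecutive zeros begin: N / 256**min_run.
    For a ~59 GB volume and min_run=10 this is around 5e-14, so a hit is
    not a coincidence."""
    return volume_bytes / 256 ** min_run


def first_zero_run_in_stream(stream, min_run=DEFAULT_MIN_RUN, chunk_size=8 * 1024 * 1024):
    """Stream a multi-GB image or raw device handle and return the absolute
    offset of the first run of `min_run` zeros, or None if there is none.
    Consecutive windows overlap by min_run - 1 bytes so a run straddling a
    chunk boundary is still seen whole in one window."""
    overlap = min_run - 1
    pattern = re.compile(b"\x00{%d,}" % min_run)
    window_start = 0          # absolute offset of window[0]
    tail = b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            return None
        window = tail + block
        m = pattern.search(window)
        if m:
            return window_start + m.start()
        tail = window[-overlap:] if overlap else b""
        window_start += len(window) - len(tail)


def first_zero_run_in_file(path, min_run=DEFAULT_MIN_RUN, chunk_size=8 * 1024 * 1024):
    """Same check over a file path, e.g. a dd image of the mounted volume."""
    with open(path, "rb") as f:
        return first_zero_run_in_stream(f, min_run, chunk_size)


def first_zero_run_in_bytes(data, min_run=DEFAULT_MIN_RUN, chunk_size=8 * 1024 * 1024):
    """Convenience wrapper so the streaming path can be exercised on a buffer."""
    import io
    return first_zero_run_in_stream(io.BytesIO(data), min_run, chunk_size)


def _pseudo_random_bytes(n, seed=2014):
    # Deterministic stand-in for ciphertext (constructed sample, not real TC output).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample 1: start of a decrypted FAT-style volume
# (boot-sector-like bytes, zero padding, a bit of file data, more zero fill).
PLAINTEXT_SAMPLE = (b"\xEB\x58\x90MSDOS5.0" + b"\x00" * 500
                    + b"FAT32   " + b"hello" * 40 + b"\x00" * 4096)
# Constructed sample 2: 256 KiB of pseudo-random bytes, as ciphertext would look.
CIPHERTEXT_SAMPLE = _pseudo_random_bytes(256 * 1024)

if __name__ == "__main__":
    print("plaintext sample runs:", find_zero_runs(PLAINTEXT_SAMPLE))
    print("ciphertext sample decrypting?", looks_decrypted(CIPHERTEXT_SAMPLE))
    print("expected chance runs in 63333990400 random bytes:",
          expected_random_runs(63333990400))
```

    On a real case, point `first_zero_run_in_file` at a raw image of the mounted volume taken with a tool such as dd; a `None` result over the whole volume is the same signal dantz reads from an empty WinHex search.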
     
  5. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Scanned the entire day for mft, files or texts, but got nothing.
    Just finished searching with WinHex for the group of zeros (thanks for the suggestion btw) and found none.
    So the drive that is mounted does seem to not be decrypting properly, exactly like you said.

    Looked around TrueCrypt itself and decided to create a volume header backup (external).
    Got the following interesting warning at the end: "WARNING: This volume header backup may be used to restore the header ONLY of this particular volume. If you use the backup to restore the header of a different volume, you will be able to mount the volume, but you will NOT be able to decrypt any data stored in the volume (because you will change its master key).".

    The last part matches with what is happening to me (I can mount, but the mounted volume looks like garbage or encrypted).
    Not 100% sure what they mean by "different volume" (another PC?), but I remember that I initially encrypted the USB drive on a different machine (speed reasons). Then used it only on this one, got the unexpected password problem, restored the header (from the internal backup), twice when it did not work.
    Did I change the master key? Is it something I can repair or regenerate, for example using the other PC?
    I know I should've kept a header backup, but until the problem I didn't know about its existence :(.
     
  6. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Trying to simply restore the header using the original PC did not work unfortunately.
     
  7. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Wanted to try the WinHex steps covered in other posts here (e.g. this), but I'm not 100% sure if the cases apply (I didn't encrypt a container, I don't have a hidden vol). And I did restore the embedded volume header "too many times", so not sure if finding its start sector helps or not. I'm pressed to decrypt until the end of next week.
    Dantz, any other suggestion please?
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    You need not be concerned with that warning. TrueCrypt is just trying to prevent you from misusing the external backup header. If you create an external backup header (which is always a good idea) then you can restore it to the same volume that it was created on any time you need to, even if the volume has been moved to a different computer, etc.

    However, if you restore an external backup header to a completely different volume, not the one that it was created on, then the volume will mount but not decrypt, because the supplied header contains the wrong decryption keys for that particular volume.

    In your case you restored the embedded (internal) backup header, so you know that it's the right one. The question is, did it somehow get restored to the wrong location? This doesn't usually happen to flash drives, but let's take a look anyway.

    Try this:

    1. Mount the volume, then click on Volume Properties (in TrueCrypt) and write down the size of the volume in bytes. Add 262,144 to that number (to include the four 64KB headers) to come up with the total size of the TrueCrypt volume + headers.

    2. Dismount the volume, then open the flash drive (the Physical Media, not the Logical Volume) in WinHex. Look in the information panel to see the Total capacity in bytes. Is this the same number that you calculated in Step 1?

    I haven't worked with that many encrypted flash drives, but on all the ones that I've worked on, the TrueCrypt volume + headers fills up the entire drive, with no bytes left over. In this situation, TC has no problem in restoring the embedded backup header to the correct location. However, if your numbers don't match up perfectly then we can look into that.
     
  9. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Volume Properties in TC says "63333662720 bytes".
    The total is: 63333662720 + 262144=63333924864
    In WinHex, opened Disk, Physical Media, RM1: Corsair Survivor 3.0 (59.0GB, USB), total capacity in bytes shows as:
    63333990400, so 65536 bigger. If this were, for instance, a 5th 64KB header (?), the numbers would match exactly.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    That's interesting. Since your TC volume obviously does not fill the entire drive, we can assume that your drive either currently contains a partition, or it used to contain a partition which has been lost. Perhaps the partition's starting offset is (or was) at 65536 decimal. We'll see.

    Try this:
    If your TC volume is mounted, please dismount it

    Use WinHex to open your flash drive via "Tools: Open Disk", then select your flash drive from the "Physical Media" list.

    In WinHex, the area known as the Directory Browser is near the top of the screen, a short distance below the menu and toolbar. If your flash drive currently contains a partition it should be listed here. What do you see in this area? Post a screenshot if you like, or just describe it.

    If "Partition 1" is listed, look in the rightmost column and note down the starting point of partition's "1st sector". Then look in the information pane (usually on the right) and note the "Bytes per Sector". (You can multiply these two numbers together to calculate the partition's starting offset).

    You can also just click once on "Partition 1" in the directory browser, and you will be taken directly to that offset.

    Or, perhaps the partition was lost, in which case WinHex will probably not list it and we will have to examine the drive manually.

    While you have your physical drive open in WinHex, examine the first 64KB, focusing on the very beginning of the drive, but also scrolling down a little ways one screen at a time (click once in the data and then use the PgDn key, not the scroll bar, as it moves too fast). Let me know if you see anything recognizable such as large blocks of zeros "00 00 00 00 00 etc.", or words/abbreviations such as No NAME, FAT32, MSDOS, NTFS, etc. Look in the hex column for zeros, and the text column for recognizable words.

    Also examine the area around 65536 (decimal). See if you can spot any sort of a transition where one type of data (perhaps a bunch of zeros) ends and another type of data (hopefully a large block of completely random and unintelligible data) begins. We're just guessing at this point, but since we have to account for an extra 64KB of space, this would be the first place to look.

    You should also look at the very end of the drive. Press Ctrl+End to get down there quickly, then start scrolling up. If you see any large blocks of zeros down here then we will have to rethink things a bit, so be sure to mention it if you do.

    Let me know what you see, and we'll take it from there.
     
  11. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Hi. For the 1st part, there's no partition detected in WinHex (or other tools).
    http://s29.postimg.org/5z1c7l4pz/wh2.jpg
    Second: at offset 200, sector 1 of 123699200, a section of only 00 groups starts. Until this, no recognizable data (00 or words). The 00 section lasts until sector 128. So, to summarize, in the first 64KB (128 sectors of 512b), the 1st sector is some kind of data, while the other 127 are with '00'. Scrolled past the 65536 mark until sector 641, and indeed, a "large block of completely random and unintelligible data" began from sector 128 like you assumed.

    Scrolling up from last sector, I noticed that the last sector with data is 123699199 out of 123699200, then there's a blank area in the window (either an empty sector or something I don't understand in the numbering). Then nothing out of the ordinary in the 513 sectors I scrolled up from the bottom.
    http://s27.postimg.org/4tx4kjg9v/wh3.jpg
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    OK, I think I understand what's going on. I can't be positive about this, but it looks like the first sector of your drive has been overwritten with a restored TrueCrypt header. TC normally writes the first 512 bytes of a header (which is all it really needs) when you restore a header from a backup. However, it's in the wrong location, so it isn't able to decrypt your data. It probably went to the beginning of the drive because you restored it to the disk instead of the partition (which is no longer defined, as the partition table has been overwritten by the header.) There's no telling which happened first - the partition table becoming damaged, or the TrueCrypt header overwriting it, but it doesn't really matter, as we can solve this problem without thinking too much about that sector.

    It looks like your lost partition probably began where we thought it did, at offset 65536 (decimal). I would try creating a small test file that starts at that sector. I've written the general instructions for creating and then testing this type of file in quite a number of my posts in this forum. Here is my latest effort, which partially applies to your situation:

    https://www.wilderssecurity.com/threads/truecrypt-volume-error.358446/page-3

    However, you can skip some of the steps, and you would use different numbers when you define your block. (It would begin at 65536, and it could be considerably smaller, even 1 or 2 MB ought to be enough in most cases). I will post a modified version for you tomorrow, but I need to get some sleep now.
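    The size arithmetic and sector inspection from dantz's posts above (volume size plus the four 64KB headers compared against the physical capacity, partition offset from first sector times bytes per sector, and the walk through the first 64KB looking for the point where zeros give way to random-looking data), as an added example that is not code from the thread, from TrueCrypt or from WinHex. It reuses the figures marius7x reported; the 262,144-byte header area follows dantz's statement. The disk image is constructed (a random-looking sector 0 standing in for the stray restored header, 127 zero sectors, then pseudo-random bytes standing in for the encrypted volume), and the entropy threshold used to tag a sector as ciphertext-like is an assumption of this example.

```python
import math
import random
from collections import Counter

SECTOR = 512
HEADER_AREA = 4 * 64 * 1024          # four 64 KiB header areas (262,144 bytes), per the thread
RANDOM_ENTROPY_THRESHOLD = 7.0       # bits/byte; assumption for "looks like ciphertext"


def leftover_bytes(physical_capacity, volume_bytes, header_area=HEADER_AREA):
    """Physical size minus (TC volume size + headers). 0 means the volume fills
    the drive; a positive value is space outside the volume, e.g. in front
    of a lost partition."""
    return physical_capacity - (volume_bytes + header_area)


def partition_offset(first_sector, bytes_per_sector=SECTOR):
    """Starting offset of a partition from WinHex's "1st sector" and "Bytes per Sector"."""
    return first_sector * bytes_per_sector


def entropy_bits_per_byte(block):
    """Shannon entropy of a byte block; ~7.6 for 512 random bytes, far lower for text or zeros."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_sector(block):
    """'zero' for an all-zero sector, 'random' for ciphertext-like, else 'data'."""
    if not block.strip(b"\x00"):
        return "zero"
    if entropy_bits_per_byte(block) >= RANDOM_ENTROPY_THRESHOLD:
        return "random"
    return "data"


def find_transition(image, start=0, stop=None, sector=SECTOR):
    """Walk sectors from `start`; return the absolute offset of the first
    'random' sector that directly follows a 'zero' sector, or None. This is
    the zeros-to-random boundary dantz asked marius7x to look for."""
    stop = len(image) if stop is None else stop
    prev = None
    for off in range(start, stop, sector):
        kind = classify_sector(image[off:off + sector])
        if kind == "random" and prev == "zero":
            return off
        prev = kind
    return None


def carve(image, offset, length=None):
    """Copy bytes from `offset` to the end (or `length` bytes): the 'test file'
    / full extraction that is then mounted with the correct header."""
    end = len(image) if length is None else offset + length
    return image[offset:end]


def diagnose(physical_capacity, volume_bytes, image):
    """Tie the numbers together: leftover space suggests a candidate partition
    offset (assumption: all leftover space lies in front of the volume);
    the sector walk shows whether the image agrees."""
    extra = leftover_bytes(physical_capacity, volume_bytes)
    candidate = extra if extra > 0 else None
    observed = find_transition(image)
    return {"leftover": extra, "candidate_offset": candidate,
            "observed_transition": observed,
            "consistent": candidate is not None and candidate == observed}


def build_constructed_image(total_sectors=640, seed=2014):
    """Constructed sample disk: sector 0 = random-looking bytes (a restored TC
    header's salt + encrypted fields), sectors 1..127 = zeros, 128.. = ciphertext."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return rand(SECTOR) + b"\x00" * SECTOR * 127 + rand(SECTOR * (total_sectors - 128))


IMAGE = build_constructed_image()

if __name__ == "__main__":
    # Figures from the thread: TC volume 63333662720 bytes, drive 63333990400 bytes.
    print("leftover bytes:", leftover_bytes(63333990400, 63333662720))
    print("offset of sector 128:", partition_offset(128))
    print("sector kinds:", [classify_sector(IMAGE[i:i + SECTOR]) for i in range(0, 3 * SECTOR, SECTOR)])
    print("diagnosis:", diagnose(63333990400, 63333662720, IMAGE))
```

    The candidate offset from the size difference and the boundary observed in the sector walk are two independent measurements; the procedure only proceeds to carving when both agree, which is exactly the cross-check dantz performs between posts 8 and 12.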
     
  13. marius7x

    marius7x Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    8
    Thanks for the link to your other post. It's very descriptive and it was helpful now that I was sure what start point to use for the testfile I kept seeing in your posts here.
    So, I did create and mount a 2MB test file. Then, did the full extraction (from 64KB and until end of volume), mounted and recovered all my files. And all in under 1h (for 60GB) using your detailed guide.

    So, Dantz, thank you again, I'm very grateful for your help :thumb:!
    You can add one more person to the countless others you helped here to get their data back successfully. And to think I was 99% sure I have no hope or option left ;)
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Wow, that's great. You're very welcome! Congratulations on getting your data back.
     
  15. LeeWaves

    LeeWaves Registered Member

    Joined:
    May 21, 2014
    Posts:
    1
    Dantz, my deepest gratitude to you too as I followed your above thread and similar to marius7x, managed to fully retrieve my data from an encrypted USB drive using WinHex once I had established where the offset should have been (common volume header error (password & key were not recognized), restored from internal backup).
    Thanks once again - I owe you big time :)
     
  16. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Congratulations! I'm glad that I was able to help.
     