Help! TrueCrypt Bootloader Overwritten. Is recovery possible?

Discussion in 'encryption problems' started by Ickenham, Sep 15, 2013.

Thread Status:
Not open for further replies.
  1. Ickenham

    Ickenham Registered Member

    Joined:
    Sep 15, 2013
    Posts:
    2
    Location:
    Canada
    1. Dell XPS 15 L502X
    2. Microsoft Windows 7 Professional 64-bit
    3. Seagate 750GB HDD
    4. As-shipped Dell factory partition configuration.
    5. Hard disk drive encrypted with TrueCrypt.
    6. TrueCrypt password is known.
    7. TrueCrypt Rescue Disk unavailable (may not exist or location unknown).

    Earlier this year, my wife's employer mandated and implemented additional security measures for employees' PCs and devices used to access workplace resources (e-mail, VPN, et cetera). In order to comply with the new regulations, my wife brought her notebook in to her employer's IT services department and a staffer there encrypted the HDD with TrueCrypt. As of this writing, I do not know whether he created the unique TrueCrypt Rescue Disk for her PC, and if he did so, whether it can be found.

    In a rash and foolhardy act, I downloaded from Dell a "recommended" firmware update utility, intending to update the firmware of the Seagate HDD in my wife's employer-provided (but not employer-maintained) notebook PC.

    The Seagate firmware update utility is a Windows GUI executable, but it created a temporary bootloader in order to run at boot time and then automatically restarted the PC.

    Upon restarting, "Seagate _" was displayed for many minutes with no indication of progress (I've run the firmware update utility successfully on other PCs of this model).

    Eventually, I panicked and shut down the PC, waited for the HDD to spin down and then powered it up again.

    "No operation [sic] system"

    Booting from USB into Linux (Parted Magic), I found that the hard disk firmware had not been updated. I ran the HDD's built-in Short Self-test and Conveyance Self-test and both passed in the estimated time.

    The GUI partition manager found no partitions on the disk, but the disk is readable in the CLI hex editor, hexedit.

    Parted Magic includes the Linux TrueCrypt GUI, and I attempted to mount the drive using the known password, but TrueCrypt did not recognize the drive as a TrueCrypt volume.

    Any suggestions as to how best to proceed? It may be necessary for me to work on a copy of the data if my wife's employer chooses to wipe the drive and reinstall. I'm thinking I'll make a bit-for-bit copy of the drive to a larger capacity drive over E-SATA (dc3dd if=/dev/sda of=/dev/sdb progress=on) and then make recovery attempts on copies of that first copy. UPDATE: I have now done this, having copied the drive to a 3.5" 1TB WD Caviar Black (512-byte sectors).

    Is there any method by which I can recreate the TrueCrypt volume header and key without access to the unique TrueCrypt Rescue Disk created when the disk was encrypted? As stated above, the password is known.

    I have access to two other PCs of the same model, which should have similar partition schemes, although they'll differ based on disk size, one has a 500GB Seagate HDD and the other has a 256GB Samsung SSD, neither of which is encrypted with TrueCrypt.

    I am most grateful for any assistance you are able to offer.
     
    Last edited: Sep 15, 2013
  2. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Yes, if you have the disc that they make you write when you first start to encrypt. You can use to to re-fix the boot-loader. :thumb:
     
  3. Ickenham

    Ickenham Registered Member

    Joined:
    Sep 15, 2013
    Posts:
    2
    Location:
    Canada
    After reading the following:
    You replied:
    Thank you for replying to my question. You are, no doubt, having a laugh at my expense. Dry wit you have there.
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I was just offering you the solution. You need the boot truecrypt boot disk. I hide mine under my air filter so if there is ever a problem its in such a remembered place I can always find it. You really need to keep track of your disk. I am sure someone may have an idea how to get it back without, but really its your best option. Replying only bumps your thread up too, so maybe someone else will know.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I would recommend going back to your wife's IT guy. I have a couple of comments, which I hope you'll accept.

    1. TC is not designed for corporate use and any IT guy that would employ it and not maintain rescue disk ISO's for the machines should be summarily discharged. The corporate environment begs for the use of an Enterprise approach software, where IT has Admin backdoor access. There are great products out there for that. Its too late now in this instance. I really question any IT dept that would employ TC such as you describe.

    2. If your wife did this herself that is another story. There are lots of sales type folks that want their machines encrypted for obvious protection. In those instances they would bear the responsibility to maintain access.

    You DO HAVE some options. If you pull the sata from the laptop and take it to one of the other TC encrypted machines you should be able to open the drive using options in their TC panel. Its easy to do. So, you get your data back as a minimum. If the TC encryption happened locally you might well get the iso image (contains the bootloader stuff too) which is stored in the default location. Using that image you can burn a new rescue disk ISO and you are back and running easily.

    Again, I just can't imagine the IT folks wouldn't have anticipated this and have what you need ready to go already.
     
Loading...
Thread Status:
Not open for further replies.