How to find encrypted system partition using TC Rescue Disk?

Discussion in 'encryption problems' started by wiktorrr, Sep 27, 2015.

  1. wiktorrr

    wiktorrr Registered Member

    Sep 27, 2015

    I have a "little" problem and kindly ask for your help :)
    I accidentally overwrote the MBR using the Ubuntu installer and can't find the TC headers. I have been using TestDisk, TCHead and other "rescue" programs without success.

    I have found a Python script to determine whether a sector is a TC header (after decryption the first 4 bytes contain "TRUE" - I've checked it on other disks and it really works). I modified it to search for the TC header through the whole disk, but it takes too long.

    My disk partitions look like:
    part. 1 or 3: Linux system unencrypted - about 200GB
    part. 2: fully encrypted partition - about 450GB <-- this partition I need most!
    part. 1 or 3: encrypted Windows system: about 60GB

    I have an idea: if I knew where the encrypted Windows system is, I could find the part. 2 header (first or backup header - depends on where the Windows system is).

    So, I have the TC Rescue Disk for the encrypted Windows system and I know where the backup header is on the CD. The TrueCrypt Volume Format Specification says that the header contains the size of the volume and the offset of the start of the master key scope - with this data my problems will be solved!

    BUT! It is not so simple, because the encrypted system header, after decryption, does not contain any "TRUE" ASCII string! It seems like TC uses a different encryption for systems than for partitions.
    Unfortunately I can't find any information about this in the official TC documentation.

    NOTE: Using the TrueCrypt program to test the header from the TC Rescue Disk, I found out that I have to check "Mount partition using system encryption (preboot authentication)" - maybe this will be some clue?

    Any help will be very very welcome :)

    PS. I know that my English is not very good, so ask me if you do not understand some text.
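
The header fields the post refers to, as an added example that is not part of the original post or the poster's script: it validates an already-decrypted 512-byte header using the "TRUE" magic plus both CRC-32 fields and reads the volume size and master key scope offset at the offsets given in the TrueCrypt Volume Format Specification. The function names and the sample header are constructed for illustration, decryption is assumed to happen elsewhere, and the checksum is assumed to be the standard CRC-32 that zlib computes.

```python
import struct
import zlib

HEADER_LEN = 512  # 64-byte salt followed by 448 bytes of header fields


def parse_decrypted_header(hdr):
    """Return the header fields as a dict, or None if hdr is not a valid header."""
    if len(hdr) != HEADER_LEN or hdr[64:68] != b"TRUE":
        return None
    # All multi-byte fields are big-endian.
    version, min_program, crc_keys = struct.unpack_from(">HHI", hdr, 68)
    hidden, size, mk_offset, enc_size, flags, sector = struct.unpack_from(">QQQQII", hdr, 92)
    (crc_fields,) = struct.unpack_from(">I", hdr, 252)
    # "TRUE" alone can match by chance; both CRC-32 values must also agree.
    # Assumption: the header CRC is the standard CRC-32 that zlib computes.
    if zlib.crc32(hdr[64:252]) != crc_fields or zlib.crc32(hdr[256:512]) != crc_keys:
        return None
    return {
        "version": version,
        "hidden_volume_size": hidden,
        "volume_size": size,
        "master_key_scope_offset": mk_offset,
        "encrypted_area_size": enc_size,
        "system_encryption": bool(flags & 1),  # flag bit 0
        "sector_size": sector,
    }


def build_sample_header(volume_size, mk_offset, flags=0):
    """Constructed test data: a plaintext header with dummy key material."""
    hdr = bytearray(HEADER_LEN)
    hdr[64:68] = b"TRUE"
    struct.pack_into(">HH", hdr, 68, 5, 0x0700)  # constructed version values
    hdr[256:512] = bytes(range(256))  # placeholder, not real keys
    struct.pack_into(">I", hdr, 72, zlib.crc32(hdr[256:512]))
    struct.pack_into(">QQQQII", hdr, 92, 0, volume_size, mk_offset, volume_size, flags, 512)
    struct.pack_into(">I", hdr, 252, zlib.crc32(hdr[64:252]))
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample_header(450 * 2**30, 200 * 2**30)
    print(parse_decrypted_header(sample))
```

Checking the two CRC-32 fields as well as the magic string rules out sectors that merely happen to decrypt to "TRUE" during a whole-disk scan.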