How to recover deleted Truecrypt Partition

Discussion in 'encryption problems' started by ptmoy2, Jul 16, 2014.

  1. ptmoy2

    ptmoy2 Registered Member

    Joined:
    Jul 16, 2014
    Posts:
    7
    Location:
    New York
    My hard drive had 3 partitions created using the win7 disk manager. The 1st and 2nd partitions were formatted in NTFS. The 3rd partition was encrypted using Truecrypt. I accidentally deleted partitions 2 and 3, and now Truecrypt can't find the encrypted partition to mount. I've read several very informative threads on how to recover lost Truecrypt partitions. My situation is most similar to the one discussed here but slightly more complicated:

    https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/

    Recovery methods discussed in the above thread as well as several others require finding the beginning location of the Truecrypt partition, and creating a block starting from this position using WinHex and storing into a file. My problem is that I don't know how to determine where the Truecrypt partition starts. The 2nd NTFS partition, which is now unallocated space, was between the end of the 1st NTFS partition (which is still there) and the start of the Truecrypt partition.

    Please help.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Did Partition 3 extend to the end of the disk (or as near as you could make it)? If so then you could possibly use a hex editor such as WinHex to visually locate the end of what used to be Partition 3 (look for a huge block of random data that either extends to the end of the disk or suddenly transitions into a smaller block of zeros), and then try to recover the embedded backup header (which is always stored a specific distance back from the end of the partition), and then use TrueCrypt to mount a file which begins with the embedded backup header in order to read the TrueCrypt volume properties, which include the exact size of the original volume in bytes.

    Once you have that number you can use it (along with your knowledge of the partition's ending offset) to grab the entire contents of the missing partition and save it onto another disk as one gigantic file. The file, if done properly, will be mountable in TrueCrypt and should contain your missing data.

    It's easier said than done, by the way. But that's the general approach.

    Don't mess with the drive in the meantime. Be especially careful not to run any partition recovery software, as it might damage the third partition. If you want to try that sort of software then you should clone the entire disk and then try it on the clone, not the original.
     
  3. ptmoy2

    ptmoy2 Registered Member

    Joined:
    Jul 16, 2014
    Posts:
    7
    Location:
    New York
    Dantz, thanks for helping me.

    Partition 3 did extend to end of disk. This is a 500GB disk. After I deleted partitions 2 & 3, Win7 Disk Manager reports: partition 1 - 60.5GB; Unallocated - 405.26GB. But WinHex (evaluation copy) reports: Start sectors - 31.5KB; Partition 1 - 60.5GB; Unpartition space - 405GB; Unpartitionable space - 2.5MB. Unpartitionable space starts at 7470988200. But looks like there's a small block of garbage before it; see figure 2. Then some zeroes before that, then maybe encrypted data; see figure 1.

    Which part is the embedded backup header, and how do I go about recovering it?
     


  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Figure 1 shows a backup NTFS boot sector for an NTFS-formatted partition. This usually goes in a partition's last sector. However, it would not normally be visible at the end of a TrueCrypt-encrypted partition. Rather, you would see a solid block of random data which suddenly ends (becoming all zeros, typically) after the last sector of the last partition. The backup NTFS boot sector is probably there as the result of an accidental format of the 3rd partition, before it was accidentally deleted.

    Let's look back a little ways. Try this:

    1. In the WinHex directory browser, click once on "Unpartitionable Space" to place your cursor right after the (assumed) end of the lost partition.

    2. Navigation, Go to offset, 20000 Bytes hexadecimal, current position (back from), OK.

    If Step 1 placed your cursor just below the lost partition's endpoint then Step 2 would move your cursor to the location where TrueCrypt's embedded backup header begins.

    Look around the area. Go up a few screens, then go down a few more screens. (Press PgUp or PgDn to move one screen at a time.) What do you see here? Does your cursor seem to be immersed in a large block of completely random-looking data? Or is it just a bunch of zeroes?
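
The offset arithmetic from the two posts above, as an added example (not code from the thread or from TrueCrypt): it scans a clone image backward for the end of the random-looking data, steps back 0x20000 bytes to where the embedded backup header should begin, and copies a byte range out to a separate file. The function names, the entropy threshold of 7.0 and the miniature test disk are assumptions made for illustration.

```python
import math
from collections import Counter

SECTOR = 512
BACKUP_HEADER_DISTANCE = 0x20000  # "20000 Bytes hexadecimal" back from the end, per the post


def looks_random(sector, threshold=7.0):
    """Shannon entropy in bits/byte: encrypted data is near 8, zeros are 0."""
    n = len(sector)
    if n == 0:
        return False
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(sector).values())
    return entropy >= threshold


def find_random_end(disk, size):
    """Scan backward; return the offset just past the last random-looking sector."""
    pos = size - size % SECTOR
    while pos > 0:
        disk.seek(pos - SECTOR)
        if looks_random(disk.read(SECTOR)):
            return pos
        pos -= SECTOR
    raise ValueError("no random-looking data found")


def backup_header_offset(partition_end):
    """Offset where the embedded backup header should begin."""
    return partition_end - BACKUP_HEADER_DISTANCE


def carve(disk, start, length, out, chunk=1 << 20):
    """Copy length bytes from start of the read-only source into the out stream."""
    disk.seek(start)
    copied = 0
    while copied < length:
        data = disk.read(min(chunk, length - copied))
        if not data:
            break
        out.write(data)
        copied += len(data)
    return copied


if __name__ == "__main__":
    import io, os
    # Constructed miniature disk: cleared gap, random "volume", zeroed tail.
    disk = io.BytesIO(bytes(0x10000) + os.urandom(0x40000) + bytes(0x2000))
    end = find_random_end(disk, 0x52000)
    print(hex(end), hex(backup_header_offset(end)))
```

A stray low-entropy sector at the very end of the old partition (such as the backup NTFS boot sector seen in figure 1) makes the scan stop one sector early, so the detected end still needs a visual check in the hex editor.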
     
  5. ptmoy2

    ptmoy2 Registered Member

    Joined:
    Jul 16, 2014
    Posts:
    7
    Location:
    New York


    Looks like large block of completely random-looking data.
     
  6. ptmoy2

    ptmoy2 Registered Member

    Joined:
    Jul 16, 2014
    Posts:
    7
    Location:
    New York
    Does anyone know how the embedded backup header (please see prior postings on this thread) can be used to recover the lost Truecrypt partition and encrypted data?
     
  7. billabq

    billabq Registered Member

    Joined:
    Sep 12, 2014
    Posts:
    2
    Excuse the interruption, but I have a related question about a truecrypt partition I foolishly deleted.

    On a 1TB drive I had 2 partitions, a win7 systems partition (~300gb) followed by a truecrypt partition (~700gb).

    I intentionally deleted the first partition (win7) and then mistakenly also deleted the truecrypt partition.
    The entire drive now appears as 1 unallocated space in disk manager.

    I am wondering if for these large partitions it is feasible to locate and recover the truecrypt partition
    using the techniques in the excellent discussions here? Or if I should give up on this.

    Any suggestions would be much appreciated.
     
  8. ptmoy2

    ptmoy2 Registered Member

    Joined:
    Jul 16, 2014
    Posts:
    7
    Location:
    New York

    I managed to recover my lost partition using Testcrypt and Testdisk. First try searching for your lost partition using Testcrypt. If you're lucky, it'll automatically find the lost partition and mount it for you. If Testcrypt can't find the lost partition, then try running Testdisk to see if it sees the partitions. If yes, then you can use the C/H/S pertaining to start of partition found by Testdisk to pinpoint your search in Testcrypt, which is actually what I had to do to recover my lost partition.
     
  9. billabq

    billabq Registered Member

    Joined:
    Sep 12, 2014
    Posts:
    2
    Many thanks to Mr. ptmoy2 and to the developers of the magical Testcrypt program.
    Thanks to them my deleted Truecrypt partition was automatically located and loaded for me.
    All I had to do was copy the files.

    Marvelous!
     