I moved a partition inside my FDE disk

Discussion in 'encryption problems' started by RPG83, Jan 4, 2015.

  1. RPG83

    RPG83 Registered Member

    Joined:
    Jan 4, 2015
    Posts:
    4
    Okay, so this is a little old thing but I guess time doesn't hurt in file recovery.

    In May 2014 I had a 2 TB disk with Truecrypt FDE. The disk had multiple partitions and one of them (C:) had my OS (Win 7). Unfortunately though, I was young and stupid. I wanted to extend my partition H. I couldn't do it with Windows' own tools so I used some third party software to move the partition H to the start of the unallocated space with intent to extend it to the end of the disk afterwards.

    This was the situation before I did anything (Sorry, it's in Finnish but the visual language is a universal language):

    http://i57.tinypic.com/2m66f5j.jpg

    Well, the partition H became inaccessible immediately after moving it to the start of the unallocated space. I can't say for sure moving partition H didn't affect any other partitions but I don't think so. I stopped at that point.

    After that I went to the store and bought myself a 3 TB drive for the recovery operation. I started copying the still working partitions (or rather their content) to the 3 TB disk, not all at once but one partition in every few days. I managed to back up partitions C, D and E.

    One day my Windows decided to reboot itself and Truecrypt bootloader came normally. I entered the key and things moved on. Instead of loading Windows and getting to the desktop I got to a screen looking like when you install Windows. There was some kind of error shown and I was asked if I wanted Windows to try fixing it. I let Windows do what it wanted but it said it couldn't fix the error. I don't have exact memories about what happened after that but I do know that I bought a 240 GB SSD disk for reinstalling Windows.

    After reinstalling Windows to the SSD disk I tried using Truecrypt to decrypt the whole 2 TB disk with no success.

    Current situation is this:

    http://i62.tinypic.com/8z1xn4.jpg

    What I would like to achieve is the recovery of the 2 TB disk. Preferably as a whole but hopefully at least partitions F, G and H.

    No, I did not have a backup of the partition table but I do have a Truecrypt rescue disk. I have looked at the wonderful advice provided by "dantz" and got some clues from there but the big picture is still a little unclear to me.

    I have some questions:

    1) What is the most likely thing that has happened? What parts do my initial ** possibly offensive word removed** and letting Windows fix things play? How bad does the situation look?
    2) How should I continue? Should I buy a yet third disk so that I can copy the whole 2 TB disk to it as I have already used some of the 3 TB disk I originally bought for data recovery? Then I could experiment completely safely with that new disk, right?
    3) What program should I use to get a fully accurate copy of the 2 TB disk as safely as possible?

    If you have anything else to add, please feel free to comment.
     
    Last edited by a moderator: Jan 4, 2015
  2. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    I haven't used TrueCrypt so I may be way out in left field but, can the third party software 'see' the H drive contents (after the move)?
    If it can, what about trying to move it back from whence it came?

    The other question is: starting at the beginning, why not decrypt H and then move it and then re-encrypt it?

    J
     
  3. RPG83

    RPG83 Registered Member

    Joined:
    Jan 4, 2015
    Posts:
    4
    No, the partition H went immediately to RAW after it was moved. So absolutely it was not (and is not) readable. In spite of that I believe your method might work but I wonder a few things:

    A) I don't remember what program I used to move the partition. Chances of success would be the highest with using the same program, I guess.
    B) Partition table must have been modified by the program as I can see the H drive (even though it is in RAW) but not access it, right?
    C) What did Windows do when it tried to fix itself? Did it do other damage to the partition table?
    D) If Windows didn't cause any more damage trying to fix things, why don't I see the partitions D, E and F? (Take a look at the first screenshot, the second one is taken only after the move and after Windows tried to fix itself.) I'm 100% positive that at least D was readable right after moving the partition H so I guess Windows running around fixing things is the culprit in the disappearance of partitions D, E and F.

    I tried to google but I didn't find anything strictly prohibiting so I did what I did. Stupid, I know. Only now I'm starting to understand Truecrypt better. Though I wonder if that would have worked as the whole drive was encrypted with full disk encryption. I believe I should have decrypted the whole drive instead of just one partition, then do the move and after that encrypt the whole drive again, which would have taken a few days.


    ----------------------------

    I want to make a good backup of the whole drive before doing anything not to worsen the situation. Even then I would much rather work on the backup and not the original if at all possible.

    Does anybody have any idea if using Winhex to copy a whole partition into a file (as Dantz has suggested in some of his posts) on a different disk is feasible in my situation? Does the FDE make things more complicated or could I use the same method to get access to the RAW partitions?
     
  4. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    No doubt you've seen the following thread but if not...
    https://www.wilderssecurity.com/threads/truecrypt-whole-disk-encryption-problem.371764/

    of course that's no help now unless you can get the H moved back to the end of the disk and hopefully then the TC header will work and you can decrypt the drive and then start over by moving H to the new location and then encrypt partitions individually (and back up the TC headers).
    If you were to try to copy the original disk, I think that you'd need an identical drive for backup, with all partitions starting and ending at the same sectors so it's a true 'image'/mirror/whatever.
    If anything was 'off', TC might still not recognize it.

    So in a sense, go back to the beginning, install the 2TB original disk and hope that when:
    windows didn't change anything and you (theoretically) can move H back to the end if you can find software that will do that (WinHEX?).

    You could give this a try
    http://www.partitionwizard.com/

    anyone else want to jump in and help?

    J
     
    Last edited: Jan 6, 2015
  5. RPG83

    RPG83 Registered Member

    Joined:
    Jan 4, 2015
    Posts:
    4
    Jwcca,

    I had seen that thread before but now that I read it properly it looks like the missing partitions D, E and F might not be missing after all! Thus Windows might not have broken anything too meaningful while fixing itself (I hope).

    I did some research on the files I had managed to copy after moving the H partition and before Windows "fixed" itself. It seems to me I managed to copy only a fraction of the partition C (Windows rebooted while copying its contents to another disk?). What's interesting is that this name came up from program files: EaseUS Partition Master 10.0. It's installed around the time I did my mistake. However, there are only folders starting with letters from A to G in the program files so I don't think I managed to copy the whole program files. Thus one can't be sure if EaseUS is the program used but that's the one I would bet on.

    Does such thing as an "identical drive" exist? I don't have very much knowledge about harddrives but I do know that a 2 TB harddrive doesn't have 2 TB of space after you format it. The question is if a similar drive (same manufacturer, same product series, same size, same firmware) would work or if even they have differences?

    Is it possible to create such a drive by using some software? Like a virtual hard drive. I found some info about it and they also mention a program called 'Acronis True Image'. I recall it being used by someone in these forums to make a backup.


    -----------------------------------


    I read this thread not too long ago. They talk about a "100 mb reserve partition". When looking at the second (after) screenshot (http://i62.tinypic.com/8z1xn4.jpg) in the first message of my thread I realized one thing: the first partition (100GB) of the 2TB disk had my OS. Well, the disk management window shows the capacity ('kapasiteetti') as 100GB and the free space ('vapaa tila') as 99.89GB. There must be some kind of connection between those things! Either it's really good or really bad, IMHO.

    I also wonder if @Palancar got anything. Did you, Palancar?


    And let me state once more: I have a Truecrypt Rescue Disk. I'm a little unsure if it's the right one but I think it is. It's from late 2013 so at least it's fairly recent and I don't remember doing any major modifications to my encryptions for a long time. It may very well be that I just realized "Why don't I have a rescue disk!?" and made one. I have to test that at least the password is correct. There's a step-by-step guide for that written by Dantz.
     
  6. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    In this case I meant another 2TB drive from the same mfr with the same part number, for example I have a lot of 2TB Western Digital Green drives part # WD20EZRX which have identical specs (obviously I guess).
    I use these for backing up movies, each has 4 partitions of 476,928MiB (=465.75GiB) with 8MiB unused at the very end. So in my case (I think) I know exactly where the partitions start and end. (=1871GiB).

    Boot to the SSD, install the partition manager of your choice, attach the 2TB encrypted disk and try to see all your partitions... I hope you can move the H back 'home'... good luck.
    J
     
    Last edited: Jan 6, 2015
  7. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    How did it go?
     
  8. RPG83

    RPG83 Registered Member

    Joined:
    Jan 4, 2015
    Posts:
    4
    @jwcca

    I still haven't done it. I should get a grip on myself and go buy a 3TB disk to make a full copy of the 2TB disk and then find a similar 2TB disk to experiment with. I want to evade overwriting anything (more) on the original 2TB disk until this situation is solved. If it's not, I will just let the 2TB disk sit on my shelf waiting for a better time - a time when I may be rich enough to afford hiring Christophe Grenier to work on it. :cool:

    The 2TB disk shows up as "WDC WD20EARS-00MVWB0 ATA device" in Windows. I couldn't find too many of them new but Ebay seems to have about a hundred of them so I may be able to find a similar drive. The drives on Ebay had at least two different kinds of labels on them so I will check the label on my 2TB disk before I make a purchase. I will still buy a 3TB disk first to make a copy of the original 2TB disk to the new 3TB disk as I will have to detach the 2TB drive to read the label. I am way too unlucky to just detach the 2TB disk before making a copy. If I did, the disk surely wouldn't work at all after that. :D

    I hope to meet a relative who knows something about computer security on the weekend. I don't expect too much from him but I hope to get a suggestion about what program to use to make that copy of the 2TB disk and if there are major risks I should be aware of. I have heard good things about Acronis True Image but I think the Winhex has the capability to copy every single 1 and 0 from the disk to a file, too. Do you have a program suggestion for the copying of the 2TB disk?

    BTW, only now did I realize Testcrypt has a dedicated forum! I will definitely go there and look for any info I can get.
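
An added example, not written by anyone in this thread: a read-only, byte-for-byte copy of a source into an image file with a SHA-256 recorded for later re-checking, which is the kind of copy the questions about Winhex and Acronis are asking for. It copies the encrypted sectors as they are, so the encryption plays no part in the copy itself. It assumes the source can be opened as a file whose size is found by seeking to its end (on Linux, a block device path); the function names and the constructed sample "disk" are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size in bytes, a multiple of the 512-byte sector


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst byte for byte; return (sha256 hex, bad offsets).

    A chunk that cannot be read is written as zeros so that every later
    byte keeps its original offset in the image.
    """
    digest, bad = hashlib.sha256(), []
    # The source is opened read-only; nothing is written to the original.
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        size = src.seek(0, os.SEEK_END)
        offset = 0
        while offset < size:
            want = min(chunk, size - offset)
            try:
                src.seek(offset)
                data = src.read(want)
            except OSError:
                data = None
            if not data:  # read error or unexpected end of device
                bad.append(offset)
                data = b"\x00" * want
            dst.write(data)
            digest.update(data)
            offset += len(data)
    return digest.hexdigest(), bad


def sha256_file(path, chunk=CHUNK):
    """Hash a finished image so it can be re-checked before each experiment."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for the disk: 3 MiB + 512 bytes of random data.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "disk.bin"), os.path.join(tmp, "disk.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 512))
        digest, bad = image_device(src, dst)
        print(digest == sha256_file(dst), os.path.getsize(dst), bad)
```

Any offsets returned in the second value mark regions that were zero-filled in the image rather than read from the source.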
     