I Stuffed up my TrueCrypt Volume...Quick Format

Discussion in 'encryption problems' started by Rhad, Jul 28, 2014.

Thread Status:
Not open for further replies.
  1. Rhad

    Rhad Registered Member

    Jul 22, 2014
    :confused:I’m at my wits end trying to retrieve files from my hidden volume after I accidentally formatted the drive that had my TrueCrypt outer/hidden volume on it.
    I’ve been reading and sweating for the last month after I accidentally quick formatted my external Hard Drive with a TrueCrypt partition on it. The HDD is 1TB and the TrueCrypt partition is/was 931GB. The partition had a hidden volume in it which I used, in fact I didn’t even use the outer container (and have forgotten the password for it).
    I don’t have a volume header backup.
    I'm using Windows 7.
    I cann't remember what I formatted the partition or Drive as (i'm guessing NTFS).
    I know the key files and password for the hidden container, but not the outer container. I’m assuming knowing the key files and password for the hidden container will work the same as using it for the outer container in the test file below?
    Before I did anything I cloned the Disk to another drive (sector by sector). This clone has remained intact.
    I have tried various methods of recovery (obviously with no successes) on the original drive,
    Tried Delete volume then re partition without formatting.
    Tried various data recovery tools (being encrypted this didn’t work)
    Tried to copy the entire partition 931Gb and saving it as a TrueCrypt file (still couldn’t open hidden volume even using the back up header embedded in volume), not sure if I did get the whole partition. Fairly sure about the start, not too sure about the end.:oops:
    I used the below instructions (From Dantz https://www.wilderssecurity.com/threads/accidentally-deleted-truecrypt-partition.357892/, seems to be a magician) to find the start of the encrypted partition. Then continued to help create a test file to see if the headers were intact.

    5. Grab the WinHex scroll bar and drag it down about 5% to 10% of the distance to the bottom. Don't go too far or the backwards search will take too long. Look at the displayed data and make sure you can't recognize and words or patterns in either the hex or the text. If you do see words or patterns or zeroes then we're not inside the lost file, in which case you can try dragging the scroll bar a little lower and trying again. Once you seem to be in random data, go to the next step.

    6. Search: Find Hex Values

    7. Type "0000000000" (ten zeroes, without the quotes) into the search box

    8. In the "Search" box, change the direction of the search to "Up".

    9. Click OK and let it run.

    I hope that this will place your cursor in the vicinity of the beginning of your lost file, in which case we can test it to see if the header is intact. Something that looks kind of like this would be an ideal outcome:

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    9F 4D BD FE F4 42 1B CF 96 80 74 E6 3B F5 1A ED
    D5 52 01 BE FF 86 76 A3 71 F9 1B 7B EA 15 AB 36

    PART I:
    1. Tools: Disk Tools: Clone Disk

    2. Set Source = Drive J
    (if necessary, click the first of the two buttons and select the desired partition if it's not already listed)

    3. Set Destination = [target partition drive letter]\CC840000 10MB test.tc
    (Click the second, "filename" button to set up the pathname. Feel free to choose a different pathname if you like. It's just a small test file.)

    4. Uncheck the "Copy entire medium" box

    5. Set "Start sector (source)" = 164,643

    6. Set "Number of sectors to copy" = 20,480 (this should result in a 10MB test file)

    This successfully created a test file for the encrypted Headers however, I couldn’t open this file with trueCrypt using the hidden volume password and Key Files, got the message:
    “Incorrect Keyfile(s) and/or password or not a TrueCrypt volume”
    I guess this means the Header is not intact or corrupted in some way?

    I've just tried TestCrypt with no luck as well :'(
    My question is:
    If the Headers at the start of the encrypted partition are corrupted (as mine seem to be) can I use the backup header embedded in volume (at the end of the encrypted partition)?
    And how do I do this?
    I have read heaps of different opinions and the only place that seems to have any success is here (especially with Dantz), any help or suggestions would be greatly appreciated.
  2. FriendlyNeighbor

    FriendlyNeighbor Registered Member

    Aug 12, 2014
    This seems like it may be too simple of a suggestion, but have you used the option "restore backup headers" and selected restore in the hidden disk?
  3. Rhad

    Rhad Registered Member

    Jul 22, 2014
    Yep, Tried this with no luck:'(
Thread Status:
Not open for further replies.