My data's So Private I can't get to it

Discussion in 'privacy technology' started by Philchenevert, Aug 30, 2008.

Thread Status:
Not open for further replies.
  1. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    I have a TrueCrypt encrypted 40GB external drive that has bad headers or footers or something caused by Windows trying to initialize it. (thanks to this site for explaining this to me)
    The internal fix programs say they restore it but when I mount the volume, the only message is "Do you Want to Format this drive?" There is no option for "no, I just want to see my data please please please?" tsk.

    The whole drive is encrypted so there seems no way to access my data even though I have my password.

    I am looking for suggestions from you good people on Data Retrieval programs or methods before I am forced to accept the fact that everything is gone forever. If this is the wrong forum I apologize. o_O
     
  2. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Hmmm not sure what you have in that container but maybe trying it on another computer, or getting someone to try it for you would be the best option for now, maybe it's just a bug in your PC.
     
  3. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    I didn't explain very well. The Hard Drive worked fine as a TrueCrypt encrypted drive on my PC running XP SP2, but when I tried to open it from my laptop (also running XP SP2), the laptop somehow corrupted the header and would not open it.

    When I then moved it back to the original PC, the one on which it was encrypted and had been working for over a month, the same problem is there. It would not mount, saying the header was damaged and to run the restore program. I did this and it mounts but the volume can't be opened; windows explorer sees it as an unformulated drive.

    I've created trial TrueCrypt volumes to see if the program has a problem and they all work fine.

    I was going to try it on another computer as you suggested this afternoon but the hurricane shut down our computer club. rats.

    Many thanks for your suggestion. When Gustav blows over I'll head to the club and see if someone else can get at the data.
     
  4. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Always encrypt your personal data using anything, e.g. TrueCrypt container, WinRAR, PGP etc. And then back that data up onto external HDD or DVD.

    In this way, if anything happens that forces a new install of Windows, you still have your personal data encrypted and backed up.

    And who told you that Gustav will simply "blow over"? It is going to cause devastation.
     
    Last edited: Aug 31, 2008
  5. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    Regarding Gustav, I know well how much devastation these things cause. I've been through many in my life and was sitting here waiting for it to hit when I wrote that. Just trying to make a rather lame joke about it. In fact we have been without electricity and phones for a week until just a minute ago. :(

    About the backup advice, you are of course absolutely right and now I know (sadly) what I SHOULD have done. <sigh>.

    I still am looking for a way to get that data out of the external HD but at least it is not going anywhere.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It sounds as though you can mount the drive, which is a really good start, but unfortunately the drive itself no longer contains a valid filesystem. In this case the best thing to do is to mount the drive and then run some type of data-recovery software on it. Many TrueCrypt users have had good results with runtime.org's GetDataBack, and I think they offer a demo version.
     
  7. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    Thank you Dantz, that does indeed sound like the way I will have to go. Your note that 'many TrueCrypt users have had good results' seems to indicate that this is not an isolated incident and I don't feel so stupid about somehow screwing things up. If those good folks at runtime.org can get my data back I will gladly pay them!

    BTW, the 2 small test volumes I created to test TrueCrypt on my PC hard drive seem to now be having the exact same problem so maybe I should uninstall TrueCrypt and reinstall? Thank you again. Phil



     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    This is exactly why I use the TrueCrypt travelers mode and only mount an encrypted file. Mine is 4GB and contains all my personal emails, portableapps thunderbird, portableapps firefox, portable aMSN etc.

    So all my personal emails, bookmarks, documents, photos, internet activity etc is all stored in my 4GB TC file. The rest of my Vista doesn't store or contain any personal data.

    I found this method is safest and best as then I avoid any potential problems like you have now.
     
  9. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    Follow up note:

    GetDataBack could not see the file system either and came up blank. It scanned just fine but at the end could not help. The tech help said that's the way it goes sometimes because the encryption is doing its job. Easy Recovery Professional, another recovery software, also came up blank. It could not even SEE the drive mounted or unmounted! geeezzz

    Since the TrueCrypt forum is back up (yeah) I found another user who had the same problem. He is a true expert and used lots of tools like WinHex and DiskExplorer for NTFS and RoadKill Sector Editor to poke through his 'lost' HD and found that when restoring a header it puts it at block 0, which TrueCrypt can read, unencrypt and mount, but when it gets to block 63, the real data, the decryption stops and it stays RAW.

    He switched to the root directory and was able to go in with DiskExplorer and save the files he wanted somewhere else. I presume TrueCrypt could then mount and decrypt them. I am not that smart and so sit here with my little drive still locked tight. Just thought you other encryption fans would like to know about this. o_O sigh.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I've been away for a week, and now that I'm back I see that you're still having trouble recovering data from your TrueCrypt volume. I recommend mounting the volume and then viewing its contents with a good hex editor such as WinHex. I believe that a free trial version is available.

    I'm surprised that you've had such poor luck with other data-recovery software. Did you mistakenly format your volume at some point? That would do it. Otherwise you should definitely be able to recover something, although this varies hugely based on how much damage has occurred, the type of filesystem in use, how fragmented your data was, etc.

    We need more details: Apparently you encrypted an entire drive. What filesystem did you specify when you created the volume (NTFS or FAT); what version of TrueCrypt was used; what version are you using now; did you save a backup header; can you mount the volume normally without seeing the "incorrect password or not a TrueCrypt volume" prompt? (The damaged filesystem is a separate issue, but first you must at least be able to mount the volume and assign it a drive letter.)
     
  11. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    :) Hey, thanks for being interested.

    More info: entire 40GB drive encrypted using NTFS, TrueCrypt 6.0.
    I did not save a backup header but I can still mount the volume on the 4th or 5th try but cannot open it to see what's there.

    The GOOD NEWS (I think) is that using EasyRecoveryProfessional I was able to extract RAW data to my main drive while the volume was NOT mounted. I now have four folders labeled DIRO.GZI; DIR1.JPG; DIR2.ARJ and DIR3.TOC. Each of these has from 3 to 7 folders inside of them and apparently all are zipped in some way. The JPG I recognize, and is a good sign since JPG pictures were on the drive, the rest I don't.

    I presume that these files are still encrypted so should I make a new TrueCrypt volume, put these folders inside it and see if it decrypts?
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It's impossible to recover files or folders from an unmounted encrypted volume. All you can do with an unmounted volume is back it up in its entirety. This is normally done using an imaging program. I'm not aware of the capabilities of EasyRecoveryProfessional, but there's no way it will be able to see any of your encrypted files, so I doubt very much if the jpg folder contains any of your actual jpg files.

    Your last paragraph shows that you don't understand how TrueCrypt works. I don't have time to respond to that right now, as I have to get going, but will get back to you later.

    I just want to reemphasize that all data recovery operations need to take place on a mounted volume. Even if your drive is failing, you should mount the volume first and then run your data recovery software on the volume's assigned drive letter.
     
  13. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    The interesting thing is that the data recovery software (both EasyRecovery from OnTrack Data Recovery and GetDataBack from Runtime Software) cannot see the mounted drive. They scan my system and see every other drive but not that one....when it is mounted. I admit that while scanning, they both stop to report "Windows - Drive Not Ready. exception processing message" and I must manually tell it to continue.

    Unmounted, when Windows Explorer cannot see it as existing at all, EasyRecovery spotted it, scanned it and pulled out 20+ gigs of stuff from it in the RAW format I mentioned earlier. It's probably just junk as you said but it is still frustrating. Why can't they see the mounted volume? o_O

    I notice that when my unmounted drive is attached via USB as is usual, Windows Explorer sees it as Local Disk G, with zero capacity.

    When I can find a program that will see the mounted drive, I will proceed as you have recommended. Thanks again. BTW, I'm an old retired guy so I don't have to report to work like you good people. But then again I don't get any money so ........ HA
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    If this were my drive and it contained important data, the first thing I would do would be to image the entire drive and save the image file onto another drive. Be aware that since your drive is fully encrypted, the imaging software will be unable to compress your data or skip nonessential files, so the image file will be the same size as your source drive. Thus, if your encrypted hard drive is 40GB, your image file will also be 40GB.

    If you can't image the drive, you should at least back up your volume header before proceeding any further. If you do anything that damages your header you'll be totally sunk without a backup.

    You might also want to consider installing the drive internally, as the USB interface could very well be interfering with your data recovery software.

    That said, I suggest you try using a hex editor on the mounted volume. WinHex can perform data recovery operations and it should be able to freely browse the volume, even if the filesystem is damaged. You may or may not recognize what you're seeing, but as long as the drive is mounted WinHex should be able to find some of your data. How much depends on how damaged your filesystem is and whether or not the drive hardware itself is malfunctioning.
     
  15. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    My last comment and I'll stop bothering you:

     
  16. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Did you mount the volume first? If so, your unencrypted data has now become accessible and there's nothing to decrypt. You still may not be able to read your data, but that's most likely because your filesystem is damaged, not because your data is still encrypted. If it looks like gibberish, that's probably due to the way data is stored on your hard drive. This is where your data recovery programs and/or hex editors come into play.

    One way to confirm that you are indeed looking at unencrypted data is to scan through it with a hex editor and look for areas that contain patterns or recognizable text such as words or fragments of words, long strings of zeros, large empty areas, repeating characters or blocks of characters, etc. A fully encrypted drive will not look like that - it will be completely filled with random, unpredictable data from start to finish.
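
The check dantz describes in the post above, as an added example (not code from the thread or from TrueCrypt): it walks a volume or image in fixed windows and labels each one as zeros, text, structured or random. The function names, the 32 KiB window and the 0.85 / 7.5 thresholds are assumptions chosen for illustration, and both samples are constructed.

```python
import hashlib
import io
import math
from collections import Counter

CHUNK = 32 * 1024  # window size; tiny windows cannot reach ~8 bits/byte

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 looks random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify(buf: bytes) -> str:
    if buf.count(0) == len(buf):
        return "zeros"                      # long run of zeros / empty area
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in buf)
    if printable / len(buf) > 0.85:
        return "text"                       # words or fragments of words
    if entropy(buf) < 7.5:
        return "structured"                 # repeating blocks, tables, records
    return "random"                         # ciphertext or compressed data

def survey(stream, chunk=CHUNK):
    """Return (Counter of chunk kinds, (offset, kind) of first non-random chunk)."""
    counts, first, offset = Counter(), None, 0
    while True:
        buf = stream.read(chunk)
        if len(buf) < chunk:                # skip short tail: too small to judge
            break
        kind = classify(buf)
        counts[kind] += 1
        if first is None and kind != "random":
            first = (offset, kind)
        offset += chunk
    return counts, first

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                    for i in range(n // 32))

# Constructed samples, not data from the thread.
STILL_ENCRYPTED = pseudo_random(8 * CHUNK)
DECRYPTED_VIEW = (pseudo_random(CHUNK)                              # e.g. a JPEG body
                  + bytes(CHUNK)                                    # unused area
                  + (b"error: disk not ready\r\n" * 2000)[:CHUNK]   # log text
                  + pseudo_random(CHUNK))

if __name__ == "__main__":
    for name, data in (("still encrypted", STILL_ENCRYPTED),
                       ("decrypted view", DECRYPTED_VIEW)):
        counts, first = survey(io.BytesIO(data))
        print(name, dict(counts), "first non-random chunk:", first)
```

Compressed files such as JPEGs also score as "random", so random windows alone prove nothing; what separates the two cases is whether any zero, text or structured windows turn up at all. `survey` accepts any binary stream, for example an image file opened with `open(path, "rb")`.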
     
  17. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    Dear DAnz;

    The volume was indeed mounted as drive U, but the data is not accessible. The Hex file shows complete gibberish from start to finish so it is still encrypted. I know this is not supposed to happen but there it is.

    Interesting side Note: When I Auto-Mounted the Device as usual earlier this afternoon, it came up showing that TWO drives were mounted: Drive G and Drive U both with the same parameters of 37.3GB. They both show on my Explorer and both can be explored with WinHex but of course neither will open.

    The hex file of drive G has a blank first 24 sectors (just dots) but the rest is still encrypted while the hex file for drive U is entirely gibberish.

    <sigh>
     
  18. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You have an external drive that's fully encrypted, right? I'm not sure how you've set up automount, so just manually mount the volume to a single drive letter, then use your data recovery software on that drive letter.

    You mentioned earlier that some of your data recovery software couldn't see your mounted volume. If that's still a problem, and if your external drive can be removed from its case and installed internally, then I suggest you try doing that, as some data-recovery software (including GetDataBack) will work better if it doesn't have to go through a USB interface.

    Also, carefully browse the mounted volume using WinHex. Select Tools / Open Disk / Logical Drive Letters, and then select the drive letter you mounted the volume to. To make browsing through the text easier, choose View / Text Display Only. Also, try searching for text by choosing Search / Text Passages. You can also choose Search / Find Text and type in a simple text string that ought to exist somewhere on your drive, for example "error" or "the " or "log".

    Is WinHex seeing any filesystem at all? Are there any file or folder names? Are you finding any text at all? You mentioned it was all gibberish and thus you thought it was still encrypted, but normal, unencrypted data can often look like gibberish to the untrained eye. Perhaps you didn't scroll down far enough or slowly enough. 37GB is quite a lot to scroll through.

    Another possibility is that when you originally set things up you created an encrypted partition within the encrypted drive, or something like that.

    If you're not finding anything that can be recovered, I have to wonder what has happened to your filesystem. Is your hard drive failing? Maybe you should run the manufacturer's diagnostics on the drive to see if you have any bad clusters or other errors.
     
  19. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    The drive is encrypted from after the MBR to the finish; no hex editor or data recovery software is going to help you. You needed to have made a TrueCrypt restore disk at the time, or mount it or repair the header (which is stored at the end of the drive) within TrueCrypt, for which you still need the password. Take a RAW image of the drive and store it on a fresh drive and send it off.

    A lesson is to manually back up the first track (0-62 sectors) as an extra precaution.
     
    Last edited: Oct 17, 2008
  20. Philchenevert

    Philchenevert Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    17
    Location:
    Baton Rouge,Louisiana
    Thanks Markymu and Dantz and everyone. I have decided that it is impossible to get the data back. I now know to backup my header etc. etc. etc. :rolleyes:

    be cool.
     