Need Help - Truecrypt Raid6 Lost Partition

Discussion in 'encryption problems' started by ManOki, Sep 1, 2013.

Thread Status:
Not open for further replies.
  1. ManOki

    ManOki Registered Member

    Joined:
    Sep 1, 2013
    Posts:
    2
    Hi,

    I have an LSI Megaraid Controller with 8*2TB Drives and configured a Raid6 with almost 11TB. On the virtual drive is a single partition, created with Windows 7 and GPT. I used Truecrypt 7 and formatted/encrypted the complete partition.

    Some days ago, the first drive crashed and after I changed it for a new one and completed the rebuild of the raid, Windows couldn't find the partition with the Truecrypt filesystem anymore. I already read some threads in this forum and downloaded WinHex.

    Random data on my drive starts at an offset of 119996416 bytes and ends at 11999064227808 bytes. I've also created some screenshots.

    http://i.imgur.com/ljV5Yx1.png
    http://i.imgur.com/QWziUgQ.png
    http://i.imgur.com/uu4ha8q.png
    http://i.imgur.com/gp1x08y.png

    Now I need some help to recreate/recover the partition table and access the data of the Truecrypt filesystem. At the moment I'm not able to copy all data to a second place and I hope it won't be necessary.

    Thanks to everybody & please help me :)

    ManOki
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It should be possible to use Diskpart or Diskpar to recreate the lost partition, but I'm not expert enough to guide you safely through that process.

    I'd start by using WinHex to copy a block of data that begins at offset 119996416, including another 5MB (approximately) of data and saving it as a file.

    You can see the exact WinHex procedure and menu commands in various other threads that I've contributed to here, but it's basically "Edit: Copy Block: Into New File". But use your own offsets, of course, not what I've written for other users.

    Then try to mount the test file using TrueCrypt. The point is to see if you've located the actual header (which is always stored at the very beginning of the volume) and whether or not it is intact. If your password is accepted then the header is intact. Then you can dismount the test volume and breathe your first sigh of relief. At this point I'd suggest making a (file-based) header backup using the test file as the source, as it will most likely come in handy later.

    If you use Diskpart to recreate the partition then it will wipe the existing TrueCrypt header, so you will need to restore it using the header backup.

    The Diskpart commands are not that difficult, but I'm not confident that I could get it exactly right on the first attempt, especially for a GUID partition on a RAID 6 setup, which I am completely unfamiliar with. The risk is intensified by the fact that you don't seem to have a backup.

    I think your best approach, once you verify that the TrueCrypt header is intact and thus you've found the beginning of the partition, will be to acquire another disk and then copy your data over, saving it as a file (if done properly it will be a functioning TrueCrypt container file), then mounting the volume and copying your data onto another disk. So you're going to need a considerable amount of extra storage to do this safely.

    PS: If the previously mentioned TrueCrypt test file doesn't mount then you will first have to try to recover the embedded backup header from the opposite end of the volume, and then redefine the block of data that needs to be recovered by viewing TrueCrypt's volume properties of the mounted volume and noting its exact size in bytes. Let me know and I will try to walk you through that one. Sorry I can't be of more help.
     
  3. ManOki

    ManOki Registered Member

    Joined:
    Sep 1, 2013
    Posts:
    2
    Hello dantz,

    thanks for your response. I used WinHex to extract some data from that offset, but Truecrypt said "wrong password". I have also read some documentation about Truecrypt volumes, about the header backup at the end.

    http://www.truecrypt.org/docs/volume-format-specification

    Is it enough to extract and mount the 65536 bytes for the header to prove whether a header is intact? I have extracted both headers, the first and the last bytes of the "rubbish" data, and they are completely different. And sadly Truecrypt said both times "wrong password".

    You are right, I don't have a backup for all of my data. :(

    greets

    manoki
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Hold on, I think we need to start over. I notice from your first screenshot that there is already an existing partition in the default location. (Sorry, I should have realized this earlier). Is this partition in exactly the same location as your encrypted TrueCrypt partition? Is it, in fact, the same partition?

    When TrueCrypt encrypts a partition, it encrypts the entire partition from beginning to end. The volume header begins on the partition's first byte. If this was your TrueCrypt partition then the beginning (and the volume header) have obviously been overwritten. Or was your TrueCrypt partition located elsewhere?

    Anyway, it looks like your next step will be to try to locate the embedded backup header. I don't know if that block of random-looking data that ends so cleanly (in screenshot 4) is the end of your lost TC partition or not, but I guess it has to be tried.

    Apparently you've already done this? I'm not sure what approach you used, but here's how I would proceed:
    1. In WinHex, place your cursor on the last random value in the block ("5D", near the bottom of screenshot #4)
    2. Navigation
    3. Go To Offset
    4. New Position: 1FFFF bytes (hex)
    5. Relative to: Current position (back from)
    6. OK

    Hopefully you are now on the first byte of the embedded backup header. Then block select a block of approximately 20KB (5000 hex) or larger, save it as a file and test it using TrueCrypt.

    (Apparently you've already done this. Did your file start in the same place mine did? Which one of us got it right, I wonder?)

    A little practice never hurt. I suggest you create a very small file-hosted TrueCrypt volume to play around with, just to ensure that your technique is correct. See if you can successfully extract both headers using WinHex. (Just open the file in WinHex, not the entire disk.)

    Yes, as long as your test file exceeds the minimum volume size (which I think is a little under 20KB) then the header should be mountable, assuming that the header's first 512 bytes are intact and they are positioned at the very beginning of the test file. This is just to prove that you have located an intact header and have supplied the correct password, nothing more.

    Actually, all you really need to find is the first 512 bytes of the header, then you can add some padding (zeros, for example) out to about 20KB and create your test file that way. However, grabbing some or all of the remainder of the 64KB header also works, and it's a convenient way to do it, since it's already right there.

    The volume header and the embedded backup header should look completely different, that's normal. It's all part of TrueCrypt's attempt to make each TrueCrypt volume relatively unidentifiable.
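The two procedures in this thread (carve a candidate primary header at the start of the random-looking region, and carve a candidate backup header 0x20000 bytes before its end, then pad the candidate into a small test file that TrueCrypt will attempt to mount) can be scripted against a disk image instead of clicked through in WinHex. The script below is an added example, not code from either poster or from the TrueCrypt project. It assumes a sector size of 512 bytes, the 65536-byte header area and the backup-header location 131072 bytes before the end of the volume as given in the linked volume-format specification, and a constructed in-memory image (zeros, a block of pseudo-random bytes, filler text) standing in for the real RAID volume. The function names and the 6.5-bit entropy threshold are my own choices. Note that an entropy scan only finds where random-looking data begins and ends; it cannot tell a TrueCrypt header from any other encrypted or compressed data, so the mount attempt with the real password remains the only check that a carved header is intact.

```python
"""Locate the random-looking region of a disk image and carve TrueCrypt header
candidates from it (added example, not from the forum thread)."""
import io
import math
import random
from collections import Counter

SECTOR = 512
HEADER_SIZE = 65536               # one TrueCrypt header area (volume format spec)
BACKUP_AREA_FROM_END = 131072     # backup headers occupy the last 128 KiB of the volume
TEST_FILE_SIZE = 20 * 1024        # pad candidates to ~20 KB, above TrueCrypt's minimum volume size


def sector_entropy(block):
    """Shannon entropy in bits per byte; encrypted sectors score close to 8."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_region(fobj, threshold=6.5):
    """Return (start, end) byte offsets of the longest run of high-entropy sectors.

    Reads sector by sector so it works on a file object rather than a bytes blob;
    on a multi-terabyte volume you would sample at larger steps, but the user
    already has the offsets from WinHex, so this is only needed on small images.
    """
    fobj.seek(0, io.SEEK_END)
    size = fobj.tell()
    fobj.seek(0)
    best = (0, 0)
    run_start = None
    for off in range(0, size, SECTOR):
        high = sector_entropy(fobj.read(SECTOR)) >= threshold
        if high and run_start is None:
            run_start = off
        elif not high and run_start is not None:
            if off - run_start > best[1] - best[0]:
                best = (run_start, off)
            run_start = None
    if run_start is not None and size - run_start > best[1] - best[0]:
        best = (run_start, size)
    return best


def carve_header_candidates(fobj, start, end):
    """Primary candidate: 64 KiB at `start`. Backup candidate: 64 KiB starting
    128 KiB before `end`, i.e. the position reached by going 0x1FFFF bytes back
    from the last random byte, as described in the thread."""
    fobj.seek(start)
    primary = fobj.read(HEADER_SIZE)
    backup_off = end - BACKUP_AREA_FROM_END
    fobj.seek(backup_off)
    backup = fobj.read(HEADER_SIZE)
    return {"primary_offset": start, "primary": primary,
            "backup_offset": backup_off, "backup": backup}


def make_test_file(header_bytes, size=TEST_FILE_SIZE):
    """Pad a header candidate with zeros so TrueCrypt will try to mount it.
    Only the first 512 bytes need to be genuine for the password check."""
    return header_bytes.ljust(size, b"\0")


def build_sample_image():
    """Constructed sample: 64 zero sectors, 256 KiB of pseudo-random bytes standing
    in for the encrypted volume, then 32 sectors of low-entropy filler text."""
    rng = random.Random(2013)
    random_part = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    filler = (b"filler text ").ljust(SECTOR, b"\0") * 32
    return io.BytesIO(b"\0" * (64 * SECTOR) + random_part + filler)


def carve_sample():
    """Run the whole procedure on the constructed image and return the results."""
    img = build_sample_image()
    start, end = find_random_region(img)
    cands = carve_header_candidates(img, start, end)
    cands["primary_test_file"] = make_test_file(cands["primary"])
    cands["backup_test_file"] = make_test_file(cands["backup"])
    cands["region"] = (start, end)
    return cands


if __name__ == "__main__":
    result = carve_sample()
    print("random region:", result["region"])
    print("primary header candidate at", result["primary_offset"])
    print("backup header candidate at", result["backup_offset"])
```

On a real image you would open the device or image file in binary mode, pass the offsets WinHex showed you to `carve_header_candidates`, and write each `*_test_file` to disk before trying to mount it with TrueCrypt; the script never modifies the source, which matters when, as here, there is no backup.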
     