New Win7 to clean SSD install damaged 2nd encrypted HDD

Discussion in 'encryption problems' started by gt7599a, Feb 13, 2014.

Thread Status:
Not open for further replies.
  1. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    Hi, my name's Ed & like a number of other visitors, I didn't take my 2nd fully TrueCrypt encrypted HDD out when I did a new Win7 install.

    The encrypted D: drive was originally the boot drive that came with the computer but I did a clean Win7 install onto my first SSD and then reformatted D drive and encrypted it. Yesterday I did a clean install onto a 2nd, larger SSD. The other times I've reinstalled I cautiously didn't have my 2nd drive in. This time I got lazy & have paid for it.

    Before finding this forum I tried restoring the header from the end of the encrypted partition and now I can mount the volume but Windows doesn't think it's partitioned and is offering to format it, I've said no.

    I also tried using TestDisk
    Among other things it said
    I can post the full log if it'd be helpful


    Based on some of Dantz's helpful posts I've found or done the following.

    TC Volume Properties: Size in bytes 750153105408 bytes

    WinHex Volume Info:
    Total Capacity: 750156374016 bytes
    Bytes per sector: 512
    At 1,048,576 decimal there is a transition from a long string of 00 to other data

    WinHex lists two Partitions,
    start sector <blank> 1.0MB
    Partition 1 NTFS 669 GB
    Partition 2 ? 76.0 GB
    unpartitionable space <blank> 1.9 MB


    A large block of zeros ends at offset
    1826049520

    I successfully created a 200kB .tc file from offset 1048576 and was able to mount it but not access any data (and it thought it was 699GB big).

    There is some plain text information I found near the beginning that appears to be Exif or ebook data as well as a playlist in the middle. I've found little readable data elsewhere but the d:/ drive was about 95% full and most of it was compressed files (videos, jpg, camera raw images).

    I tried using the demo version of GetDataBack Simple but it couldn't see the mounted D:\ only the physical disks.

    I've followed parts 1 - 4 in this post as they related to my situation and can confirm that my mounted volume has real data (iTunes playlist info & some Exif data) and have backed up my D: drive's header data.

    I've purchased WinHex & will attempt to backup the whole volume to a different drive.


    It seems like my next two steps are
    1. Back up drive.
    2. Follow the directions here

    Please let me know what more info I can provide or if there are better /safer steps to follow.

    Much thanks to you who give up time from family, friends or sleep or other valuable things to help out folks here.

    Thanks
    Ed
     
  2. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    Next Steps?

    I've completed a bit-wise backup using WinHex to an external hard drive but I don't have a spare drive that I can wipe & image it to, to try some of the methods suggested in other posts.

    The bit-wise backup opens with TrueCrypt but, like the original, does not appear to be a readable filesystem. But there are recoverable files on it. The files I'm most concerned about are camera raw files & a large TC container file, neither of which are supported by PhotoRec.

    Are there steps I can take to repair the MFT to be able to access the files directly, or can someone recommend some file recovery software that can also recover directory structure & file names? (assuming that's even possible in a case like this.)

    Thanks so much
    Ed
     
  3. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Well, since you already have WinHex ...
    Mount the volume, ignore windows attempts to 'help' you, and copy out whatever files winhex sees -
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    The best data recovery programs that I have used are:
    paid
    Ontrack Easy Recovery
    Active@ Data Studio; especially "active partition recovery" is superb for scanning/recovering damaged or overwritten ntfs file tables.
    free
    Recuva

    Panagiotis
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    992
    Location:
    Hawaii
    Sorry I haven't been able to contribute yet. Too busy. Hopefully I'll get to you soon.
     
  6. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    dantz, thank you for your time when you have it.

    Ed
     
  7. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    I'm trying Active Partition Recovery on the mounted partition. We'll see how that goes.

    Ed
     
  8. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    I mounted the encrypted partition and then ran Active Partition Recovery "Super Scan" of the mounted drive, checking only the NTFS check box since I know it was an NTFS drive. After 24 hours it is complete.

    It has listed a lot of bad sectors but did not find $MFT or $MftMirr.

    Any suggestions for next steps?

    Ed
     
  9. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    Active Partition Recovery - no good

    Used Create/Fix Partitioning

    * Confirmed clearing the partition table (deleting all volumes) on the disk: Virtual Fixed Disk 0
    * Confirmed fixing MBR (replacing with a typical one) for the disk: Virtual Fixed Disk 0
    * Successfully fixed MBR (replaced with a typical one) on the disk: Virtual Fixed Disk 0
    * Failed to convert Partition Style on the disk Virtual Fixed Disk 0. Device is not initialized
    * Successfully completed backup Partition Changes for the disk Virtual Fixed Disk 0 to the file [X:\Virtual Fixed Disk 0 Partition Changes 2014-02-19.ROLLBACK]
    * Successfully updated disk: Virtual Fixed Disk 0

    Still can't read anything off the device. :mad:

    Ed
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    992
    Location:
    Hawaii
    Hi Ed,
    Since you now have a mountable volume (which contains a broken file system), and since you are actively using data-recovery tools to try to recover your files, you have already gone beyond most of the volume-recovery advice that I offer in these forums. However, I can suggest a couple of things:

    1. Since your volume's file system is broken and apparently can't be recovered, you should focus on using the various types of file-carving software such as PhotoRec and others like it (sorry, I can't think of the names right now, but I will post them when I do).

    2. Your (currently lost) large TC container file which is stored within the volume might be fully recoverable, but there is no off-the-shelf software that can find it, since it presents no file signatures whatsoever (and this behavior is by design). The lost file will have to be located manually, and it can get damn tricky sometimes. Have you been using WinHex to look for it? You need to find a large (and hopefully contiguous) block of random data, and then find its starting point and test that location for the presence of the TrueCrypt header. Here are some tips on doing this:

    Actually, the first thing you need to do is recognize what encrypted/random data actually looks like, as a lot of people are fooled into thinking that unintelligible data = random data, which is not necessarily the case. In WinHex, I find the "Analyze Block" tool to be very helpful in determining whether or not the block of data that I am looking at is actually random, or if it just looks that way to the naked eye. (Actually, the tool merely tests for byte distributions, but this is adequate for our needs, as one of the hallmarks of random data is its fairly even byte distributions, especially if you are examining a large enough block.) I usually select blocks of at least 10KB, and 20KB or larger is even better, and I take "samples" at various locations until I have determined that my cursor is currently located within a very large block of random data, then I search backwards for its starting point.

    One way to do this is to use the "Search: Find Hex Values" tool to search backwards for a block of 10 zeros "0000000000", which is the equivalent of "00 00 00 00 00" in the hex display. Once you hit the zeros you will know that you have just left the block of random data, so you can then attempt to "fine tune" your way back into it so you can hopefully locate the very beginning of the encrypted block of data. Sometimes it's obvious, and sometimes it's not, based on whether or not the beginning of the lost TrueCrypt file happens to be adjacent to other random (or random-looking) data on the disk. Sometimes the task even appears to be impossible, but in that case there is always the option of going to a programmed solution that walks the disk searching (and testing) for the lost volume's header.
    -dantz
     
    Last edited: Feb 20, 2014
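
The sampling and backward search described in the post above, as an added example that is not part of the original post and is not WinHex's "Analyze Block" logic. It generalizes the search for a run of zeros: it walks back sector by sector until the byte distribution stops looking random, which also covers a block preceded by non-zero data. Assumptions made here: Shannon entropy as the byte-distribution test, the 7.9 and 7.0 thresholds, all function names, and the constructed in-memory image.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512            # bytes per sector, as WinHex reported in this thread
SAMPLE = 20 * 1024      # sample size; the post suggests 10-20 KB or more

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte, computed from the byte distribution."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def sample_is_random(img, offset: int, threshold: float = 7.9) -> bool:
    """Test a SAMPLE-sized block; even byte distributions score close to 8.0."""
    img.seek(offset)
    block = img.read(SAMPLE)
    return len(block) == SAMPLE and entropy(block) >= threshold

def find_block_start(img, inside: int, sector_threshold: float = 7.0) -> int:
    """Walk backwards one sector at a time from an offset known to be inside
    random data; return the offset of the first sector of that block."""
    pos = inside - inside % SECTOR
    while pos >= SECTOR:
        img.seek(pos - SECTOR)
        # A single 512-byte sector cannot reach 8.0, hence the lower threshold.
        if entropy(img.read(SECTOR)) < sector_threshold:
            break
        pos -= SECTOR
    return pos

def build_demo_image() -> io.BytesIO:
    """Constructed sample: zeros, playlist-like text, a pseudo-random block, zeros."""
    text = (b"#EXTM3U\r\nTrack 01.mp3\r\n" * 200)[: 8 * SECTOR]
    rnd = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(6400))
    return io.BytesIO(bytes(64 * SECTOR) + text + rnd + bytes(16 * SECTOR))

if __name__ == "__main__":
    img = build_demo_image()
    probe = 150_000  # constructed offset inside the pseudo-random block
    if sample_is_random(img, probe):
        print("random block starts at offset", find_block_start(img, probe))
```

Compressed files (JPEG, video) also score high on this test, so the returned offset is only a candidate start that still has to be tested for a TrueCrypt header. On a real image, pass a file opened with `open(path, "rb")` instead of the in-memory demo.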
  11. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    Thanks so much, Dantz, for the time for me & the others you've helped. This gives me some tracks to run on.

    I had not started using WinHex since I didn't know what I was trying to do with it.

    Dantz or anyone else:
    If I use TrueCrypt to mount the copy of the drive, then use WinHex to copy that onto a brand new drive, and then use some of these partition recovery tools on this now-unencrypted data, would that make a difference or not?

    Ed
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    992
    Location:
    Hawaii
    If your volume can already be mounted successfully to a drive letter, and if the recovery tools that you want to use on it can already access the mounted volume without problems, and if you are seeing familiar file names / folder names in the output of the various data-recovery programs that you've tried thus far, then I see no advantage in creating a plaintext copy of the volume elsewhere.

    However, if it becomes necessary to do this because certain programs that you need to use won't function properly in TrueCrypt's virtual environment then for cloning purposes you can consider the entire mounted volume to be a partition. It's been awhile since I did this, but I think these are the steps I used:

    Create an empty, quick-formatted partition of the correct size and of the same type (i.e. NTFS, FAT32, etc.) on a separate disk. The purpose is to set up the partition table correctly so it will support the volume that you're about to create there.

    Mount the TC volume

    Use WinHex to copy the entire contents of the mounted volume into the new partition. (This will of course overwrite the existing quick-formatted contents of the newly-created partition, but we don't care about that). I would probably use WinHex's "Clone Disk" command for this, but certain other cloning programs might be able to do it as well. (However, be aware that not all cloning programs can use a mounted TrueCrypt volume as their source.)

    However, I'm not positive that the above steps are entirely complete. I'd have to play around with it for awhile to see whether or not I left out any crucial details, and also to determine which method works the best. But unfortunately for you there's no way I'm going to get to it anytime soon, as I am swamped with projects at the moment.

    If you want to try this then I would strongly suggest doing a small-scale practice run first, just to make sure that everything behaves as expected.
     
  13. gt7599a

    gt7599a Registered Member

    Joined:
    Feb 13, 2014
    Posts:
    8
    If I have an older copy of my TrueCrypt container, is it possible to get some identifying signature from that file to help me find it in my messed up D:? If so, how?

    Thanks
    Ed
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    992
    Location:
    Hawaii
    By "it" I assume you mean the lost TrueCrypt container file that exists somewhere within your broken volume? Yes, if you have a backup copy of that file (even if its contents have changed) then you can certainly use that. Just locate the file in your current backup, open it (the unmounted container file, that is) in WinHex, copy the first 8 bytes or so and paste them into a search string to find those same 8 bytes in the broken volume that you're trying to recover.

    (Select the desired bytes, press "Ctrl+Shift+C" to copy them as hex, then click on "Search: Find Hex Values", paste the values into the search box, then search Down.)

    The above assumes that your backup copy is an actual copy of the original file, and it was not created independently by TrueCrypt.
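
The same search done outside WinHex, as an added example that is not part of the original post: it takes the first 8 bytes of the backup container and scans the volume for them in chunks, keeping only hits on a sector boundary, since a large file's data starts on a cluster (hence sector) boundary. The function names, the 1 MiB chunk size and the constructed stand-in "backup" and "volume" are assumptions made here.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector, as WinHex reported for this disk

def read_signature(backup, length: int = 8) -> bytes:
    """Return the first `length` bytes of the unmounted backup container."""
    backup.seek(0)
    sig = backup.read(length)
    if len(sig) < length:
        raise ValueError("backup is shorter than the requested signature")
    return sig

def find_signature(volume, sig: bytes, align: int = SECTOR, chunk_size: int = 1 << 20):
    """Return offsets in `volume` where `sig` occurs on an `align`-byte boundary.
    Unaligned hits are treated as chance matches and dropped."""
    hits, base, tail = [], 0, b""
    volume.seek(0)
    while chunk := volume.read(chunk_size):
        buf = tail + chunk                  # carry bytes over so a match that
        start = base - len(tail)            # straddles two reads is not missed
        i = buf.find(sig)
        while i != -1:
            if (start + i) % align == 0:
                hits.append(start + i)
            i = buf.find(sig, i + 1)
        keep = len(sig) - 1
        tail = buf[-keep:] if keep else b""
        base += len(chunk)
    return hits

def build_demo():
    """Constructed sample: a 2 KiB stand-in 'container' and a volume holding it."""
    container = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    decoy = (b"x" * 100 + container[:8]).ljust(SECTOR, b"x")  # unaligned chance hit
    volume = bytes(40 * SECTOR) + decoy + container + bytes(8 * SECTOR)
    return io.BytesIO(container), io.BytesIO(volume)

if __name__ == "__main__":
    backup, volume = build_demo()
    for off in find_signature(volume, read_signature(backup)):
        print(f"candidate container start at offset {off} (sector {off // SECTOR})")
```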
     