Ooops....how to access truecrypt drive recovered through GNU DD_Rescue?

Discussion in 'encryption problems' started by jimster99, Jun 28, 2014.

Thread Status:
Not open for further replies.
  1. jimster99, Registered Member (Joined: Jun 28, 2014; Posts: 8)

    - edit - please ignore this thread as I have posted too much irrelevant information. I am going to restart a new more concise thread (which will hopefully garner some responses). The new thread can be found here: https://www.wilderssecurity.com/thre...ypt-hidden-volume-on-external-3tb-hdd.365533/ Sorry and thanks! --end edit--

    Hello! First time post and I would be very grateful for some assistance from the wise people on this forum regarding my data recovery problem.

    My problems relate to a 3 TB truecrypt encrypted external USB hard drive which I stupidly knocked on the ground and which appears to be slightly damaged. It is used for data only (it is not a system drive and contains no OS).

    I believe when I set the drive up I formatted the entire drive using truecrypt. Whenever I have connected the drive to windows it has always asked me "would you like to format this drive?" so I assume this means it was formatted in "raw" mode. However it is also possible I might have simply encrypted the partition.

    All the data is in a "hidden" volume inside the outer volume.

    The drive does spin up and sounds OK (but takes a bit longer than before). I can still mount the hidden truecrypt volume in windows. I can also open the root folder of the mounted volume and then explore down into the subfolders, so the drive is somewhat functional, but Windows then hung when I did this. I didn't want to risk causing damage to the drive, so I did not explore further and planned to make a clone as soon as possible as I have a lot of family photos that are valuable to me.

    After much research I have booted into linux mint and am currently attempting to pull all the data off the drive using GNU DD_Rescue onto a new 3TB drive.

    Because it's a truecrypt drive, I mounted the hidden volume and then typed the command "lsblk" into the linux terminal. There are several levels showing for the damaged drive as follows: (i) dev/sdd (disk), (ii) dev/sdd1 (partition) and (iii) truecrypt-1 (dm-0).

    I was hoping to use dd_rescue to copy the unencrypted hidden volume from level (iii) onto the new drive, thereby ending up with unencrypted usable files. But this wouldn't work for some reason. When I tried, Ddrescue started and finished in a few seconds, giving me "1 error" with a filesize of "4096 bytes" and copying 0 files. I couldn't figure out what I was doing wrong.

    The command I was using (which didn't work) was: "sudo ddrescue media/mint/truecrypt1 media/mint/backupdrv/image.img /media/mint/cdrive/image/log"

    NB In the command above, the drives were as follows:
    * "Truecrypt1" is the hidden mounted truecrypt volume on the damaged 3TB truecrypt drive
    * "backupdrv" is the new back-up 3TB drive which I want to copy the recovered data onto
    * "cdrive" is the c drive on my computer (where I am saving the log file)


    My next attempt was to copy at level (ii), i.e. "dev/sdd1" (partition). This seemed to work (it is copying the drive now) and I am hoping to end with a mirror image file on a new blank 3TB drive.

    The command I used to do the copy is as follows: sudo ddrescue /dev/sdd1 /media/mint/backupdrv/image.img /media/mint/cdrive/image/log

    The drives referenced in this command are as follows:

    * "SDD1" is the only partition on the damaged 3TB truecrypt drive
    * "backupdrv" is the new back-up 3TB drive
    * "cdrive" is the c drive on my computer (where I am saving the log file)


    So far the copy is going at 6 megabytes/second and is 102 gigabytes done after about 6 hours, with 36 errors (2,250kb error file size). So I am hopeful that I will get almost all the data back. It will take a few days to complete but I guess this is normal when you're copying one 3tb drive to another using USB 2.0.

    Once the copy is done I plan to re-run ddrescue using the "-r" command to fill in any gaps (so far as possible). I will then back-up the back-up before attempting to recover the data.

    NB I also have a copy of the backed up truecrypt header file for the original damaged encrypted 3TB drive, which may be useful.

    So my questions are these:

    (i) am I going about this data recovery task in a sensible way? In particular, am I being sensible by copying the encrypted truecrypt partition in this manner? Or should I be trying to get ddrescue to copy the hidden volume directly?

    (ii) Will DDrescue copy all the necessary bits for Truecrypt to work properly and allow me to access the backup image file?

    (iii) once the damaged drive is (hopefully) backed up successfully, how do I get truecrypt to mount the backed up image and release my encrypted files? Will I need to "mount" or fiddle with the image file in some way before using it? Or can I simply open the image file in truecrypt, type in the password, and then happily continue using my files (after backing them up)?

    (iv) Will the backed up truecrypt header file be needed to access the file? Should I build some other kind of recovery disc?


    (v) I know I can pause and resume the ddrescue process. If I do this, is there any way I can test that I can access the files in the image file without destroying the data?

    (vi) Do you have any other advice for me?


    If you're still reading, thanks for sticking with me! And I really appreciate any help you can give me ;)

    PS And yes, I will keep better backups in future, and I won't use encryption any more (especially not truecrypt now it is discontinued). I'd rather other people could steal my data, than lose it completely...! :eek:
     
    Last edited: Jun 30, 2014
  2. jimster99, Registered Member (Joined: Jun 28, 2014; Posts: 8)

    Following on my post above, I have done further research and I am concerned that my approach will not replicate the master boot record of the original damaged drive. It seems that if I don't do this, Truecrypt won't allow me to access the image file and therefore I would be wasting my time (and risking the data on the drive).

    Therefore I am inclined to stop the copy (which is currently at 100 GB copied, 2,600 GB to go :() and then restart using a method which is more likely to work (once I figure out what that would be...). So any suggestions or ideas....please?
     
    Last edited: Jun 28, 2014
  3. jimster99, Registered Member (Joined: Jun 28, 2014; Posts: 8)

    Further update - I have decided to "go for broke". I paused the ddrescue image process (I can restart if necessary using the logfile), mounted the damaged truecrypt volume, and am now directly copying the folders from that volume straight into my back up drive, starting with the most critical data.

    Obviously this approach is risky (if there is drive damage this could exacerbate it) and potentially tiresome (if/when the transfer fails because of read errors/bad sectors I'll have to manually identify which files did not get copied and restart the process), but so far I am pleased to report that it is chugging along at 14 MB/sec, with 30 GB of the most critical 200 GB (family photos and videos, mainly) safely recovered. The drive is making no noise at all so far.

    And I think it is better to get the most vital data off quickly today, than spend 5+ days imaging the entire drive with no idea whether I'll be able to access or decrypt the truecrypt image once the process is completed.

    **edit** So far I've had errors on 2 photos out of 11,000 files copied...I can live with that. I just hope the rest of the copying goes as smoothly...
     
    Last edited: Jun 28, 2014
  4. jimster99, Registered Member (Joined: Jun 28, 2014; Posts: 8)

    Using linux, I managed to copy 160 GB of unencrypted usable data from a physically damaged 3TB truecrypt drive, but then truecrypt dismounted, somehow damaging something, so the hidden truecrypt volume doesn't mount in linux anymore, and gives me an error message saying I need to run fdisk.

    However I can still mount the drive in windows and access the hidden volume file system (although it is unstable) so I assume the essential truecrypt stuff is still there. I therefore think I am going to create a ddrescue image of the entire drive onto a backup 3 tb drive. Once I have created the image (if it works...), I will then copy the image to a new drive, and attempt to restore the truecrypt hidden volume (and extract my data!). Hurrah! Hopefully.

    So my questions:

    (i) the truecrypt drive appears to be in a partition (not the entire drive) as when I connect the drive into windows, it loads a "RAW" drive and asks if I want to format it. When I connect the truecrypt drive in linux, it shows a 2.7 TB drive and a 2.7 TB partition (and I have to select the partition to unencrypt the hidden volume). So my question is this - should I use ddrescue to image the drive, or the partition? Does it matter?

    (ii) how do I mount the image file so as to be usable with truecrypt? Is this actually possible? I do have a back up of the truecrypt header volume saved to a different file. I understand I may also need to use winhex (and I'm happy to learn this if necessary) but would appreciate if this could be confirmed.

    (iii) will the ddrescue image + truecrypt backup header contain everything I need? Or do I need to pull extra data from the original damaged drive (like the MBR or other specially formatted data used by truecrypt)?

    (iv) I am a bit worried the new 3tb drive will not be quite large enough to hold the image (as I am copying a 3tb drive), but I believe that if the backup drive gets full, I can simply copy the image to a 4tb drive and resume as I am using ddrescue with a log file. Is that right?

    Thanks for any assistance anyone can provide!! :)
     
    Last edited: Jun 29, 2014
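
Added example, not part of the posts above: on the question of whether a ddrescue image holds everything TrueCrypt needs, this sketch reads the ddrescue log (mapfile) and reports whether the four 64 KiB header slots were recovered. It assumes the image was taken from the same device TrueCrypt mounts (for example /dev/sdd1) and the standard TrueCrypt volume layout (outer header at offset 0, hidden-volume header at 64 KiB, embedded backups in the last 128 KiB); the function names and the sample mapfile are constructed for illustration.

```python
# Added example (not from the thread): which TrueCrypt header slots did ddrescue recover?
KIB = 1024

def parse_mapfile(text):
    """Parse GNU ddrescue mapfile text into a list of (pos, size, status)."""
    rows = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    rows = [r for r in rows if r]
    # rows[0] is the "current_pos current_status [current_pass]" line; skip it.
    return [(int(r[0], 0), int(r[1], 0), r[2]) for r in rows[1:]]

def unrescued(blocks, start, length):
    """Bytes in [start, start+length) not covered by a finished ('+') block."""
    end, good = start + length, 0
    for pos, size, status in blocks:
        if status == "+":
            good += max(0, min(end, pos + size) - max(start, pos))
    return length - good

def header_report(mapfile_text, volume_size=None):
    """Map each 64 KiB header slot to the number of bytes still missing."""
    blocks = parse_mapfile(mapfile_text)
    if volume_size is None:  # assumption: the mapfile covers the whole device
        volume_size = max(pos + size for pos, size, _ in blocks)
    slots = {
        "outer header": 0,
        "hidden header": 64 * KIB,
        "backup outer header": volume_size - 128 * KIB,
        "backup hidden header": volume_size - 64 * KIB,
    }
    return {name: unrescued(blocks, off, 64 * KIB) for name, off in slots.items()}

# Constructed sample mapfile for a 1 MiB "device" (not real ddrescue output).
SAMPLE = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status  current_pass
0x000E0000     ?               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00001000  -
0x00011000  0x000CF000  +
0x000E0000  0x00010000  ?
0x000F0000  0x00010000  +
"""

if __name__ == "__main__":
    for name, missing in header_report(SAMPLE).items():
        print(f"{name:22s} {'OK' if missing == 0 else f'{missing} bytes missing'}")
```

A primary slot with missing bytes alongside an intact backup slot is the case where the embedded backup header, or an externally saved header backup, matters.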