"Partition Unallocated Disk 0" trueCrypted HD, Help plz to recover

Discussion in 'encryption problems' started by fk21, Jan 20, 2014.

Thread Status:
Not open for further replies.
  1. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello :)

    I really need your help please.

    My secondary HD (320 GB IDE) with all my data is wholly TrueCrypted.
    After low-level formatting my SSD and reinstalling Win 7 64-bit,
    I can see it in "disk management" as "Partition Unallocated Disk 0"? :(

    With TestDisk Data Recovery I get "No partition found or selected for recovery"
    Do you think I have lost all my data?
    I have spent 12 hours so far...
    What can I do, please?
     
    Last edited: Jan 22, 2014
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    There's hope, but I need to know what type of volume it was before I can suggest a course of action. The question is, was it "entire disk", or "partition"? And the weird thing is, for some reason almost everybody gets this question wrong. I've had many, many users say it was the entire disk, when it turns out that they had merely encrypted the partition on a disk that contained only one large partition (i.e. a typical data disk).

    Here are some ways to tell:
    1) In TrueCrypt, when you click on "Select Device", you see a list of disks and partitions. Your volume's host device used to be listed here. Was it listed as an entire disk, such as "Hard disk 1:" (or some other disk number), with no partitions listed under it, or was it listed as a partition on a disk, such as "\Device\Harddisk1\Partition1" (or some other disk or partition number)?

    2) When the volume was mounted, did TrueCrypt list it as "Partition0" (a disk), or "Partition1" or higher (a partition) in the main TrueCrypt screen?

    3) When you first made the volume, did you encrypt your data "in-place", without having to copy it in after creating the volume? (= partition encryption)

    4) Did Windows Disk Management ever notify you that the disk needed to be initialized? (= disk encryption)

    Also, have you tried mounting the volume using the embedded backup header? Try this first. (Don't try to restore the header, just see if you can mount the volume by selecting the embedded backup header option under "Mount Options".)

    (Edit) Very important: Until we figure out what's going on, don't write anything to the disk! You can easily make things worse, much worse, by trying to repair it without knowing what you're doing. Also, look at some of the other TrueCrypt threads that I've been posting in lately, as there are a lot of similarities to your situation.
     
  3. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    You are a gentleman Dantz!

    So much thanks for your help, very good post.

    You are so right :) about "The question is, was it "entire disk", or "partition"?"

    1/ yes "select device" and then "\Device\Harddisk1\Partition1"
    "listed as a partition on a disk" for sure.
    2/ I really don't know but I can check with another HD, same way of using TrueCrypt.
    3/ No, I had to transfer them into the "hard disk" showing up.
    4/ I had some alerts from Windows telling me to back up as soon as po.
    Well yes, very rarely, it did that a few times a few hours ago on one PC. I have tested the HD on 2 PCs and I get "Unallocated Disk" (90%)
    At startup the HD sometimes has a strange name with strange letters, with a strange capacity too :)

    "Mount Options"
    Yes, I tried, I think, but it asks me for the password and it does not work.
    "the embedded backup header" is this at the end of the HD.
    I'm going to try this right away Sir.

    Okay I'm going to read your posts.
    I feel more relaxed now, all my data were in, all. After low format SSD reinstalling Win 7 I wished to do this backup. That makes me... anyway loool. I had a bad time the last 48 hours, very bad :)

    I also went to a local computers store and the young guy tried with Linux and Win, he told me he has pro tools, after 10 minutes,
    he said : "no luck, Smart Error/ Partionnement"
    He gave me the address of a company who open HD with a With Chamber... very very expensive.

    After all my answers, what do you think please Dantz, very very bad or not? I'll go read your last posts.
    Deeply thanks for this full of hopes post.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    OK, it sounds like it was definitely a partition-hosted container.

    The scenario that you are describing (if I understand you correctly) is a fairly common occurrence. This sort of thing can happen when the user leaves an encrypted data disk connected to the system while they reinstall Windows. It's one of the big "Don'ts", but for some reason the TrueCrypt User's Guide fails to mention it.

    This seems to happen because Windows doesn't recognize 3rd-party encrypted partitions as being valid, and thus it will sometimes (and especially during reinstallations) try to "fix" them. This often ends up with the partition being converted to unallocated space.

    It's quite likely that your data is still there on the disk. The real question is, are either of the headers still intact? If we can find either one then you will be in good shape. We'll start by looking for the volume header, as it's easier.

    Let's see if we can create a test file from either of the two common starting locations for a partition on a data disk. If we're successful then we will have located your intact TrueCrypt header plus the beginning of your lost volume (and partition), which is the most important part of recovering the data.

    To create a 200KB test file starting at offset 32256, try this:

    0. Download an evaluation copy of WinHex from here: http://www.x-ways.net/winhex/index-m.html

    1. Install and then open WinHex

    1a. "Options: Edit Mode", make sure you're in "Read Only" mode, then click "OK"

    2. Open the disk ("Tools: Open Disk"), then select your secondary disk from the list of Physical Media and click "OK"

    3. "Edit: Define Block" then enter the following numbers:
    Beginning: 32256
    End: 237055
    click "OK"

    4. "Edit: Copy Block: Into New File"

    5. In the "Save File As" dialog box, select a name and a location (on a different disk, of course) for the small 200KB test file that you are going to create. Name the file "32256 test.tc" and click "Save"

    6. A new tab for that file appears in WinHex. Right-click on the tab and select "Close"

    7. Close WinHex

    8. Open TrueCrypt

    9. Click on "Select File", then locate the newly created file "32256 test.tc" and click "Open"

    10. Assign a free drive letter, or accept the one that was automatically selected

    11. Click "Mount"

    12. Type in your usual password, and click "OK"

    Was your password accepted? If so, hooray! We're halfway there.

    If your password was not accepted (i.e. you saw the "Incorrect password or not a TrueCrypt volume" message) then repeat the above instructions, but change the numbers in Step 3, as follows:
    Beginning: 1048576
    End: 1253375

    Then complete the rest of the steps and try again.

    (At Step 5, name the file "1048576 test.tc")

    Hope this works!

    (Written mostly from memory, so it might not be perfect. Please let me know if anything doesn't seem right.)
    This might indicate data corruption or a failing disk. That's not good! But let's try to ignore that for now and see if we can recover your data. If it causes problems then you might have to clone your drive before we can move forward.
     
  5. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello Dantz How are you today.
    Deeply thanks for this great post, very interesting :)


    "4. "Edit: Copy Block: Into New File""
    I get this : "With this evaluation version you cannot save files that are larger than 200 kb"
     
  6. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    First try with Beginning: 32256 End: 237055:
    "Incorrect password or not a TrueCrypt volume"

    Now i'm trying with Beginning: 1048576 End: 1253375
    90 min to wait...
    Hope it will be okay, sounds not too good.
    I hoped the first attempt would have been successful.
     
    Last edited: Jan 23, 2014
  7. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    In View Disk Winhex the name of the HD ended with (298 GB, Raid)
    "Raid" is it strange...
     
    Last edited: Jan 23, 2014
  8. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    "It's quite likely that your data is still there on the disk. The real question is, are either of the headers still intact? If we can find either one then you will be in good shape."

    If not Dantz :)

    32256 test.tc
    1048576 test.tc

    no luck so far
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm too busy to respond right now, sorry. I'm swamped! I'll try to catch up later.
     
  10. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello Dantz,
    Thank you, how are you, take your time :)
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm back! Sorry about the long delay.
    90 minutes!? It should take about 2 seconds. Might be a damaged disk, or you're doing something very differently than what I described. Just to see what happens, try defining a much smaller block, for example from 1048576 to 1068543.

    Before you save and test it, look at both ends of the block selection using the following menu commands: "Navigation: Go To: Beginning of block", and "Navigation: Go To: End of block". What do you see at the beginning? The starting point of the block (the highlighted portion) should appear to contain a solid block of random data. You probably can't tell that it's random just by looking at it, but sometimes you can tell if it's not. In the Hex column, do you see any patterns, such as a bunch of zeros? In the Text column (to the right of the hex column) is there anything identifiable in there such as words or patterns?

    Also look at the data just prior to the selected block, and see if it looks any different. If we're in the right spot then there will usually be a transition point here between non-random data (such as a large area filled with zeros) and a solid block of fully random, unrecognizable data.
     
  12. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello Dantz :)
    How are you, I'm back and I'm going to try what you asked, thank you sir.

    By the way, oddly, a pop-up appeared, Windows asked me to make a backup of the "unknown" hard disk... Is it any good?

    I tried, not working grrrr lol
     
    Last edited: Feb 7, 2014
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Your block is selected improperly because you've switched to Hexadecimal mode rather than Decimal mode (which is usually the default). My instructions were written for Decimal mode, so you're performing them in the wrong locations.

    Click once inside the "Offset" column to switch back to Decimal mode (it's a toggle, so every time you click within the offset column WinHex switches back and forth between the two display modes). Also notice that the information panel (to the left of your data) displays the mode, and it currently says "hexadecimal".
     
  14. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Last edited: Feb 8, 2014
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Now that you have switched to decimal mode you need to do everything over again. Use the numbers that I provided earlier to reselect the test blocks, recreate the test files and test them again. Maybe this time we will see more of what we are looking for.
     
  16. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    At the Beginning of block, I get this:
    -The highlighted portion appears to contain a solid block of random data
    -In the Hex column, I see patterns such as a bunch of zeros
    -In the Text column there are words such as "error reading disk bootmgr Bootmgr missing compress"

    "Also look at the data just prior to the selected block, and see if it looks any different. If we're in the right spot then there will usually be a transition point here between non-random data (such as a large area filled with zeros)
    and a solid block of fully random, unrecognizable data."

    Yes lines full of zeros and then random data.
    I went up to line 00009689536 there are random data, looks like the beginning.

    Here is an image of "Navigation: Go To: Beginning of block"

    http://s1.postimg.org/xmfz8k9q7/Pb_HD320giga_decimal_4_BDantz.png
     
    Last edited: Feb 8, 2014
  17. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
  18. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    -32256 test (200 KB)
    -1048576 test (200 KB)
    -1068543 test (19.5 KB)
    as you said about the size of the files, under 200 KB :)

    I get : "Incorrect password or not a TrueCrypt volume" x3

    looking... bad or bad, tell me Dantz, need to know lol

    I read "Damaged truecrypt partition on 2nd hard drive after windows install"
     
    Last edited: Feb 8, 2014
  19. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It looks like Windows overwrote your TrueCrypt volume header with partition boot sector code. Darn! We'll need to go to plan B, which is to try to locate and utilize the TC embedded backup header which is stored near the end of the partition. (This had better work, because there is no Plan "C".)

    I will post the instructions for that as soon as I can get enough free time to write them up. In the meantime, try this:

    In WinHex, double-click on the "Partition 1" entry to open it in a new tab

    Click once inside the data, then press Ctrl+End to go to the very end of the partition

    Does the data at the end of the partition look like random data? Also, scroll upwards a bit. Does all of the data still look random? (Hoping you will say yes.)
     
  20. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Thank you let's try Plan B :)

    The offset is "hexadecimal". As soon as I press Ctrl+End I get this msg: "Switched to hexadecimal offset presentation..."
    (I post this but will try to redo it in "Decimal")
    Yes Dantz, they look like random data.
    "Also, scroll upwards a bit"
    Yes they still look random even if there is a line with some zeros (4A85AFFE20)
    "Hoping you will say yes." I say YES :)

    http://s18.postimg.org/9rrfgwn3d/HD320_GO_Plan_B_Dantz.png

    At the beginning of Partition1:

    http://s9.postimg.org/hxp71ckvj/HD320_GO_Plan_B_Dantz_beginning_partition1.png
     
    Last edited: Feb 9, 2014
  21. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    (Sorry to take so long to reply. I've been quite busy, so I'm fitting you in when I get a chance.)

    It looks like you have a typical NTFS partition, with NTFS boot sector code in the first sector and a backup copy in the last sector. This is not how a TrueCrypt volume is supposed to look. An encrypted partition would appear to be completely random from beginning to end. However, it's possible that the majority of your encrypted data is still present within the partition, even if some small portions of it have been overwritten by NTFS formatting.

    OK, let's see if your embedded backup header has survived. If so then we can use it to look for your data.

    Since WinHex is apparently switching to Hexadecimal mode after you advance a certain distance into your disk, I'll use that mode for all of my instructions:

    1. Open the physical disk in WinHex

    2. Double-click on "Partition1" to open that partition in a separate tab

    (You also could have opened the partition directly by selecting it from the list of logical volumes, but we'll use the first method, since that's what you have been doing up to now.)

    3. Click once in the Offset column to switch to Hexadecimal mode, if this is not already in effect. (Note that the column headings will switch from all numbers, such as 0-31, to mixed numbers and letters)

    4. Click once in the data

    5. Press Ctrl+End to move to the very end of the disk

    6. Note the hexadecimal Offset number at the very bottom of the screen (it might say "Offset: 4A85AFFFFF"). Write it down, but use your own number, not mine, just in case I didn't calculate it properly.

    7. Navigation: Go To Offset

    enter "1FFFF" Bytes (hexadecimal)
    (Note: the Bytes button is a toggle. If it doesn't already say "Bytes" hexadecimal, click on it several times until it does).

    relative to "End, back from"

    Click "OK"

    (If your embedded backup header still exists then this might be its starting point, although you can't tell just by looking at it. However, it should appear to be totally random, so if it's not then there is a problem.)

    8. Edit: Define Block
    Beginning:
    in the right-hand drop-down box, select "Current Position"
    (your cursor's current location will appear in left-hand box)

    End:
    Paste in (or type in) the offset number that represents your disk's last byte, from Step #6 above.

    Click "OK"

    9. Now that the block has been selected, notice the "Size" indicator in the bottom right corner of the screen. It should show that the current block size is "20000" hexadecimal, which happens to be the equivalent of 128 KB. Thus, you're about to create a 128 KB test file.

    10. "Edit, Copy Block, Into New File"

    11. Create a name and choose a location for the test file. Make sure it's on a different disk. I suggest giving the file a ".tc" extension, but it's up to you. Click "Save"

    12. WinHex automatically opens a new tab that contains the contents of your new file. We don't need this to be here, so right-click on the tab and select "Close"

    13. Close WinHex

    14. Open TrueCrypt, select a free drive letter, click on "Select File", select the newly created test file and see if you can Mount it using your password.

    If your password is accepted then you have found the fully intact embedded backup header and you can begin a preliminary celebration, although there is still more work to be done.

    If your password is not accepted then we'll have to think about what else we can try.

    (Hopefully the above steps are accurate. If you notice any discrepancies while you follow the procedure then please let me know.)
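
The block selections described in this thread (200 KB at decimal offsets 32256 and 1048576, and the last 0x20000 bytes of the partition) can also be carved and checked for randomness with a script. This is an added example, not part of the original posts: the function names, the 7.0 bits-per-byte threshold and the sample image are assumptions constructed for illustration, and the partition start and length must be supplied by the caller.

```python
import hashlib, math, os, tempfile

SECTOR = 512
HEAD_STARTS = (32256, 1048576)  # partition starts tried in the thread (decimal)
HEAD_LEN = 204800               # 32256..237055 inclusive: the 200 KB test file
TAIL_LEN = 0x20000              # last 128 KB of the partition (backup header area)

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def read_block(path, start, length):
    """Copy [start, start+length) from a disk image opened read-only."""
    with open(path, "rb") as f:
        f.seek(start)
        return f.read(length)

def non_random_sectors(block, threshold=7.0):
    """Offsets inside block of 512-byte sectors that do not look random."""
    return [i for i in range(0, len(block), SECTOR)
            if entropy(block[i:i + SECTOR]) < threshold]

def survey(path, part_start, part_len, out_dir=None):
    """Check each candidate region; optionally save it as a .tc test file."""
    regions = {f"head@{s}": (s, HEAD_LEN) for s in HEAD_STARTS}
    regions["tail"] = (part_start + part_len - TAIL_LEN, TAIL_LEN)
    report = {}
    for name, (start, length) in regions.items():
        block = read_block(path, start, length)
        bad = non_random_sectors(block)
        report[name] = {"start": start, "size": len(block),
                        "header_sector_random": 0 not in bad,
                        "non_random_sectors": len(bad)}
        if out_dir:  # must be on a different disk than the one being examined
            with open(os.path.join(out_dir, name + ".tc"), "wb") as out:
                out.write(block)
    return report

def build_sample_image(path):
    """Constructed 4 MiB image: zeros, then a 3 MiB 'partition' at 1 MiB whose
    first sector holds boot-sector text and whose remainder is pseudo-random."""
    part_len = 3 * 1024 * 1024
    filler = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                      for i in range(part_len // 32))[:part_len - SECTOR]
    boot = (b"\xebR\x90NTFS    " + b"BOOTMGR is missing").ljust(SECTOR, b"\0")
    with open(path, "wb") as f:
        f.write(b"\0" * 1048576 + boot + filler)
    return 1048576, part_len

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.img")
        start, length = build_sample_image(image)
        for name, row in survey(image, start, length, out_dir=tmp).items():
            print(name, row)
```

A region that passes the entropy check has only been shown not to be visibly overwritten; a header is confirmed intact only when TrueCrypt accepts the password for the carved file.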
     
  22. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    espoir.tc

    It worked, really it did :)
    Believe me or not, i'm a bit crying, feels good.

    !!!! Dantz you are so gentle, you better give me your personal address, got to send you a gift and I'm so glad to :)
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Hey, we're not finished yet! This is a good start, though.

    Hmmmm. Since you have apparently located an intact embedded backup header in the expected location, I wonder why you haven't been able to gain some sort of access to your volume. In my first post I asked you to try using the embedded backup header, but you never posted your results. I think we'd better try it again. (If your password is accepted when you try this then it's possible that we've been working too hard, but ok, we're in the same place, it just took us longer to get there.)

    Here are the steps:

    Open TrueCrypt

    Click on a free drive letter that you will mount the volume to

    click on "Select Device"

    Select the partition that we've been working with, the one on your secondary hard disk

    Click on "Mount", then "Mount Options", then select "Use backup header embedded in volume if available", "OK".

    Enter the password as usual. Did the partition mount to the assigned drive letter? It might.

    If the volume mounted then the next steps will involve the use of data-recovery software to explore the mounted volume, as your volume's internal file system has been partially overwritten and it most likely won't be functional. (If Windows offers to format the volume, DON'T do it.) Some of your data will probably be recoverable, but you have to proceed carefully or you can make matters worse.
     
  24. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello Dantz :)

    The deal is I can't see it: "Select the partition that we've been working with," In "Select Device" I see Harddisk0, and right under it I cannot see any
    \Device\harddisk\Partition1, this line is not appearing, it's empty.

    http://s13.postimg.org/fu4ckff9z/Capture_dantz.png

    with \Device\harddisk\Partition0 won't work : "Incorrect password or not a TC volume".
     
  25. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    And yet WinHex shows a partition there. Strange. But ok, we can go from here. I'll post further steps tomorrow -- time to sleep.
     