"Partition Unallocated Disk 0" trueCrypted HD, Help plz to recover

Discussion in 'encryption problems' started by fk21, Jan 20, 2014.

Thread Status:
Not open for further replies.
  1. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Is it still looking okay

    Bonne Nuit, good night :)
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sorry about the delay, I have been very busy lately. Anyway, the next steps involve confirming the original size of your lost partition, and then taking a "test bite" to see if we're correct, and then trying to recover the whole thing. You will probably need to use data-recovery software on the recovered partition, as it seems to have been partially overwritten by Windows (perhaps it was just a quick format, though, so there should be a lot of data left).

    Mount the last test file that you created, the one that contains the embedded backup header, then in the TrueCrypt interface click on Volume Properties and note down the Size in bytes.

    This number is the size of the original volume. We can add 256KB to that number to account for the four 64KB headers that surround the volume, and the resulting number should be the exact size of the lost partition. And since we already know the partition's endpoint, we can use that to find its starting offset. (WinHex is already displaying this, but I want to see if TrueCrypt agrees with it, as they will sometimes differ.)

    Also, quick question: The lost partition appears in WinHex. Does it also appear in Disk Management? If so, I'm not sure why TrueCrypt wouldn't be able to see it. TrueCrypt will usually see it even if you remove the drive letter, and even if it's not formatted. So I'm a little puzzled here.
     
  3. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Glad to hear from you Dantz :)
    Thx always happy to read, very interesting

    Size tc : 320 070 221 824 (the size of the original volume) +256
    WinHex : 320 072 933 376
    "WinHex is already displaying this, but I want to see if TrueCrypt agrees with it, as they will sometimes differ"
    Grrrrrr Dantz it does looool, Ho no!
    Why do i collect all the oddities...

    "Does it also appear in Disk Management?"
    yes.
    http://s8.postimg.org/b9y3v3401/Disk_Management_Dantz.jpg

    "TrueCrypt wouldn't be able to see it"
    no.
    http://s14.postimg.org/tr2o3pr59/Harddisk_0_Dantz.jpg
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I can't make out your Disk Management image. It's too small to show any detail. Is it showing a partition, or just the whole disk?
     
  5. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Last edited: Feb 14, 2014
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, here's the math: According to TC Volume Properties your original TrueCrypt volume was 320,070,221,824 bytes. If we add 262,144 bytes to account for the four 64KB headers then we arrive at the original size of your lost partition: 320,070,483,968 bytes.

    WinHex shows that Partition1's total capacity is 320,070,483,968 bytes (a perfect match with the TC info)

    WinHex also shows that Partition1 begins on sector 2048 (x 512 = 1,048,576), which is the standard location, so this should be easy.

    WinHex shows the capacity of entire disk is 320,072,933,376 bytes, which is 2,449,408 bytes larger than Partition1.

    Since the partition begins at offset 1,048,576, this leaves 1,400,832 bytes unaccounted for. However, WinHex shows that there are 2,736 surplus (unallocated) sectors at the end of the disk, x 512 bytes per sector = 1,400,832 bytes. So everything matches perfectly.

    The situation appears to be very straightforward. You had a typical partition that began at offset 1,048,576. You encrypted it, then you accidentally formatted the partition (hopefully it was just a "quick" format, which doesn't erase that much, but we'll see), then you somehow broke the partition table. Much of your encrypted data is probably still there, but TrueCrypt's volume header was overwritten when you formatted the partition, which is why our initial test file from offset 1,048,576 didn't work. Luckily your embedded backup header survived, so we will use it to recover the volume. Here's the plan:

    Part 1: Make a backup header
    For safekeeping, make a backup copy of the test file that was based upon your embedded backup header, the one that you were able to mount successfully. (Give it a slightly different name, and set this file aside.)

    Open TC
    Click on "Select File"
    Select the test file that I just mentioned above. (Not the backup copy)
    Click on "Volume Tools", "Backup Volume Header"
    Enter the password when prompted
    Click on "The volume does not contain a hidden volume"
    Enter a name and a location for the header backup file and save it. (Name the file "Partition1 backup header.tc")

    Part 2: Create a test file
    Use WinHex to open the Physical Media, then create a new test file that begins at 1,048,576 (decimal), and make it as large as possible. Since you are still using the evaluation copy of WinHex, you cannot yet exceed 200KB, so your block settings should be as follows:

    (first, make sure you are in decimal mode)
    Begin: 1048576
    End: 1253375
    Press "OK". The size (seen in bottom right corner of window) should be 204800
    Save the block as a new test file (call it "1048576 test.tc")
    Close WinHex

    Part 3: Restore the backup header to the test file
    Open TC
    Click on "Select File"
    Select "1048576 test.tc"
    Click on "Volume Tools", "Restore Volume Header",
    Select "Restore the volume header from an external backup file"
    Click "Yes"
    Select "Partition1 backup header.tc"
    Enter the password when prompted, and complete the steps to restore the backup header to the test file.

    Part 4: Test the test file to see if it mounts, then look for decrypted data
    Open TC
    Click on "Select File"
    Select "1048576 test.tc"
    Click on "Mount", select a free drive letter, provide the password and mount the volume
    Open WinHex
    "Tools", "Open Disk"
    Select the Logical volume that corresponds to the drive letter you mounted the volume to with TrueCrypt
    Click "OK"
    Ignore any WinHex error messages, just click through them. Error messages are expected at this point. The actual test volume is much smaller than the size that TrueCrypt reported to the operating system, and WinHex has noticed the discrepancy. The test volume also contains an incomplete file system, so WinHex will warn you about that. (This is just the test volume, so we don't care about those problems yet.)

    Once the data appears, examine it closely. We desperately want to find some non-random data in order to prove that the header is working and that some of your volume's original contents have survived.

    In the text column, look for any recognizable words, abbreviations, or patterns. Things like "NTFS", "a disk read error occurred", "NTLDR", ".........", any known file names, etc.

    In the hex columns, look for any obvious patterns such as large blocks of zeros "00 00 00 00 00" (probably much larger than that). If you don't find anything right away then scroll down one screen at a time by clicking once within the data and then pressing PgDn repeatedly.

    If you scroll all the way down to the end of the actual data then you will hit the "UNREADABLE SECTOR" region. There's no point in going any further, since there's nothing more down there. It's just imaginary space, really.

    I'll wait for your results before I type anything more. However, if this works then the next step will be to recover your entire partition, not just the little test snip that we took earlier. Then you will be able to mount the entire volume and run data recovery software on it to see what can be recovered.
     
    Last edited: Feb 15, 2014
  7. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    I'm impressed, great tutor, thank you for making it easy for me.

    Dantz, from Part1 to part4 gladly it went with no worry. But.

    In the text column, I have found nothing,
    and no "00 00 00 00 00" in the hex columns to "UNREADABLE SECTOR".
    I have checked more than 4 times.

    Here WinHex can exceed 200KB if this can help.

    I'm going to redo it to see if any better (It did not)

    (WinHex text column, Hard Disk 0, I read: "Invalid partition table Error loading Operating system Missing operating system". I did not notice that before.)

    Some images not in "Miniatures" this time :)

    http://s28.postimg.org/amf0muuct/Strange_page_Dantz.png
    http://s7.postimg.org/nbvnlll3v/Strange_page_Dantz2.png
    http://s8.postimg.org/czklzoixh/Text_Colum_strange_Dantz.png
    http://s10.postimg.org/wdw20ovyh/Unreadable_Sector_Dantz.png

    Thank you Dantz for this promenade, hope to hear from you soon :)
     
    Last edited: Feb 16, 2014
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    No, these are great results. It's just what I was hoping for. I guess you just don't quite realize yet that there are all sorts of obvious patterns in your Text column. I'm seeing things like "FaFbFcFdFeFdFeFfFgFh", "X X X X X X X X", "Z Z Z Z Z Z Z" and "0\1\2\3\4\5\6\7\8". That's not random at all!

    If it were all just purely random data then you'd be seeing something like this: "ÿUM˦›‹X=;§Àö@xºÕ—ZÐF£!öý~íÀòw –ÒltúÍÖXl¥’ÙíqŠ`8a™œ×pMì$በ¸Ô·x;ëKÍ<ƒþrÊÖ"
    That's a normal embedded error message. It's supposed to be there.
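
Added example, not part of the original posts: a sector-by-sector version of the visual check described in Part 4 and in the reply above. It labels each 512-byte sector of a mounted test volume (or a saved copy of it) as zeros, known marker, patterned or random-looking. The 7.0 bits/byte cut-off and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512
# Plaintext markers named in the thread for an NTFS volume.
MARKERS = (b"NTFS", b"NTLDR", b"a disk read error occurred")
# Assumed cut-off: 512 uniformly random bytes measure roughly 7.5 bits/byte,
# while text, tables and repeated patterns fall far below that.
ENTROPY_CUTOFF = 7.0


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    total = len(block)
    counts = Counter(block)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def classify_sector(block: bytes) -> str:
    """Label one sector: 'zeros', 'marker', 'patterned' or 'random'."""
    if not block.strip(b"\x00"):
        return "zeros"
    if any(marker in block for marker in MARKERS):
        return "marker"
    if shannon_entropy(block) < ENTROPY_CUTOFF:
        return "patterned"
    return "random"


def scan(stream, max_sectors=None):
    """Classify every sector read from a binary stream; returns the labels."""
    labels = []
    while max_sectors is None or len(labels) < max_sectors:
        block = stream.read(SECTOR)
        if not block:
            break
        labels.append(classify_sector(block))
    return labels


def verdict(labels) -> bool:
    """True when at least one sector is not random-looking, which means the
    restored header decrypts real data at this offset."""
    return any(label != "random" for label in labels)


def constructed_sample() -> bytes:
    """Constructed 4-sector sample, not data from the thread's disk."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    pattern = (b"FaFbFcFdFeFdFeFfFgFh" * 26)[:SECTOR]
    zeros = bytes(SECTOR)
    boot = (b"\xebR\x90NTFS    " + noise)[:SECTOR]
    return noise + pattern + zeros + boot


if __name__ == "__main__":
    labels = scan(io.BytesIO(constructed_sample()))
    print(labels, "-> decrypted data present:", verdict(labels))
```

If every sector comes back "random", the header was restored at the wrong offset or nothing of the original volume survives there.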
     
  9. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Dantz Ho this is a good news, thx i'm so happy to read this, can't believe it :)
    According to you... how it looks now, good or very good.
    I can't wait for the next level.

    "to see what can be recovered"
    How many GB may have been lost out of 320 GB?
    One day i have tried to run the HD with another pc, did not want to start as usual, after a big 15 minutes i have turned off the pc, hopefully it did not format the data for that period of time.
    Can't wait to read you, Genius Dantz

    "OK, here's the math: According to TC Volume Properties your original TrueCrypt volume was 320,070,221,824 bytes. If we add 262,144 bytes to account for the four 64KB headers then we arrive at the original size of your lost partition: 320,070,483,968 bytes."
    (+ this rest of this part of explanation).
    This is so smart, Art...
     
    Last edited: Feb 18, 2014
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sorry, I am super busy at the moment. Will get back to you soon.
     
  11. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Ho thx,
    well I wait for you, i read some other threads, I don't dare trying in case i do something so wrong.
    Take your time Dantz :)
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Since your lost partition is in the standard location, there are two ways you can go now. The first method is safer, but it is also more resource intensive. The second method might work, and it's very quick and easy, but it's also somewhat risky and I don't really like to recommend it.

    Option 1: Use WinHex to make a giant version of the test file, just like the other ones that you've created, by defining and saving a huge block of data which begins at offset 1048576 (decimal) and ends at the ending offset of your lost partition. Then use TrueCrypt to restore your external backup header to the file. The recovered file will encompass your entire lost volume, including all of your data, and it will be mountable by TrueCrypt, just as your successful test files were. However, keep in mind that your volume was probably partially overwritten by whatever accidental formatting took place, so you might not be able to browse through your data. You might need to use data-recovery software to explore the mounted volume and recover whatever you can.

    So this option requires a spare disk to copy your entire partition (the "test" file) onto, and then another disk to copy your recovered data onto. Lots of disks! But it's the safest approach. If anything goes wrong you can go back to the original source disk and start over.

    Option 2: Use either Windows Disk Management or DiskPart to recreate the previously-existing partition definition on your existing drive, and then restore your external backup header to that partition. (It's easy to get the beginning of the partition right, but the endpoint can be tricky.) The whole job can be done in 10 minutes or less. However, if you screw it up or something goes wrong then you can end up causing additional damage to your data, so I don't usually recommend this method, but I'll leave it up to you, as you know the value of your data better than I do.

    If your data is too valuable to risk then you could still follow this approach if you wanted to, but first you should make a sector-by-sector backup image or clone of the entire drive, just in case something goes wrong. However, I would only recommend doing this if you were already fairly familiar with the process of imaging and cloning, as well as restoring images to drives, otherwise the image or clone might not be made properly.

    And of course, if you're going to go to all the trouble of making a full clone of your disk then you might as well just go with Option 1, as there will be no savings of time or disk space if you need to clone the entire disk first.

    And as with Option 1, you will most likely need to use data-recovery software to explore your mounted volume and then copy your recoverable data onto a spare disk.

    Here's one thing that you should know about me: I'm very cautious with other people's data. Many users would just jump into option 2 without even making a backup copy, and if it didn't work and they ended up causing further damage then they might regret their choice, but they'd be stuck with it.

    My approach is much slower and is much more cautious. It might take a lot longer, but it usually works, and if it doesn't work then you still have the option of trying again, perhaps using different tools or techniques.

    edit: I forgot to mention that you won't be able to perform Option 1 with the evaluation copy of WinHex, as it has built-in limitations to prevent that sort of thing. It's either purchase a license or use a different tool.
     
    Last edited: Feb 20, 2014
  13. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Great, happy to read you Dantz, hope everything going well for you.

    "My approach is much slower and is much more cautious. It might take a lot longer, but it usually works, and if it doesn't work then you still have the option of trying again, perhaps using different tools or techniques."

    +1 Option 1, the clever and safe option :)
    I have everything. I'm ready to Hex 'n Roll.

    "You might need to use data-recovery software to explore the mounted volume and recover whatever you can."
    Sorry to say that Dantz i have no clue how to do that.
     
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, let's do this! We're basically just creating a gigantic version of the test file that you created earlier, so you already know how to do this.

    However, I think we'd better set yours up using hexadecimal numbers, as I recall that on your disk WinHex was automatically switching to hexadecimal mode when you got near the end of the disk.

    Here are the steps:

    1. On a separate disk, prepare an NTFS formatted partition that's large enough to hold a 320GB file, with a bit of extra space (for "good luck") if possible. Hopefully the disk is connected to a fast interface so this won't take all day.

    2. In WinHex, ensure that the offsets column is displaying in hexadecimal mode. (The offset numbers themselves should contain some letters, and the column headings will display letters to the right of 0-9. Also, the "offsets" item in the sidebar should say "hexadecimal".) If you're not in this mode then click once inside the offsets column to switch to the correct mode.

    3. In WinHex, click on "Edit: Define Block" and use the following settings:
    Beginning: 100000 (hex)
    End: 4A85BFFFFF (hex)

    4. Click "OK"

    5. Look in the lower right-hand corner to confirm the block size, which should be 4A85B00000. (This equals 320,070,483,968 decimal, which is the exact size of your lost partition).

    If all is well then it's time to save the block as a file.

    6. "Edit: Copy Block: Into New File"

    7. In the Save dialog box, choose your empty formatted partition as the destination, and give the file a descriptive name such as "RecoveredVolume.tc", then click "Save"

    This is a big operation, so it might take awhile. Quite awhile.

    8. When it's finally finished, close the extra tab that opened in WinHex (for the newly created file), then exit WinHex

    9. Open TrueCrypt

    10. Dismount any open volumes

    11. Select a free drive letter that you will (hopefully) mount your recovered volume to

    12. Click on "Select File"

    13. Select the newly created file "RecoveredVolume.tc"

    Let's see if the embedded backup header will work! If my numbers were correct, and if the WinHex operation went perfectly, then it should:

    14. In TrueCrypt, click on "Mount", then select "Mount Options: Use backup header embedded in volume if available", then click "OK".

    15. Enter the password. Was it accepted? Did the volume mount to the specified drive letter?

    16. If the answers to #15 were "Yes" then it's time to try looking inside the volume using Windows Explorer. This may or may not work, based upon how badly your volume's file system was overwritten during the accident.

    Use Windows Explorer to examine the mounted volume by double-clicking on its assigned drive letter. (A shortcut to doing this is to double-click on the name of the mounted volume from within the TrueCrypt interface).

    17. If Windows replies with a "This volume is not formatted, would you like to format it now" message (or similar) then Cancel, say No, do NOT format the volume. In this event we'll need to use data-recovery software to recover your data.

    I'd suggest starting with GetDataBack, although there are also many others. GetDataBack has an evaluation copy that you can try first to see if it can recover any of your data. But we're getting ahead of ourselves; first let's see what sort of outcome you get. I'm hopeful!
     
    Last edited: Feb 21, 2014
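
Added example, not part of the original posts: the size reconciliation from the "here's the math" post and the Define Block / Copy Block steps above, written as a script. The function names and the image path are assumptions; the backup-header offset comes from the TrueCrypt volume format, not from the thread.

```python
import hashlib

SECTOR = 512
TC_HEADER = 64 * 1024   # one 64KB TrueCrypt header slot
HEADER_SLOTS = 4        # "the four 64KB headers that surround the volume"


def partition_geometry(volume_size, start_sector, disk_size):
    """Rebuild the lost partition's byte range and cross-check it against
    the capacity of the whole disk."""
    size = volume_size + HEADER_SLOTS * TC_HEADER
    begin = start_sector * SECTOR
    end = begin + size - 1                  # inclusive, like WinHex's "End"
    surplus = disk_size - (end + 1)         # unallocated tail of the disk
    if size % SECTOR or surplus < 0 or surplus % SECTOR:
        raise ValueError("sizes do not reconcile with the disk capacity")
    return {
        "begin": begin,
        "end": end,
        "size": size,
        "surplus_sectors": surplus // SECTOR,
        # TrueCrypt volume format: the standard volume's embedded backup
        # header occupies the slot that starts 128KB before the end.
        "backup_header": end + 1 - 2 * TC_HEADER,
    }


def copy_block(src_path, dst_path, begin, end, chunk=4 * 1024 * 1024):
    """Copy the inclusive range [begin, end] into a new file. The source is
    opened read-only and an existing destination is never overwritten."""
    remaining = end - begin + 1
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        src.seek(begin)
        while remaining:
            data = src.read(min(chunk, remaining))
            if not data:
                raise OSError(f"source ended {remaining} bytes before End")
            dst.write(data)
            digest.update(data)
            remaining -= len(data)
    return end - begin + 1, digest.hexdigest()


if __name__ == "__main__":
    # Numbers quoted in the thread: TC volume size, start sector, disk size.
    g = partition_geometry(320_070_221_824, 2048, 320_072_933_376)
    print(f"Beginning: {g['begin']:X}  End: {g['end']:X}  Size: {g['size']:X}")
    print("surplus sectors at end of disk:", g["surplus_sectors"])
    # copy_block("disk0.img", "RecoveredVolume.tc", g["begin"], g["end"])
    # "disk0.img" is a hypothetical image of the damaged disk.
```

The embedded backup header is located relative to the end of the file, so a copy that is off by even one sector at the endpoint will not mount with "Use backup header embedded in volume".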
  15. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Hello Dantz, thank you, very kind explanations.

    Everything went great point 1 to point 17.

    I little tried GetDataBack, all i can get back, it's only 19 mb.
    What happened, is it bad as really bad.

    Some images to come in a sec.
     
    Last edited: Feb 21, 2014
  16. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    May i add this for readers:

    "3. In WinHex, click on "Edit: Define Block" and use the following settings:
    Beginning: 100000
    End: 4A85BFFFFF "

    Without the "hex" :)
    There is a message saying the letter 'x' is forbidden.

    GetDataBack
    Step 1 :
    http://s14.postimg.org/qpejqm5pd/Get_Data_Back_Step_0_for_Dantz.png
    Step 2 :
    http://s24.postimg.org/3ttda33t1/Get_Data_Back_Step_1_for_Dantz.png
    Step 3 :
    http://s12.postimg.org/976pc2sq5/Get_Data_Back_Step_2_for_Dantz.png
    Step 4 :
    http://s11.postimg.org/xersn2k8z/Get_Data_Back_Step_3_for_Dantz.png

    +1 Nice to know that :
    "Use Windows Explorer to examine the mounted volume by double-clicking on its assigned drive letter. (A shortcut to doing this is to double-click on the name of the mounted volume from within the TrueCrypt interface)."
     
    Last edited: Feb 21, 2014
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Well, at least you are recovering some of your data, and this proves that you have access to your volume, so we've gotten you that far, anyway.

    Apparently your volume's MFT (master file table) must have been partially overwritten by the new MFT that Windows wrote on top of it. This happens sometimes.

    GetDataBack is one of many data-recovery programs that can work with a partially-damaged file system. I was hoping that it would find enough working pieces of your MFT to reassemble some of your data. However, I wouldn't give up on it yet. Try other options. Try other programs. Data-recovery generally requires a lot of patience and persistence.

    Another way to go, if it turns out that your file system is too damaged to be useful, is to use a data-recovery program that specializes in "file carving". These types of programs merely walk the drive from beginning to end and attempt to find your lost files by looking for their known file signatures. PhotoRec is a good example. It will often recover a ton of files, and it will save them according to their file types, but you have to go through the recovered files one by one in order to figure out what each one is, and there will be a lot of "duds", especially if your lost files were fragmented. So it's labor intensive, and the results are less than perfect, but you should get something back. WinHex can also do this, and it offers the advantage of being able to see what you are doing (if you are able to interpret what you are seeing, that is).

    My main area of expertise is in walking you through the recovery of a lost or broken TrueCrypt volume to the point where you have regained full access to the volume and you can begin the recovery of your data. Sometimes the file system is intact and everything works normally, but at other times the file system and/or the data has been "stomped" on and the user is forced to run data-recovery software to recover what he can.

    However, I'm not as adept at running all of the various data-recovery programs that are out there. Plus, every situation is different, so it's hard to know which program will be the best match for your particular situation. I can provide generalities, but that's about it. You're going to have to try a variety of programs, and try them with different settings. If you search the forums here at Wilders you'll find various data-recovery software recommendations from the members.

    Generally speaking, I will say that it's best to try to recover all of the data that you can before you try to repair any of the broken file system components. In my experience, repairing the file system isn't really that useful.

    You can get more specific data-recovery advice by posting on the various user forums that are associated with each data-recovery program. Good luck!
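
Added example, not part of the original post: a minimal signature-based file carver of the kind described above, limited to JPEG and PNG. It is not PhotoRec's code; the size limit, function names and sample buffer are assumptions constructed for illustration.

```python
import os

# (header, footer) signatures. PNG's footer is its IEND chunk plus CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 32 * 1024 * 1024   # assumed upper bound for one carved file


def carve(data: bytes, max_file: int = MAX_FILE):
    """Return (kind, start, end, complete) for each header signature found,
    sorted by start; end is exclusive. complete is False when no footer
    follows within max_file bytes: a likely "dud" (fragmented or
    overwritten file). Carving assumes files are stored contiguously."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_file)
            foot = data.find(footer, pos + len(header), window_end)
            if foot == -1:
                hits.append((kind, pos, window_end, False))
                pos = data.find(header, pos + len(header))
            else:
                # The first footer wins; a JPEG with an embedded thumbnail
                # is cut short here, another source of duds.
                end = foot + len(footer)
                hits.append((kind, pos, end, True))
                pos = data.find(header, end)
    return sorted(hits, key=lambda hit: hit[1])


def save_hits(data: bytes, hits, out_dir: str):
    """Write complete hits into one folder per file type, named by offset."""
    paths = []
    for kind, start, end, complete in hits:
        if not complete:
            continue
        folder = os.path.join(out_dir, kind)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, f"{start:012x}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data[start:end])
        paths.append(path)
    return paths


def constructed_sample():
    """Constructed buffer: one PNG, one JPEG, one JPEG header with no footer.
    The payloads are placeholders, not valid images."""
    filler = b"\x11" * 100
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed-scan-data" + b"\xff\xd9"
    cut = b"\xff\xd8\xff\xe0" + b"fragment continues elsewhere"
    return filler + png + filler + jpg + filler + cut, png, jpg


if __name__ == "__main__":
    sample, _, _ = constructed_sample()
    for hit in carve(sample):
        print(hit)
```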
     
  18. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    Dantz I will get back to you a little later.

    Guess what genius and careful Dantz, i've got back ALL, 100% of my data.
    May i give you a kiss...

    Get back to you tonight, got to thank you for real :)
     
    Last edited: Feb 22, 2014
  19. fk21

    fk21 Registered Member

    Joined:
    Jan 20, 2014
    Posts:
    26
    :) Are you around Dantz?

    Let me deeply thank you, one more time and so on and on...
    Such a nice person you are :)
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Sorry, I've been backlogged, plus my production PC broke down and I had to rebuild it. But I'm back now. So how did you manage to get all of your data back? That's wonderful news!
     