Please help with another case of deleted partition & truecrypt

Discussion in 'encryption problems' started by caspertone2003, Dec 23, 2013.

  1. caspertone2003

    caspertone2003 Registered Member

    Joined:
    Dec 23, 2013
    Posts:
    5
    Hello,
    I read as much as I could and now I am quite confused.
    I did not find an exact situation in the forum.

    Before "event"

    Portable with 298GB HD with 4 primary partitions.
    P1: 13GB, Acer items, boot, D2D, ...
    P2: 100MB, boot folder and bootmgr
    P3: 73.2GB, Windows 7 64-bit components
    P4: 205.07GB, user data
    6.67GB unassigned
    After partition creation, pre-boot encrypted, TC 7.1a
    (I believe P3 and P4 were NTFS ...)

    "Event": pc does not boot; recovery non functional.
    Unfortunately, no rescue disk.

    Actual situation:

    I built a CD with UBCD4Win with TC 7.1a; I am able to boot the PC from CD.
    I remember the pre-boot authentication TC password; so I am able to mount without pre-boot authentication P1, P2 and P3. P4 is not appearing in TC open window.

    Disk management shows:
    P1, 13GB, right status, unknown partition
    P2, C, 100MB, right status
    P3, E, (D is currently a USB disk), 73.24GB, right status
    205.07GB, available (a green box is displayed in this zone)
    6.67GB, unassigned

    (as the former P4 is not identified as a partition, I cannot mount it without pre-boot authentication with TC ...)

    I am finishing a full drive security copy ...

    I am not sure what caused the situation; P4 unavailable (perhaps an MBR entry deleted?) and why the system does not boot (P1, P2 & P3 contents do not "look" damaged ...); could be a HW fault (no problems making the salvage of a current image) but more probably it is the effect of some kind of f*ckware ...

    So, I imagine I have two issues here,
    1- recover user data, P4
    2- recover Windows booting ... (at worst, I have a 7-month-old unencrypted Acronis image of P2)

    I am really unsure of how to proceed. I believe major steps should be
    a) recover P4
    b) undelete HD
    c) try to recover system (or image back old copy).

    I am ready to use WinHex and the like, but would need step-by-step guidance, as I am quite confused about how TC works (master keys, their copies, etc.). I imagine that the first move would be to create an entry in the MBR for P4; somewhere the information about start-end must be there, as Windows is able to clearly identify where it was ...

    P4 contains (contained?) all photographs of my daughter; at least she has a backup dated last February, but if P4 is lost she will lose almost all of 2013 ...

    I will be rather grateful!!!

    CT

    Note: I tried to follow https://www.wilderssecurity.com/showthread.php?t=352126 and other threads but to no avail ...
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    From your description I'm assuming you have a fully-encrypted system disk, not merely an encrypted system partition.

    Are you sure your 4th partition isn't an extended (but still primary) partition that contains a logical drive? Windows commonly sets things up that way when you create 4 partitions.

    If so, be informed that TrueCrypt's "mount without preboot authentication" command cannot be used to mount extended partitions or any logical drives that they may contain.

    I'm just guessing here, so I'm not sure if this will work or not, but try using UBCD4Win to examine your unmounted drive. Even though most of your system drive is encrypted, the boot sector & the partition table will not be, so those items should still be readable. When the disk is viewed this way, does Disk Management show all 4 partitions? (I expect that all of the partitions will appear to be unformatted, since they are fully encrypted). Can you confirm that all 4 are primary partitions and that there are no logical partitions present?

    If we can't figure this out then you will probably have to decrypt the drive before you can make any further progress. Even though you don't seem to have the correct TC rescue disk, it's possible to use a different one for this task, as long as you are very careful NOT to use the disk to restore the bootloader or the key data. However, don't try it yet, as it takes practically forever to do it that way and there are certain risks involved.
     
  3. caspertone2003
    Thank you Dantz for your fast reply.
    I have read several threads where you guide other chaps to solve their similar problems, but I did not find anyone who was using pre-boot encryption. I tried to understand the mechanics of WinHex, diskpart, the test file way, ... (a little lost regarding the offsets, and backing up headers ...).

    I had the impression that dd'ing P4 was not going to render back my data so easily; you know, pinpointing to this topic of TC not handling offline extended partitions with pre-boot authentication ...

    Answer and info:

    Yes, I have a full HD encryption, pre-boot authentication.

    I believed P4 was a primary partition. When I built the system, I tried to have a primary partition, but now it looks like I built an extended partition with a single logical one. It looks so because:
    a) TestDisk states it is E extended (I am now using TestDisk to create an image.dd, so to try to rename it to P4.tc and try to open it with TC ...)
    b) W7 Disk Manager identifies this space as a separate entity, with its assigned space, claims it to be available to "create" a logical partition ...

    I cannot select that as a partition in TC to open it as "mount without pre-boot authentication", so this reinforces the point that it is an extended partition.

    Now I imagine that I would not be able to open P4.tc with TC either ... (will try anyway).

    I confirm that there are three primary partitions and what looks like an extended partition. Probably inside the extended one there is a logical partition, but under UBCD4Win I cannot see it.

    I do not have any rescue disk at all (for either this PC or another), but if needed I can encrypt another PC with pre-boot authentication and create a rescue disk. Should there be a simpler, less time-consuming way, it would be nice, but I was unable to get a Google match to download one ... ideas welcomed ...

    I continue trying to back up the disk / all partitions with a dd-alike thingy (currently TestDisk) but I have not been successful as yet (I tried diskimage but it failed miserably at 92% some 8 hours after starting). I had tried SystemRescueCD and Ubuntu 13.10 live but they do not boot in this PC (do not know why). I just downloaded bootmed to give it a try (if TestDisk fails).

    I can also try to image the HD with live cd acronis true image; I am unsure that it will be able to handle encrypted partitions but should be able to make clone images. And I have a 2TB disk free to keep copies ...

    Please let me know how to decrypt the full HD under these conditions. Encryption was convenient for a long trip abroad that my daughter did, but not anymore, so it is an interesting approach.

    Question: as I am able to open P1, P2 and P3 offline with TC, the headers must be stored somewhere (I use only one password); is/are there one or three different headers in my case? How can I back them up? Can those be used to "patch" a "foreign" rescue disk?

    Another approach could be to image back P1, P2 and P3. Although one year old, they will work and perhaps allow me to recover P4 ... (my initial problem is that W7 is not able to boot ...).

    Thanks again,
    CT
     
  4. dantz
    Most of my various "WinHex tricks" that you've seen in these forums won't work with full-disk system encryption. The partitions on a fully encrypted system disk are not free-standing entities with their own volume headers, rather, they all rely on the system volume header (usually found in physical Sector 62) to decrypt their contents. The volume header on your disk is still good, otherwise your password would not have been accepted when you used the "mount without PBA" command, so be careful not to break it, especially since you don't have a rescue disk to restore it with. (Although a full sector-by-sector clone should be an adequate backup.)

    I think that decrypting your entire disk would be the simplest way of getting TrueCrypt out of the picture so you can focus on your remaining problem(s). You don't need to use your original rescue disk for this particular task. Also, be aware that it's possible to create another TC rescue disk without actually encrypting another computer. All you have to do is follow the procedure up to the point where you burn the new rescue disk, and then back out (cancel) before initiating the actual process of encryption. If you back out right at that point then the only changes that will be written to the drive will be 512 bytes (the system volume header) written to Sector 62. Normally this sector is not used for anything, so replacing its zeros with a few random bytes shouldn't cause any problems. I've never seen any ill effects from doing this. I suppose you could always check (using a hex editor) if you were worried that there might be something there.

    Or, if you have access to another Windows 7 computer that is already set up with TC system encryption then you should be able to create a second rescue disk from within the TrueCrypt interface by using the "System: Create Rescue Disk" command.

    PS: If possible I suggest that you use a different password when you create the new rescue disk, just to avoid any potential confusion. And when you boot to the rescue disk, always use your existing password, not the new password that the disk was created with. The new volume header on the new rescue disk should be ignored and never used for anything.

    Note: Since your OS is Windows 7, I suggest you do not create your alternate rescue disk using a Windows XP system. I don't know if it would actually matter in this particular situation, but I do know that the disks for the two OS's are set up a bit differently.

    Once you have the rescue disk, boot to it and follow the prompts to decrypt your system disk. I forget the exact details, but the menus are brief and it's not hard to find. (Make sure you use your original password, not the password that was used to create the disk). Whatever you do, be careful not to use the new rescue disk to restore the "Key Data", as this will wipe out your disk's only valid copy of the system volume header and will replace it with an invalid one. Also, don't use the disk to restore the TrueCrypt bootloader or the original Windows bootloader, as they won't be the right ones for your system.

    Two potential problems with system decryption via the rescue disk:
    1) It's horribly slow. Based on the size & speed of the disk, it can take up to a full day or even several days.

    2) If there are any bad sectors on the disk, really bad ones that for some reason can't be skipped, then the process is likely to "freeze" and you will be stuck for eternity with a half-decrypted and almost fully useless disk. (And be warned that the "mount without PBA" command cannot mount a partially-decrypted disk at all.)

    As long as you have a good backup you should be relatively immune from the effects of issue #2. Good luck!
     
  5. caspertone2003
    Thank you Dantz again!

    I was unable to open the dd-imaged P4 as a file with TC. As you explained, the volume header is not there, as it is in the system volume header ...

    I will try in a W7 PC the trick to create the rescue disk, as per your indications.

    Should I be able to make a disk clone to an external HD, I will try to do a full disk decryption on that new disk immediately ... this was my last idea when I finished writing this post ...
    (later edit: after several trials to do a disk clone, the most effective free tool, with an ISO live CD provided, that I found is http://www.osforensics.com/tools/create-disk-images.html)

    = = = = = = = = = = = = = = = = = =

    Previously I had thought of the following ideas ...

    While full disk decryption looks promising and easy, I am frightened, not by the time (I am getting used to that ...) but because TestDisk found several read errors while making the dd image of P4 (but finished without crashes); P1, P2 and P3 finished OK without errors. Also Acronis complained of errors. I am not fully happy with the backups (read below).

    Before jumping into the full disk decryption,

    1- Can I safely use any tool to check the surface of the HD or to repair/mark bad sectors? (safely means without breaking anything TC related ...)

    If such risks cannot really be avoided, I would be weighing other options before full decryption, such as trying to open the W7 partition (P3) with TC without pre-boot encryption and tweaking it to try to boot it [there are some indications of how to use "previous" good configurations, or else replace the full P3 contents with the decrypted backup copy of several months ago. This could allow me to boot the system and perhaps recover P4 (my maximum objective ...)]. The problem is ... that that would not correct boot sector problems (TestDisk complained that the P3 boot sector status is bad, as well as the backup boot sector, and both are not identical ... TestDisk offers to rebuild ... but ...?)

    2- Do you think such approaches could be viable?


    Backups
    =======

    Anyhow, first of all I need to have a usable backup of the HD; I mean one that I can manipulate, and that I can write back to the HD in case of breaking anything. I would like to have:

    - full HD image (sector by sector)
    - full partition images, as current and of their contents in clear. Sector by sector, and, if possible, such that contents can be viewed/extracted (if not encrypted, obviously)
    - initial part of HD (MBR, partition table, TC system volume header, etc.)

    Presently I have had mixed results:
    - diskimage (roadkill) included in UBCD4Win did not finish the full HD image, failed to save the last part of P4 ...
    - Have dd images of encrypted P1, P2 and P3, no errors, done with TestDisk 6.1.4 (I will stick to this, as the SystemRescueCD and Ubuntu live CDs were unable to boot; I have bootmed ready but it seems not to be necessary).
    - Have a dd image of P4, with errors ...
    - Acronis True Image 17.xx crashed with any imaging operation I tried.
    - I had prepared copies of Clonezilla live, but I am not a *nix kiddie. Also have had a look at DriveImage XML but I think I will see if I can try Macrium Reflect. I would kill for being able to have a full sector-by-sector backup that I am sure I can write back to the HD ... not losing the MBR, system volume header, etc. A disk clone would be ... ideal!!

    3- Can you advise of any tool to back up the initial part of the HD? I know some that will save the MBR/partition tables, but what about the TrueCrypt boot code and the partition volume headers?

    4- Could a backup of the partition volume header be made? How? Perhaps with WinHex? How can I locate the partition volume header? [later edit: no easy way and no future use, see PD below]

    Opening dd'images
    =================

    I tried to open P1.dd and P4.dd as files using TC. It complained: wrong password / not a TrueCrypt volume ... clear, there are no partition volume headers ...

    5- Could it be possible to join that partition volume header with the dd images to be able to open them with TC? [later edit: no way, see PD below]

    Conversion of P4 from extended to primary
    =========================================

    I really do not understand how TC encrypts extended partitions. I did locate on their web the "limitation" that extended partitions cannot be opened using "without pre-boot encryption". I am not sure whether this is a SW limitation or an impossibility resulting from the TC architecture ... the first case would be solved with a SW patch, the second not. But I am not able to post in the TC forum as I do not have a paid email box ;-)

    I found at least two tools that claim they can convert an extended partition to primary: this one
    http://www.rodsbooks.com/fixparts/ and also EaseUS http://www.partition-tool.com/easeus-partition-manager/convert-logical-to-primary.htm

    6- Would this make my P4 accessible to TC "without PBA"? [later edit: no way, see PD below]

    Thanks again ...

    TC

    PD: in a later edit

    I read carefully about the encryption scheme in http://www.truecrypt.org/docs/encryption-scheme
    It states that "The first 512 bytes of the volume (i.e., the standard volume header) are read into RAM, out of which the first 64 bytes are the salt (see TrueCrypt Volume Format Specification). For system encryption (see the chapter System Encryption), the last 512 bytes of the first logical drive track are read into RAM (the TrueCrypt Boot Loader is stored in the first track of the system drive and/or on the TrueCrypt Rescue Disk)" ... and continues ...
    What I do understand, for system encryption, is:
    - The standard volume header ... is read into RAM from "the last 512 bytes of the first LOGICAL DRIVE" (I wonder where it will be if there is no logical drive ...)
    - The TrueCrypt Boot Loader is stored in the first track of the system drive
    - TrueCrypt attempts to decrypt the standard volume header; if successful, the primary master key and the secondary key (XTS mode) are retrieved from the decrypted volume header
    So ... afaiu ...
    1- keys are not at the start of the HD, but INSIDE the logical drive
    2- better NOT to mangle with the extended partition or I will lose the keys to the volume ...
    3- wtf, do not use extended partitions in TC system encrypted disks!!!

    Looks like some of my questions above are already answered ...

    CT
     
    Last edited: Dec 24, 2013
  6. dantz
    I read all of your previous thoughts & adventures. I could comment on the various merits & failings of each approach, but I don't have time right now. Oh ok, very briefly:

    1. I wouldn't recommend it. It's much safer to clone the entire disk before trying to "fix" it.

    2. No.

    3. As for backing up all of the data in Track 0 (the first 63 sectors including the MBR, partition table, TrueCrypt bootloader and TrueCrypt volume header), I just use WinHex to copy the whole thing (which is usually included under "Start Sectors") to a file. Select the desired block and then "Edit: Copy Block: Into new file". Whatever portions you need can be hand-pasted back in later on if needed. I'm sure there are more elegant solutions, but I haven't really looked into them. Cloning the entire disk should also work, of course, unless Track 0 contains bad sectors. Incidentally, Track 0 is likely the only portion of your disk that isn't encrypted.

    4. Since you are using full-disk system encryption, none of the partitions have TC volume headers (unless you also encrypted your partitions separately, but if you did then I think you'd already be experiencing that right now, except for the 4th partition, which is currently inaccessible.)

    5. You mean by using the system volume header with the individual partitions? Tricky but doable, except for the fourth partition which I'm not sure how to handle.

    6. That's an interesting approach, but I doubt if those tools would work under these conditions. Don't they need access to the partition? I'm pretty sure that at the very least they would need to write new partition boot sector code.

    Notwithstanding any of the above, I think you're currently on the right track. Since your HD's physical health is questionable, the safest approach is to make a sector-by-sector clone of the entire disk and then attempt to decrypt the clone by booting it from the TC rescue disk.

    If your cloning software has difficulty handling the bad sectors then you might want to try using ddrescue (on the Trinity rescue kit), as it was specifically designed to deal with this situation. Although actually, I am a little surprised that roadkill had problems. Sure you had it set up correctly?

    The decryption of the entire disk needs to run in serial order from back to front, according to the "scope of encryption" (the size of the encrypted area in bytes) and the encryption starting point (the starting offset), both of which are stored inside the TrueCrypt volume header. The overall size of the volume needs to remain the same and the data on the disk needs to remain in exactly the same order, otherwise the data will not decrypt past the point of alteration. In other words, the only correct approach, which you are now doing, is to make a sector-by-sector clone of the entire disk. It's ok to replace any bad sectors with zeros (or whatever other filler you wish to use) if you must, but you can't leave any "gaps" in the disk or it will break the encryption.

    Backing up your individual partitions separately probably won't be that useful. It would be difficult (but not impossible) to decrypt them as stand-alones, and if you attempted to reassemble them to recreate the original disk then you would have to worry about any unaccounted partition gaps (i.e. unallocated space) that might have been present, as these would alter the total size of the disk.

    At least your volume header is still good, so you can be thankful for that.
     
    Last edited: Dec 24, 2013
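An added example, not from the thread or from TrueCrypt: a small Python tool that does the two checks dantz asks for on a sector-by-sector clone or dd image, namely listing the MBR partition table so an extended container (type 0x05/0x0F) stands out, and saving Track 0 (the first 63 sectors, with sector 62 where the system volume header lives) to a file. The image path and output name are assumptions; the sample image is constructed in memory to resemble the layout described in the thread.

```python
"""Inspect and back up Track 0 of a raw disk image (added example)."""
import struct

SECTOR = 512
TRACK0_SECTORS = 63            # MBR + hidden sectors; TC system header at LBA 62
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, Win95 extended (LBA), Linux extended


def parse_mbr(mbr: bytes):
    """Return the non-empty MBR partition entries as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        start_lba, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0:            # unused slot
            continue
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "start_lba": start_lba,
            "sectors": sectors,
        })
    return entries


def track0_report(image: bytes):
    """Partition table plus whether sector 62 (TC system header slot) holds data."""
    track0 = image[:TRACK0_SECTORS * SECTOR]
    sector62 = track0[62 * SECTOR: 63 * SECTOR]
    return {
        "partitions": parse_mbr(track0[:SECTOR]),
        "sector62_nonzero": any(sector62),
    }


def save_track0(image_path: str, out_path: str) -> int:
    """Copy the first 63 sectors of a raw image to a file; returns bytes written."""
    with open(image_path, "rb") as f:
        track0 = f.read(TRACK0_SECTORS * SECTOR)
    with open(out_path, "wb") as out:
        out.write(track0)
    return len(track0)


def build_sample_image() -> bytes:
    """Constructed sample: three primary NTFS partitions, one extended container,
    and a few non-zero bytes in sector 62 standing in for a volume header."""
    mbr = bytearray(SECTOR)
    layout = [(0x07, 2048, 1000), (0x07, 3048, 200),
              (0x07, 3248, 5000), (0x0F, 8248, 10000)]
    for i, (ptype, start, count) in enumerate(layout):
        off = 446 + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00      # first entry marked bootable
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(TRACK0_SECTORS * SECTOR)
    image[:SECTOR] = mbr
    image[62 * SECTOR: 62 * SECTOR + 16] = bytes(range(1, 17))
    return bytes(image)


if __name__ == "__main__":
    for p in track0_report(build_sample_image())["partitions"]:
        kind = "EXTENDED" if p["extended"] else "primary"
        print(f"#{p['index']} type=0x{p['type']:02X} {kind} "
              f"start={p['start_lba']} sectors={p['sectors']}")
```

Point `save_track0` at a clone such as the one made with osfclone to keep a copy of the MBR, TrueCrypt boot code and system volume header together; only the whole-disk clone, not the Track 0 copy alone, is what the rescue-disk decryption needs.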
  7. caspertone2003
    Thank you again for your reply, even more in this busy time of the year.

    Surely you are fully right that I am lucky that the volume header is intact.

    Just a short "status report"

    I am following the track to trying to decrypt the HD.

    osfclone.iso took more than one full day to clone the HD from the PC to an outside Sata-3.5"-HD mounted via USB. There were quite a lot of retrials in the P4 (user data one), but it finished the work. I checked the clone in another W7 PC, track 0 was fully copied without any bad spot. On the user side, I am unsure how big is the damage ...

    I tried to fit the cloned HD in the PC, but the form factor did not let me connect it cleanly. I dismounted the electronics, but finally the PC was unable to recognize it or the rescue disk was not seeing it. I also tried to mount the clone in yet another desktop but it was not recognized either (the desktop motherboard is only able to recognize SATA-1 HDs, not SATA-2, and the disk has no jumper-selectable speed).

    Anyhow, as the portable HD is so damaged I had to purchase a new 2.5" one, so I did, and now I am cloning to the new one. At 35M/s, and as there are no bad spots now, this will be 3 hours ...

    Then, I will try the decryption with the rescue disk ...
    [later edit: As Dantz advised, it is going slow ... some 1.8MB/s, which would imply 2 days for the 320GB disk ...; not finished at the time of writing this update]


    CT
     
    Last edited: Dec 27, 2013
  8. caspertone2003
    Thank you Dantz for all your help.
    It took 2.5 days decrypting the HD.
    Finally I was able to recover P4! By the way, there were two logical disks inside (I had forgotten).
    I will be imaging back last February's backup of the system partition as the system is not booting ... but this is now a completely different topic.

    Good 2014

    CT
     
  9. dantz
    Congratulations! And yeah, good 2014!
     