Quick format of TrueCrypt 80GB partition on 500GB drive...close to recovery. Help please.

Discussion in 'encryption problems' started by Tedley, Apr 4, 2015.

  1. Tedley

    Tedley Registered Member

    Mar 19, 2015
    To any and all who have knowledge that may help my situation.

    Firstly, please keep in mind my typing is bad... OK, horrible.

    Secondly, I need this data at any cost (not far from the truth). I just trashed 10 years of data.

    Any help or comments would be much appreciated. I have searched, read and re-searched any information on quick format and TrueCrypt.

    OK... yeah, I have done what others have done and it is not pretty. I believe I am close to recovering the data, but am unsure as to how to find out if I am correct.

    So, I have a Western Digital 500GB drive (non-OS, primary) that I partitioned to about 385GB and 80.5GB (total usable size is 465GB). The 80GB partition was then encrypted with TrueCrypt 7.0. Everything was fine until I quick-formatted the 80GB partition (unmounted? I don't remember). At the time I was thinking it was a small zone that was left over from something else. I used Acronis Disk Director 11 to quick-format, in case it is of any help. I did not even realize I had done this until three days later, but hopefully, since this is not an OS drive and since I use a 120GB SSD for my boot (defrag schedule is turned off, no drive is ever defragmented), nothing serious changed in those three days.

    After looking at a lot of posts, I bought WinHex (X-Ways Software). I made a sector-by-sector clone using WinHex of the complete drive onto another 500GB drive, I used WinHex to make a complete file (copy block to file, using the .tc file extension) of the drive, and I also used the Acronis True Image boot rescue in boot mode to make a 2nd drive clone, just in case some programs are different. These I use to try and recover the encrypted drive while leaving the original alone.

    Information and background:

    1-I believe when I split the drive into two partitions (Disk Director 11) and encrypted the smaller portion, I used all standard TC settings like FAT, but I cannot be sure; it was 3 years ago.

    2-With the cloned hard drive, I can see both the 385GB and the 80.5GB as logical volumes/partitions. The 80.5GB partition starts at 413,716,709,376 and ends at 500,107,837,439. This turns out to be 86,391,128,064 bytes.

    3a-If I make a 25MB test file using the start of the partition [logical volume/partition... partition 3, starts at 413,716,709,376], which should be the start of the encrypted data, it mounts the test file using my password and without needing to restore the header from an internal or external source. The size of the data from the start of this partition to the end, where the next region is listed as unpartitionable space (near the end of the drive), turns out to be exactly the correct size (86,391,128,064), which TC properties lists for the test file as 86,390,865,920 plus the four headers of 262,144.

    3b-If I load the 80.5GB physical media and make a test file (25MB) from the start (at byte zero), it also mounts without any need for header restoration. It too is the exact correct size with the four headers (86,391,128,064). This drive seems to have no readable data visually when viewed in WinHex, just all garbled. Anyone know why in physical media it shows this as partition 3, but in TC it is \device\harddisk3\partition 2? I really do not know much about hard drives. Partition conflict?

    4-Neither logical nor physical media will mount a 25MB test file made by going backwards in sectors from what should be the correct end point. Do I need to find the correct end point? Should this not be the correct end, since it is exact to the byte?

    5-Mounted files appear to decrypt the data, since they show readable characters (such as sector 1 of the physical media test file yielding "...NTFS...disk error occurred BOOTMGR is missing...", sector 2 yielding "B O O T M G R $ I 3 0..." and later on in sector 24 "...!"#$%&' ( ) * +, 0123456789...ABCDEFGHI...." etc.). In theory the data is decrypting, but I am missing something? Recovery software like R-Studio and Recuva do not find any data. Am I the wrong distance from the correct start to correctly decrypt the partitioned data?

    6-Writing a sector-by-sector file of the correct size (down to the byte) of either the logical volume partition or the physical drive will mount using the password only, but is empty, and recovery software indicates no data on deep scans. If I restore the MBR using TestDisk, the drive recognizes a partition and then becomes mountable without the need to make a test file from WinHex, but again shows no data found with R-Studio or Recuva.

    I almost feel I am missing something simple and stupid here, or that the shell of what used to exist is here and I am chasing ghosts. What don't I understand? This is why I need help.

    If I left anything out please feel free to ask me.

    Thanks in advance,

  2. Tedley

    Tedley Registered Member

    Mar 19, 2015
    OK, so the ability to update my post seems not to be an option now when logged in; it was two days ago or so. I am left with replying to my own post in order to update it.

    I was wrong about (6) with restoring the MBR. A freshly cloned drive would mount the encrypted drive, but shows no data and cannot recover any data. Also, the volume seems to be decrypting as stated in (5), but it seems the drive was mounted at the time, and this is why the quick format placed the NTFS data at the start of this partition.

    A test of a 500GB drive zeroed out, formatted (NTFS), split into two partitions, with one partition (FAT32) of 80.46GB encrypted, yielded interesting results. After I made the encrypted partition, I placed some small files into the drive, dismounted it and quick-formatted it with Acronis Disk Director 11. It removed 69,632 sectors from the start of the encrypted partition. Since an untouched clone does not have this deletion and it contains an NTFS file structure when mounted as a test file, it is likely to have been mounted at the time. Even with the quick format, TestCrypt was able to find the encrypted partition. I restored the backup header, TestCrypt mounted it and the data files were intact. So, there is no data stored in the first 69,632 sectors.

    As far as I can tell so far, I have a partition conflict, that may or may not prevent me from recovering the data.

    TestDisk initial results:
    (attachment: testdisk image1.png)

    Examination of the mounted partition:
    (attachment: testdisk partition conflict.png)

    I am unsure as to how to resolve the above conflict found by testdisk or what to do with it.

    Does anyone know the best way to remove the NTFS file structure installed during the quick format, which seems to still contain the FAT structure? TestDisk shows a bad NTFS or exFAT partition at the correct location, i.e. the start of the encrypted partition.

    Any help or a point in the right direction would be helpful.
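The arithmetic in items 2 and 3a of the first post (partition size minus 262,144 bytes of headers) and the backup-header restore in the second post both follow from the TrueCrypt 6.x/7.x on-disk layout: a 64 KiB volume header, a 64 KiB hidden-volume header slot, the data area, then a 64 KiB backup header and a 64 KiB hidden backup header slot at the very end of the volume. The script below is an added example for this thread, not code from the poster or from the TrueCrypt project. It maps those slots for a volume at a given offset, classifies each slot by whether it still looks like ciphertext or has been overwritten by a plaintext boot sector (what a quick format of the raw partition leaves at the front), and carves byte ranges the way WinHex's "copy block to file" does. The 4 MiB image, the "quick format" it applies and the cut-off of 256 sectors are all constructed for the example; the thread's measured figure was 69,632 sectors on a real drive.

```python
"""Map and sanity-check TrueCrypt header slots in a raw disk image.

Constructed example, not the poster's or TrueCrypt's own code.  Assumes the
TrueCrypt 6.x/7.x layout: 64 KiB volume header, 64 KiB hidden header slot,
data, 64 KiB backup header, 64 KiB hidden backup header (4 x 65,536 =
262,144 bytes, the figure subtracted in the thread).  Headers are encrypted,
so without the password this only tells you whether a slot still looks like
ciphertext or has been overwritten by a recognisable plaintext structure.
"""
import io
import math
import random
from collections import Counter

HEADER_SIZE = 65_536                   # one TrueCrypt header slot
TOTAL_HEADER_BYTES = 4 * HEADER_SIZE   # 262,144
SECTOR = 512


def volume_layout(start, length):
    """Absolute half-open byte ranges of each region of a volume that
    occupies [start, start + length) on the disk."""
    if length < TOTAL_HEADER_BYTES + SECTOR:
        raise ValueError("region too small to hold a TrueCrypt volume")
    end = start + length
    return {
        "volume_header": (start, start + HEADER_SIZE),
        "hidden_header": (start + HEADER_SIZE, start + 2 * HEADER_SIZE),
        "data": (start + 2 * HEADER_SIZE, end - 2 * HEADER_SIZE),
        "backup_header": (end - 2 * HEADER_SIZE, end - HEADER_SIZE),
        "hidden_backup_header": (end - HEADER_SIZE, end),
    }


def shannon_entropy(buf):
    """Bits per byte: ciphertext approaches 8.0; boot sectors and zeros are far lower."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_region(buf):
    """Label a header slot by its first sector's boot signature, else by entropy."""
    boot = buf[:SECTOR]
    if len(boot) == SECTOR and boot[510:512] == b"\x55\xaa":
        if boot[3:11] == b"NTFS    ":
            return "ntfs-boot-sector"
        if boot[3:11] == b"EXFAT   ":
            return "exfat-boot-sector"
        if boot[82:87] == b"FAT32" or boot[54:57] == b"FAT":
            return "fat-boot-sector"
    if buf.count(0) == len(buf):
        return "zeroed"
    return "ciphertext-like" if shannon_entropy(buf) > 7.9 else "plaintext-like"


def inspect_volume(disk, start, length):
    """Classify the four header slots.  `disk` is any seekable binary file:
    an open raw image, a BytesIO, or a physical device node."""
    report = {}
    for name, (lo, hi) in volume_layout(start, length).items():
        if name != "data":
            disk.seek(lo)
            report[name] = classify_region(disk.read(hi - lo))
    return report


def recovery_hint(report):
    """Which header TrueCrypt could still use, judged from what survived."""
    if report["volume_header"] == "ciphertext-like":
        return "volume header slot intact: mount the carved region as-is"
    if report["backup_header"] == "ciphertext-like":
        return "volume header overwritten: mount with the embedded backup header, then restore it"
    return "both header slots damaged: an external header backup is required"


def carve(disk, offset, length, out=None):
    """Copy [offset, offset + length) in 1 MiB chunks (WinHex's 'copy block to
    file' without loading a 500 GB image).  Writes to `out` if given, else returns bytes."""
    sink = out if out is not None else io.BytesIO()
    disk.seek(offset)
    remaining = length
    while remaining:
        chunk = disk.read(min(remaining, 1 << 20))
        if not chunk:
            raise EOFError("image ended before the requested range")
        sink.write(chunk)
        remaining -= len(chunk)
    return length if out is not None else sink.getvalue()


# --- constructed 4 MiB test image standing in for the cloned 500 GB drive ---
VOL_START, VOL_LEN = 1 << 20, 2 << 20       # volume at 1 MiB, 2 MiB long


def build_disk(seed=2015):
    """Zeros outside the volume, seeded pseudo-random bytes inside it as a
    stand-in for ciphertext (constructed data, deterministic for repeatability)."""
    rng = random.Random(seed)
    body = rng.getrandbits(8 * VOL_LEN).to_bytes(VOL_LEN, "little")
    disk = io.BytesIO(bytes(4 << 20))
    disk.seek(VOL_START)
    disk.write(body)
    return disk


def simulate_quick_format(disk, start, sectors=256):
    """Model a quick format of the raw partition: an NTFS boot sector at the
    volume start, zeros for the following sectors (assumed cut-off; the thread
    measured 69,632 sectors on a real drive, scaled down here to fit the image)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"             # jump instruction NTFS boot sectors begin with
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    disk.seek(start)
    disk.write(bytes(boot) + bytes((sectors - 1) * SECTOR))
    return disk
```

Against the thread's real image the call would be `inspect_volume(open("clone.img", "rb"), 413_716_709_376, 86_391_128_064)`, and `volume_layout` with those two numbers gives a data area of exactly 86,390,865,920 bytes, the size TC properties reported for the carved test file. If the front slot comes back as a boot sector but the backup slot is still ciphertext-like, the backup header sits in the last 131,072 bytes of the carved partition image, which is what TrueCrypt's "use backup header embedded in volume if available" mount option and the header-restore tool read from.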