Raid 1 array deleted, lost truecrypt partition

Discussion in 'encryption problems' started by ease, Jul 13, 2013.

Thread Status:
Not open for further replies.
  1. ease

    ease Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    7
    Location:
    United States
    Ok, I've been at this for a week. Here's a quick timeline :

    (2) 2TB disks in hw raid 1 on marvell 9128 controller, non system drive

    Entire volume encrypted in truecrypt no recovery disk or anything created, just know the password

    Updated (stupidly) raid firmware

    Windows 8 no longer can see raid controller/disks (try to fix to no avail)

    Break array hoping to boot to individual disks with partitions intact, nope

    Now have two empty disks with unallocated space (did not format or touch at this point)

    Use testdisk to attempt to repair partitions, tried it 100x different ways, never successfully get my drive structure back

    In one test disk attempt, ended up with a 250gb sized partition on the drive, could not mount or anything with truecrypt

    Tried active partition recovery, and a few other programs trying to restore the volume to no luck. Never tried to mess with the data or anything like that, hopefully I still have header info on at least one of the discs


    I'm in way over my head here, and I need help, have photos on here that mean the world to me and my family. What should I be doing? I'd be willing to pay for any help.
     
    Last edited: Jul 14, 2013
  2. ease

    ease Registered Member

    So I tried opening the disk in winhex, finding the first sector with random data and copying a portion of it to a file. I am able to mount the file with truecrypt. When I try to view it, there is no file structure. I opened the mounted file in winhex, and I see some data and lines about a damaged MBR, and then a bunch of 'unreadable sectors'.

    Is this a sign that the encrypted data is intact? What should I do to recover it?

    Ideally I would like to modify the disk so I can just remount it again and get the photos I need from it. Is it possible just to edit the hex data on the disk so that the selected block is moved to the first sector and then is mountable?
     
    Last edited: Jul 14, 2013
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    OK, that's normal behavior for the situation. The purpose of the test you just described is to locate and confirm the presence of an intact TrueCrypt header, and apparently you have found it, so that's a good start. Embedded generic error messages are normally found in the first sector of a functioning volume, and the 'unreadable sectors' error messages are expected in this case. They merely mean that TrueCrypt's header is reporting a much larger volume size than WinHex is able to find (because you only copied a very small piece of the volume when you created the test file).

    Most likely your data is intact and recoverable, although it will take some technical know-how to accomplish this.

    The first step should be to take one of the two RAID1 disks and set it aside as a backup, just in case you screw up the other disk.

    What is the actual physical offset of the TrueCrypt header on the physical disk? If it's located conveniently (for example, at the standard location 100000 hex, or 1048576 decimal) then the simplest approach would be to create (but not format) a new partition that begins at exactly that spot.

    If that can't be done (because the header's starting location can't be easily used as the starting offset of a new partition) then another approach would be to use WinHex to block-copy the entire encrypted volume (starting at the beginning of the TrueCrypt header) and use WinHex to save the entire huge block of data as a file. (It's just a much bigger version of the test file that you already created.) The resulting file should be mountable by TrueCrypt, and if you're lucky (i.e. if nothing important has been overwritten) then the file system should still work. However, if the volume mounts but the file system is damaged then you will need to use data-recovery software such as getdataback or photorec on the mounted volume.

    This option will require a large amount of formatted free space on a separate disk, but I suggest you resist the temptation to use your other RAID1 disk, as it's your only backup.
    Using WinHex to move the data to a different location on the same disk is doable, but it's hard to move gigantic chunks of data that way. It's easier and safer just to copy the desired data onto another disk.
     
  4. ease

    ease Registered Member

    Thanks for replying! Yes I agree I do not want to touch the second disk. I have disconnected it while messing with the first disk, although after failing to find any partitions with testdisk on the first, I did do some searching on the second and had no luck obviously.


    The truecrypt header is located at 152043520 decimal, and ends at 1999323004927. Edit : So when switching to hex, I notice it's at 00009100000. Is an even hex like that something that a partition could start at?

    http://i.imgur.com/oRyZ4Kd.jpg

    The block is 1.8tb if I try to copy it, and I get an error saying you don't have enough ram.

    http://i.imgur.com/sHgHEd0.jpg

    I did not know that partitions need to be at certain offsets, and last night I was trying to figure out how to create a partition starting at 152043520 but I never got anywhere and never tried writing anything to the disk. I will most certainly go out and buy a drive if I need to, do not want to risk hurting the other one.
     
    Last edited: Jul 15, 2013
  5. ease

    ease Registered Member

    Dantz I'm sorry but I went ahead and searched around for creating a partition with an offset of 145mb, actually found another of your posts with the method and tried it.

    Well, at first I could not mount the volume in truecrypt, but then I restored the header I had grabbed from the test in winhex and it worked. All my files are there.

    I don't know how to thank you enough. I would love to buy you several beers somehow. Let me know if I could paypal you a humble token of my gratitude.

    You seem to have helped save many people's important data with your help, and this is some very important stuff to me, 7 years of my kids' pictures! I can't tell you how priceless it is to me.

    Now to back it up proper, as I've learned my biggest lesson here. A raid 1 is not a backup!
     
    Last edited: Jul 15, 2013
  6. dantz

    dantz Registered Member

    Well, I'm fairly amazed. I don't recall posting how to do that, in fact, I'd really have to work at it to make that happen, as most programs don't allow you to easily pinpoint the location of a new partition, and manually editing the partition table is even less fun. Mind telling me how you did it? Did you use TestDisk by any chance? Or a WinHex partition template? Diskpar?

    I had a whole alternative solution worked out and I was just going to post it when I read your post. (It involves using WinHex's Disk Clone feature to selectively clone the desired data into a new partition on another disk. So far I've got it working, but it needs some refinement before it will be easy to use.)
     
  7. ease

    ease Registered Member

    Sure, so in this post you had Rakoen create a partition with an offset of 1024 for 1048576 dec.

    So I divided my offset of 152043520 by 1048576 to find it at 145mb, or a 148480 kb offset. I followed the same procedure with diskpart, just substituting my offset for his.

    After verifying all the files I wanted were available, I did the same thing again to the second drive, and it worked exactly the same. I again had to restore the header extracted from the winhex file, but everything works.
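
Added example, not part of any post in this thread: a Python sketch of the steps discussed above, finding the first random-looking sector, converting its byte offset to the KB value used with diskpart, and streaming the volume to a file in fixed-size chunks so the 1.8 TB block never has to fit in RAM. The function names, the 512-byte sector size and the entropy threshold are assumptions of this example, and the sample image is constructed.

```python
import hashlib
import math

SECTOR = 512  # bytes per logical sector (assumed)

def entropy(buf):
    """Shannon entropy in bits per byte; encrypted data scores close to 8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in map(buf.count, set(buf)))

def first_random_sector(path, threshold=7.0, chunk=1 << 20):
    """Byte offset of the first sector that looks encrypted, or None."""
    with open(path, "rb") as src:  # read-only: the source is never written
        base = 0
        while block := src.read(chunk):
            for i in range(0, len(block) - SECTOR + 1, SECTOR):
                if entropy(block[i:i + SECTOR]) >= threshold:
                    return base + i
            base += len(block)
    return None

def diskpart_offset_kb(byte_offset):
    """Convert a byte offset to the KB value diskpart's offset= expects."""
    if byte_offset % 1024:
        raise ValueError("offset is not KB-aligned; carve to a file instead")
    return byte_offset // 1024

def carve(src_path, offset, dst_path, length=None, chunk=1 << 20):
    """Stream bytes from offset into a new file, one chunk at a time."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        src.seek(offset)
        while length is None or copied < length:
            want = chunk if length is None else min(chunk, length - copied)
            data = src.read(want)
            if not data:
                break
            dst.write(data)
            copied += len(data)
    return copied

def build_sample_image(path, lead_sectors=6, data_sectors=10):
    """Constructed test image: zeroed sectors, then pseudo-random 'ciphertext'."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(data_sectors * SECTOR // 32))
    with open(path, "wb") as f:
        f.write(bytes(lead_sectors * SECTOR) + body)
    return lead_sectors * SECTOR
```

`carve` opens the destination in exclusive-create mode, so it refuses to overwrite an existing file; point it at a path on a separate disk, as suggested earlier in the thread.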
     
  8. dantz

    dantz Registered Member

    Sounds good! Yes, I remember that post now. Hey, feel free to jump in anytime if you see another TrueCrypt user in trouble, as you seem to have a really good grasp of how to fix broken volumes.

    edit: left out the word "good" by mistake
     
    Last edited: Jul 16, 2013
  9. ease

    ease Registered Member

    Most certainly. I've been at this problem for about a week, googling and googling. I've learned a bunch about how hard drives and truecrypt work.

    I kept finding the answers I needed in your posts tho, so all credit to you my friend. Thank you!
     