Reconstructing a Large Deleted Volume (TrueCrypt)

Discussion in 'encryption problems' started by Banannas, Nov 7, 2014.

  1. Banannas

    Banannas Registered Member

    Joined:
    Nov 7, 2014
    Posts:
    4
    Location:
    Western Mass
    This is a long story and I will just stick to the main points:

    (1) Several large (100GB to 924GB) TC volumes on different drives were deleted over the summer. (2) I thought all hope was lost, then I stumbled upon this forum and others - especially lots of helpful information from Dantz. (3) On one drive, using WINHEX, I was able to find the beginning and end of a contiguous 100 GB block, copy it as a file to a new drive, and it mounted with all my data (Yay!). (4) I am having problems with the larger volumes.

    I have one 1 TB drive that has a large container (924 GB). I spent hours (days?) scanning for blocks using WINHEX. I could not find any blocks larger than 465.6 GB. My fear? The volume was fragmented. I finally stumbled upon the header in one block, copied part of it to a new file and it mounted! (of course it would not decrypt). I did some fairly detailed mapping of the drive and have found three blocks - not in sequence - that cumulatively add up to the 924 GB. The block with the header is in the middle of the drive (465.6 GB), there is a 455.5 GB block towards the end of the drive and a third block of 2.9 GB towards the front of the drive.

    Is there a way to copy these large blocks of data and append them into one file? I cannot figure out how to do that. If I can, I can probably sew the blocks back together and recover my volume. I have not given up hope, but to be honest it has just become more of an interesting puzzle and hobby than anything else.

    Help? Please o_O?
     
  2. Banannas

    Well, it's been 10 days with some looks but absolutely no replies here. Either it is a stupid question, no one knows, or it is not that important.

    HOWEVER: for those that may be in a similar pickle here is what I have found so far on my own.

    Using Winhex, you can copy the individual chunks into individual new files by selecting the block and edit>copy block into new file. You can append these by using Tools>file tools>Concatenate (alt+k). It will ask for the name of the new destination file, then you enter the first block name (it copies that over), then it will ask for the next file to append (then it adds that one), and so on. It is a slow process since it needs to build each new file bit by bit, and hundreds of GB takes hours.

    I also discovered that the first block that I found that has the header and Truecrypt will mount into a drive and attempt to decrypt. At least if you wait long enough it works. I think it takes so long because it will create a new drive the size of the original, fill it with the data it finds and fill the rest of the space with dummy data. Clever really. It will recreate the original volume to the extent that it can, then fill the extra space with filler. For example, my header block that I had was about 465 GB and the mounted drive is 924 GB with 465 GB of actual data. Again, Windows will not recognize the mounted drive, but you can load it into Winhex or testdisk (photorec_win.exe) and you can recover files. I was able to recover using winhex Tools>Disk Tools>File Recovery By Type. I was able to save a lot of files.

    I am currently creating the individual blocks and getting ready to concatenate them. This takes many hours of read/write time and lots of HDD space. I will probably begin the splice tomorrow and will report back if the spliced file decrypts or dies. Worst case I saved half of my data that was in the first block and will lose the rest. Better than nothing. Best case, I get it all back.

    Interesting puzzle.
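
The copy-then-concatenate procedure from the post above can also be done in one streaming pass, shown here as an added example that is not part of the original post and not WinHex's own method. It assumes the fragments were already mapped as (offset, length) byte ranges in a disk image file; the function names, offsets and fragment order are hypothetical.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so huge extents never sit in RAM


def splice_extents(src_path, extents, dst_path, chunk=CHUNK):
    """Copy (offset, length) byte ranges from src_path into dst_path, in order.

    Returns the number of bytes written. The source is opened read-only.
    """
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        src_size = src.seek(0, os.SEEK_END)
        for offset, length in extents:
            if offset < 0 or length < 0 or offset + length > src_size:
                raise ValueError(f"extent ({offset}, {length}) outside source")
            src.seek(offset)
            remaining = length
            while remaining:
                buf = src.read(min(chunk, remaining))
                if not buf:
                    raise IOError("short read inside extent")
                dst.write(buf)
                remaining -= len(buf)
                written += len(buf)
    return written


def demo():
    """Constructed sample: a tiny 'disk' holding three fragments out of order."""
    head, tail, small = b"H" * 4000, b"T" * 3000, b"S" * 500
    gap = b"\x00" * 700  # unrelated data between fragments
    disk = gap + small + gap + head + gap + tail + gap
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "disk.img")
        dst = os.path.join(tmp, "rebuilt.tc")
        with open(src, "wb") as f:
            f.write(disk)
        # Offsets as mapped with a hex editor; the logical order is assumed.
        extents = [(1900, 4000), (6600, 3000), (700, 500)]
        n = splice_extents(src, extents, dst, chunk=1024)
        with open(dst, "rb") as f:
            return n, f.read() == head + tail + small
```

Writing straight to the destination avoids the intermediate per-fragment files, so the job needs free space for one copy of the volume rather than two.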
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    It's not that I don't care. I just can't help. Dantz was the TrueCrypt guru on Wilders, and I guess that he's still on holiday or whatever.
     
  4. Banannas

    I know. I am just a bit frustrated. I try not to expect too much and take help where I can get it. Poor Dantz fielded a lot of these questions and is probably a busy guy. I would not have gotten as far as I have without reading his past posts! I am making headway. I should have the concatenated rebuilt file done later today. Then see if it mounts. If it works, great! If not, at least I saved half of my data.
     
  5. Banannas

    It worked. The reconstructed volume mounted and I opened the mounted drive and my data was there. What started as mission impossible became mission accomplished. 924 GB
     
  6. mirimir

    Far out, dude :thumb:

    I nominate you for TrueCrypt support ;)
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Congratulations, and could I impose a thought to confirm something? Essentially, it's that the TC header will go ahead and decrypt whatever blocks come after in the file - there is no notion of how big the volume is or whether it has any integrity checks - is that right? I suppose that's what allows things like hidden volumes/OS to work as well.

    One of the features I'd like in the progeny-of-Truecrypt is the optional ability to detect tampering or corruption of the file (which would clearly need a hash done every time so could get expensive), or maybe that could get done in sections somehow.
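
The "done in sections" idea from the post above, as an added sketch that is not TrueCrypt code or a feature of any existing tool: one keyed tag per fixed-size section of a container file, so damage can be located without trusting the rest of the file. The function names, section size and key are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

SECTION = 64 * 1024  # assumed section size: larger means fewer tags, coarser location


def _tag(key, index, data):
    # Bind the section index into the MAC so swapped sections are detected.
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()


def build_manifest(path, key, section=SECTION):
    """Return one HMAC-SHA256 tag per fixed-size section of the file."""
    tags = []
    with open(path, "rb") as f:
        while True:
            data = f.read(section)
            if not data:
                break
            tags.append(_tag(key, len(tags), data))
    return tags


def damaged_sections(path, key, manifest, section=SECTION):
    """Return indices of sections that changed, went missing, or were appended."""
    current = build_manifest(path, key, section)
    bad = [i for i, (a, b) in enumerate(zip(manifest, current))
           if not hmac.compare_digest(a, b)]
    # Truncation or appended data shows up as a length mismatch.
    bad += range(min(len(manifest), len(current)), max(len(manifest), len(current)))
    return bad


def demo():
    """Constructed sample: flip one byte in section 2 of a 5-section file."""
    key = b"k" * 32  # constructed key for the demo only
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "container.bin")
        with open(path, "wb") as f:
            f.write(os.urandom(5 * 1024))
        manifest = build_manifest(path, key, 1024)
        with open(path, "r+b") as f:
            f.seek(2 * 1024 + 10)
            byte = f.read(1)
            f.seek(2 * 1024 + 10)
            f.write(bytes([byte[0] ^ 0xFF]))
        return damaged_sections(path, key, manifest, 1024)
```

Verification still reads the whole file, which is the cost the post anticipates; a manifest stored beside the container also cannot detect a section rolled back together with its old tag.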
     