Recorded backup to a full and wrong HDD - need the TrueCrypt container back

Discussion in 'privacy problems' started by martin28, May 26, 2009.

Thread Status:
Not open for further replies.
  1. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    I recorded an Acronis backup to the wrong HDD.
    Now I have overwritten a full 186 GB HDD, which had a TrueCrypt container on it (110 GB), with a 5 GB backup.
    Can I rescue the old TrueCrypt container?
    How?
    Please help!
    Regards, Martin
     
  2. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    If you have overwritten all the data on the hard disk, it is extremely hard (I would say impossible) that you will be able to get any of your data back, no matter if it is a truecrypt volume or anything else.
     
  3. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    I have only overwritten 5 GB, and maybe I didn't hit the container.
    But I don't know how to identify the 100 GB container.
    Rescue tools didn't find it.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Not everyone uses the same terminology, so just to clarify things, please describe your TrueCrypt container. Is it an actual 110GB container file? Or instead did you encrypt a partition on your hard drive, or possibly the entire device?

    Also, what version of TrueCrypt was used to create the encrypted volume? And exactly what do you see when you attempt to mount the partially overwritten volume? Can you mount it? If so, do you see a prompt saying the volume needs to be formatted? (If so, DO NOT format it!) Also, DO NOT run Checkdisk or any other disk tools. The first thing you should do, if you have enough storage capacity, is to make a full (and RAW) backup image of the affected hard drive, for backup purposes in case you screw up the recovery attempt. If you aren't able to do that then at least be very careful what you run on the drive, as you can easily make things worse. Don't write anything at all to the drive if you can help it.

    The outcome of your rescue attempt will depend on what section of the TrueCrypt volume was overwritten, and possibly whether or not you have any header backups. However, most likely you will be able to retrieve some of your data, especially if the volume was created with TrueCrypt version 6, which includes embedded backup headers.

    (edit):
    PS: Your Acronis backup is merely a 5GB file, right? You're not cloning your drive or copying and pasting partitions? Well, if your TrueCrypt volume is also file-based then there would be no reason for anything to get overwritten. And if it's partition-hosted or device-hosted and was unmounted then you wouldn't be able to save a file to that location, so there would be no overwriting risk there either.

    I'm hoping you can provide more details so we can figure out just what did happen.
     
    Last edited: May 27, 2009
  5. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    I had an HDD (186 GB), NTFS, with 80 GB free space (with some documents) + ca. 100 GB TrueCrypt 4.3a container file.
    I didn't make a header backup for this container.
    And I overwrote this HDD with a Windows XP backup, done with Acronis True Image 10!
    With R-Studio I found this:
    http://img3.imagebanana.com/img/vtvhuvad/hoch2.jpg

    Regards, Martin

    PS: I read a lot about the MFT and HDDs. I hope that a >100 GB file in one piece can be identified. Or could it be that TrueCrypt fragmented a nearly empty HDD for the encryption formatting?
     
    Last edited: May 28, 2009
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm not familiar enough with R-Studio to recognize what is going on in your jpeg image, but it seems quite obvious that R-Studio has not found your lost file, otherwise there would be a large block displayed.

    I'm still not clear on what's going on here. Both Acronis True Image backups and TrueCrypt container files are merely files, so writing a new 5GB ATI file to your drive wouldn't normally overwrite an existing 100GB file. What really happened here? It's always best to figure out what happened before you embark on a recovery plan.

    Anyway, if your container file has somehow become deleted and standard file-recovery tools can't locate it then you can always search for it manually by using a hex editor to examine your drive's free space. Most container files are contiguous, but it might be fragmented if you created it on a drive that had files scattered all over it and that was never defragmented properly. Your lost file might also span the MFT or its fragments.

    In this case you will need to search for a gigantic, 100GB block (or perhaps a large fragment of the block) of what appears to be completely random data within your drive's free space, and then save it as a file. The trick is to locate the file's exact starting point, and hopefully (but less critically) the exact endpoint. The file might be contiguous, but like I said, it might not be. (If it isn't then it could be very difficult if not impossible to find all the pieces and fit them together. It depends on what kind of data is already on the drive. If it's all zeros, no problem at all. Otherwise, it could be a very big problem. You might even consider wiping all of your known data and replacing it with zeros so your lost file will stand out more easily.) The first 512 bytes of the file contain the all-important header, so you have to get the beginning of the file exactly right or you will have no chance at all. And if the header itself was overwritten then you really do have no chance. Anyway, if you're lucky then your 100GB of random data will be adjacent to non-random data and will be easy to spot, but if it's adjacent to other random data then it will be practically impossible to find. (However, it could probably be found programmatically by stepping through the drive one byte at a time and testing the password against every potential header.)

    For example, imagine trying to find the 38 characters of "random" data within this sentence: "This is a demonstration of how a TrueCrypt file a9ng7ufmd3nfnfi40jnvmnv8dnfidw02jfkzo0 might appear on your hard drive." Of course, in this example the random data was surrounded by text and spaces, so it was easy to spot the beginning and the endpoint. However, things could be worse: "prx3bl[kf9a9ng7ufmd3nfnfi40jnvmnv8dnfidw02jfkzo0g2". You might notice that the same random data is still in there, but you'd never be able to spot the exact beginning and endpoints unless you already knew what they looked like. If you had a header backup then you could use it in a search string to locate the exact beginning of the lost file, but without that all you can do is hope that your lost file is surrounded by plaintext or perhaps a long string of zeros.

    If you manage to recover and save the correct block as a file, as shown by the fact that you can supply the password and mount the volume, then you will probably need to use data-recovery tools on the mounted volume in order to recover your encrypted files.

    There are also many discussions of file and volume recovery techniques on the TrueCrypt boards.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I wonder if he imaged or inadvertently cloned to the target drive?
     
  8. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    @dantz

    Yes, I think so. So I must find it. I hope so. Maybe it is the long full rose range to the end!?
    http://img3.imagebanana.com/img/eltgehxj/a22.jpg
    I found some JPG ANSI data... and then some zeros before only data comes up.
    Okay. Now I hope you can help me with the next steps. I will go buy a new USB HDD so I won't accidentally boot from the wrong HDD, and I have more SATA HDDs here but I don't know anything about the connections.

    I saved the first 512 bytes and tried to integrate it in TrueCrypt.
    TrueCrypt said: wrong volume size.
    Is this my container?
    What do you think?
    How can I check if I have found the header?

    If I'm right, how can I save the data without marking it? Because there is a lot to save.
    Which tool is safe for that?

    I hope you can help me more before your weekend comes up.
    CU, regards,
    Martin

    PS: Now I made a header backup from my second TrueCrypt container, to learn something... but this one is 1024 bytes (1 KB) big... Why is that? I thought it should be 512 bytes.
     
    Last edited: May 29, 2009
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    If you think you have located the 512 byte header then you need to use a hex editor to save it as a file, but include another 100K or so of data at the end (it doesn't matter what data, anything will do). The file needs to be above a minimum size, which I think is around 50K, before TrueCrypt will allow you to test it, otherwise you will get the "incorrect volume size" error. Since your lost file should be immediately behind the 512 byte header, merely enlarge the block of data that you plan to save as a file, taking as much as is reasonable based on your circumstances, but at least 100K (this is just for testing purposes, not data recovery).

    Select the file and use your password to attempt to mount the volume. If your password is accepted then you've successfully located the header. If you get the "invalid password or not a TrueCrypt volume" message and you know that your password is correct then the header was probably wrong. You might have to test a whole bunch of potential headers until you locate the right one and are able to get past this message. If there are too many possibilities then you might have to assemble a small program that will walk through the drive testing the potential matches. If you don't have those kind of programming skills then I think it could be done fairly easily with a Windows macro recording tool.

    If you do manage to mount the volume then don't worry about the lack of a filesystem, as this is just a test of the header. Once you find the correct header you can use it to decrypt all or part of your encrypted data. Naturally, it is best to decrypt it all at once, but if this is not possible due to fragmentation or overwritten data then you can decrypt whatever portion you have located merely by attaching the header to the beginning of it. In this case there will probably not be a working filesystem, so you will have to use data-recovery tools to see what (if anything) can be rescued from the decrypted data.

    You can use one of the various freeware hex editors for looking around and possibly for saving small files from your freespace, but when it comes time to save the 100GB block as a file then you will have to use a commercial hex editor, as the free ones simply don't have that capacity. I recommend WinHex. Not only is WinHex an excellent hex editor, but it can save an absolutely huge block of raw data as a file. (There is also a free version of WinHex, but it can't save a large block as a file).

    The 1024 byte backup header actually includes two 512-byte headers. The first header is for the main volume and the other is for the optional hidden volume (if used). The first 512 bytes comes from the beginning of the file, and the second 512 bytes come from a point close to the end of the file.

    If you have any data stored in a hidden volume then you will have to use the second header to decrypt your data.

    edit:
    The above advice refers to TrueCrypt 4.3a, which you state you are using, and does not apply to the newer versions.
     
    Last edited: May 29, 2009
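    The programmatic search dantz sketches in posts 6 and 9 (stepping through the drive and testing potential headers) has a cheap first stage that narrows the candidates before any mount attempt: scan the raw image sector by sector, measure how random each sector looks, and report the start of every long run of random-looking sectors, since the container's 512-byte header has to sit at such a boundary. The following Python is an added example, not code from the thread or from any tool named in it; the sample image is constructed, and the entropy threshold and minimum run length are assumptions to tune per drive.

```python
import math
import random
from collections import Counter

SECTOR = 512  # a TrueCrypt 4.x header occupies the first 512 bytes of the container


def sector_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-identical bytes, close to 8.0
    for random (encrypted or compressed) data, around 4 to 5 for plain text."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_random_runs(image: bytes, threshold: float = 6.5, min_sectors: int = 4):
    """Return (start, end) byte offsets of every run of at least min_sectors
    consecutive high-entropy sectors. Each start offset is a candidate header
    position: carve from there and try to mount the carved file with the real
    password; the end offset is the first discontinuity after it."""
    runs = []
    run_start = None
    total = len(image) // SECTOR
    for i in range(total):
        high = sector_entropy(image[i * SECTOR:(i + 1) * SECTOR]) >= threshold
        if high and run_start is None:
            run_start = i
        elif not high and run_start is not None:
            if i - run_start >= min_sectors:
                runs.append((run_start * SECTOR, i * SECTOR))
            run_start = None
    if run_start is not None and total - run_start >= min_sectors:
        runs.append((run_start * SECTOR, total * SECTOR))
    return runs


def carve_candidate(image: bytes, start: int, min_bytes: int = 100 * 1024) -> bytes:
    """Cut a test file beginning at a candidate header offset. TrueCrypt rejects
    files below a minimum size ("incorrect volume size"), so the test file must be
    at least min_bytes long (here, or whatever remains of the image)."""
    return image[start:start + min_bytes]


def build_sample_image() -> bytes:
    """Constructed sample image (not a real drive): 8 sectors of text, 4 sectors of
    zeros, 16 sectors of pseudo-random bytes standing in for the encrypted
    container, then 4 sectors of text after it."""
    text = (b"This is a demonstration of how a TrueCrypt file might appear "
            b"on your hard drive. " * 60)[:8 * SECTOR]
    zeros = bytes(4 * SECTOR)
    rng = random.Random(1234)  # deterministic stand-in for encrypted data
    container = bytes(rng.getrandbits(8) for _ in range(16 * SECTOR))
    tail = (b"plaintext after the lost file " * 100)[:4 * SECTOR]
    return text + zeros + container + tail


if __name__ == "__main__":
    img = build_sample_image()
    for start, end in find_random_runs(img):
        print(f"candidate header at offset {start}, random run ends at {end}")
```

    Compressed files (JPEGs, archives) score as high as encrypted data, which is the "random next to random" problem from post 6: a container that directly follows such a file merges into one run, and only the mount test with the real password separates the two.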
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, I've been wondering that myself. The OP has not been entirely clear in describing the situation.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    No decent image program should have done what he's described, but cloning..... oops.
     
  12. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Sorry, I didn't understand Peter's question.

    My healthy system (before):
    2 x HDDs

    1. C: 15 GB (system = XP) + D: 45 GB, E: 90 GB
    2. H: 186 GB (with films etc. + 1 TrueCrypt container file = ca. 110 GB). In the container 11 GB free and
    outside maybe 25 GB free


    Then C: wouldn't work. I decided to use Acronis True Image (rescue disk) to play back an old system (XP)
    from an Acronis backup that was on E: or H: (I don't remember which one I used)... I think from E:.

    The problem came with copying the backup data from (E: or H:) not to the old C: partition but to the full
    H: HDD, because I ratified that I will install it on C:! But C: was not my old C: partition. Acronis
    gave me the wrong letters for the devices. That's my explanation.
    -

    -

    I think it will be more difficult than I thought, because I don't know how to find a container header,
    or how to find a big file. With a hex editor, without help, that won't work out.

    So I must first clone the damaged H: to a new HDD. Which tool can do this, that can copy all sectors?
    R-Studio will only make an image like Acronis cloning will do.

    ...
    And after that I need more tips to find the header. The first tests didn't bring it back. ;(

    @dantz
    This helps a lot, so I don't have to save such a lot of data before I find my header.
    Is there a tool that can find a damaged partition and which finds more files from the MFT or something
    like that? I don't know, because I don't know how to clear all the false data with zeros, and I didn't
    see the position where a tool (like R-Studio) found this data.

    But I didn't use a hidden volume, or I don't know what it is. But the file (header of my second container) is 1 KB big. *strange*


    PS: Sorry for my English, but I didn't have to use it in the last years.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Okay, I think I see what happened. When you did the restore, you thought you were restoring to C: but the drive labels were mixed up and you accidentally restored to your h: drive.

    Even though you only had 5gb on the image it probably created either a 15gb partition, or it could have created a new partition the size of h:\. In either case your file is no longer recognized by the OS.

    WARNING TO ALL. This wasn't an acronis problem. Drive letter changes in recovery environments are more a machine function. Unique labels should be given to all drives in windows, so you can identify the drive by name.

    Martin, I don't have the knowledge to tell you how to try and recover the container file or if it's possible. Depending on its value you may have to go to data recovery specialists. Hopefully others will chip in here.

    Pete
     
  14. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Now, after some long nights, I found something like a header.
    If I save some data from the point I found (as bin with R-Studio), then I can mount this file with my password.

    This must be the right beginning, or?

    But till now I don't know where the end is, and maybe the container is split.
    If I have found the header, how should I go further to find the complete file?
    From my start position to the end there are only 93 GB left... and I thought the container was 110 GB big.
    -
    If I save all data from the header till the end (HD end), then TrueCrypt still says the same: "Not formatted..."
    ... What should that tell me?

    Regards, bluebird

    PS: I can't reach the mounted volume to use it with recovery tools.

    -

    My open container:
    http://img3.imagebanana.com/img/j9e9gmjr/opensafe.jpg

    .. Is there any reason to see why I get the message:
    "This partition is not formatted. Would you like to format it now?"
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, if you can use your original password to mount the "file" that you saved with your original header attached to the front of it then you have found your header, and considering all that's happened, that's pretty amazing. I thought that your header would have been overwritten when you accidentally restored your OS to the wrong drive (if that's even what happened). Anyway, whatever happened, good work!

    (You didn't use the same password to create a brand new header and then attach it to the front of the file, did you? Because that won't work. It will mount, but it won't decrypt.)

    You're seeing the "not formatted" message because the encrypted volume's filesystem was damaged in the accident. When a portion of a TrueCrypt volume is overwritten you will often see that message. At this point you need to mount the volume and then use data-recovery software to search the mounted volume for any files that can be recovered. Unfragmented files are more likely to be recoverable, but depending on the file type you might also get portions of some other files. Try R-Studio, try GetDataBack, try a hex editor.

    I guess you'll just have to use trial and error to see how much raw data you need to save as a file. Since the filesystem is shot anyway, it shouldn't matter that much if you grab some extra data. I would probably start by grabbing it all, and if that didn't seem to work then I would grab up to the first "discontinuity" (the first location on the drive where non-random text begins, as seen with a hex editor).

    Is the new container file stored on a USB drive? Some data-recovery software won't work well through a USB interface. Try saving the file to an internal hard drive and mount it from there.
     
    Last edited: Jun 4, 2009
  16. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    @dantz
    Hi!!!

    Yes, that happened.

    But every container (on E: is one, too) is from the middle of the HDD to the end, and so I found something.
    And yes... I'm glad that it is going further.
    To find the header it was a lucky moment, I think, because I didn't have the luck that there were zeros or text before.
    Never mind!

    -
    "Not formatted": can that be a problem with the 1:1 copy that I work with
    for recovery? What do you think? Or maybe a saving problem from the tool: R-Studio hex->bin (HDD).

    -
    The first times, R-Studio, GetDataBack, Active@ Undelete etc. wouldn't find the open container. But after some refreshes I can NOW use R-Studio to scan. I hope this time that this tool can find complete files, like "EASEUS Data Recovery Wizard" can do with normal partitions. But with the Wizard I can't see my volume :'( . But that tool was very great.
    -

    Yes, it is a USB drive, because my PC is now full of HDDs.
    - But if the recovery tools won't find the mounted volume, can that really be a USB problem?


    I will report if I get something back.
    CU, Martin/blueb.
     
    Last edited: Jun 5, 2009
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I've heard that the USB interface can get in the way of these types of operations, but my guess is that this probably varies based on the specific software being used. You should check with the vendors of your data-recovery software to see what they think. (Can you at least examine the mounted volume with a hex editor?)

    The vendors may tell you that the TrueCrypt drivers, the lack of a working filesystem or perhaps the TrueCrypt virtual drive itself is interfering with their data-recovery software. You can believe the vendors outright, or you can perform some tests of your own using existing TrueCrypt volumes. This would be a very easy test to do. Just create a reasonably-sized container file, stick some files in it, copy it to several internal and external locations, and then try to examine the mounted volume with various types of data-recovery software. Heck, you could even intentionally damage the volumes and see if they continue to be detectable and viewable. Any limitations should quickly become apparent.

    If the problem really does lie with TrueCrypt then you could always try doing a sector-by-sector backup or clone of the mounted drive and then restoring it to a physical hard drive (hopefully an internal one). This should result in a fully decrypted (but still filesystem-damaged) hard drive full of data that should now be fully explorable by data-recovery software. I've never tried this, but I think it would work.

    Be aware not all imaging software is capable of doing sector-by-sector backups or clones of RAW unformatted data.
     
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  19. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Status: I could rescue 90% of my data. The important things are back, and now I know what I have lost.
    So my problem is solved.
    I didn't try "SpinRite" because it looks too difficult to me. And the video doesn't look serious.


    Now I made an update to the newest "TrueCrypt" version and I made an encrypted partition.
    (The header is saved!)
    But I will also make a copy of the full HDD (incl. the extra TrueCrypt partition).
    How should I do this? Which tool?
    A fast one would be great because I will do it every month.

    Regards, Martin
     
  20. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Good news so far !

    SpinRite is most definitely a serious tool.

    Lots of backup/copy etc software available, and plenty which are free. Start by doing a search on here.

    All the best.
     
  21. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Congratulations! Would you mind telling us how you finally performed the successful recovery of most of your data? It might help somebody else in the future.

    As far as backing up an entire 186+ GB partially encrypted hard drive, there is no quick solution. You already have Acronis True Image, so if it's working well for you then I would just stick with that. Other imaging apps may be marginally faster, but it's still going to take quite a few hours and it will probably be best to run it during "off" hours (e.g. overnight). There are no shortcuts when backing up an entire encrypted partition, as there is no data that can be skipped or compressed, even if the volume itself is mostly empty.

    A quicker option would be to regularly back up the contents of your mounted volume directly into an external encrypted (and mounted, of course) volume. Incremental or differential backups will go fairly quickly, and even the monthly (or whenever) full backup should be considerably quicker than the time it would take you to back up the entire encrypted partition and/or the entire hard drive. It will also consume much less space.
     
    Last edited: Jun 19, 2009
  22. martin28

    martin28 Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    @dantz +
    Yes, you are right. I made another TrueCrypt safe and I did a file copy, so I can copy
    the changes faster. Acronis can't copy the TrueCrypt volume, and always makes trouble.


    @all
    I have no guide to rescue a lost TrueCrypt volume.
    The header is always important... make backups here (header + data backup)!!!!!!
    If you haven't one, then use R-Studio to find your container (from a 1:1 backup of the HDD where the
    TrueCrypt file was on it; use DriveImage XML; don't use the corrupt one for the rescue; every access can kill the rest of your data).
    ... This rescue can only work if you have a file structure, because the TrueCrypt file header is
    encrypted, so the file won't be found by any recovery tool. Only if you had a big safe do you have
    the last chance to try to locate the beginning of your container with the hex editor. This means
    that from one position you can only find encrypted data (good if a text file or zeros are before).
    With R-Studio you can see there is only encrypted data/archive, so you don't have to check the whole HD.
    But you still need luck.
    If you find something, then save some bin data from the beginning (2 MB or more). If TrueCrypt mounts
    this file (then you found the right beginning), you can save the rest of the HDD from the header.
    After this save, most of the time the mounted containers are corrupted, so you have to use R-Studio
    to check the mounted container. And I'm sure it will find something from your data.
     