Recover TC file after USB HDD partitioning/format

Discussion in 'encryption problems' started by Tlucz_huba, Dec 29, 2017.

  1. Tlucz_huba

    Tlucz_huba Registered Member

    Dec 23, 2017
    - MacBook Pro 2012 with dual boot macOS high Sierra and Win10 64-bit,
    - WD MyPassport 0730 external USB 3.0 HDD 1TB, GTP, split into 2 equal partitions (HFS+)
    Second partition contained a 20GB TrueCrypt file.

    - Hard drive got repartitioned/formatted into a SINGLE partition (HFS+)

    Got most of the TC data back from backup, but I am sure there are a few files that were only in this container.


    1) Tried TestDisk to recover the original partitions scheme, NOT successful.

    2) Used R-studio for Mac 4.6, it identified 20GB file with the same name as the original TC container file.
    The file was listed in the Root ( ) and also in on of the Extra Found Files subfolders ( ).

    After recovery, the file format was not the usual HEX file, but rather UNIX executable.
    Getting the “Invalid password or not true crypt volume” even when tried to mount from the header backup.

    3) Started researching the problem. The most similar case to mine is this one:

    Got some ideas and tried a few things.

    3) in R-studio, I found the absolute starting and ending addresses of the TC file.

    Start address: (HEX) 0x6a7df88000 = byte 457,379,971,072 ( )
    Last address: (HEX) 0x769b362fff. = byte 509,410,160,639 ( )

    Assuming the file was stored on HDD in a contiguous manner, I though the difference between addresses would add up to approx. 20GB.

    Not the case, my calculations resulted in approx. 48.5 GB, which makes me doubt the R-studio ability/correctness.

    4) Tried a few scenarios via HEX editor (HEX field) and DD in attempt to recover and mount:

    A) From the “probable” start address that R-studio gave me, I went back 262,144 bytes (should contain the TC keys ?? ), marked this address, then went 262,144 and 21,747,836,480 bytes (20GB) forward. Extracted this chunk using DD into another drive.

    Tried to mount using the RESTORE volume header from embedded backup. Got “incorrect password or not TC volume”.

    B) From the “probable” start address, I went forward 256Kb + 20GB.
    Extracted this chunk via dd into another drive. Tried to mount the same way as above. Same result.

    C) From the “probable” end address”, I went back 20GB + 256KB.
    Extracted via dd and tried to mount the same way as above, with the same result.

    5) While randomly browsing the drive in HEX editor, I found a few a plain text references to my TC container file name ( hitachi160-enc2-SG1B )

    Not sure if that can lead me to some attempt to somehow better identify the start/end addresses. ( o_O )

    6) Booted into Win 10 and tried TestCrypt in the whole external drive. I got installed Paragon HFS for Win 10

    , so system sees HFS+ drives. Overcame the trouble with unsigned drivers when running the TestCrypt. Scanned the whole drive while provided valid password for the container. Nothing found.

    So the question is: Did I exhaust all possibilities or can I try something else or different, or maybe adjust/correct something I already tried?

    Thax to anybody for their advice and time.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.