Recovering data from possibly corrupted Truecrypt volume

Discussion in 'encryption problems' started by Sukhvir Notra, Jul 4, 2014.

  1. Sukhvir Notra

    Sukhvir Notra Registered Member

    Joined:
    Jul 4, 2014
    Posts:
    9
    I have an external hard drive (no system files on it) which has been encrypted using TrueCrypt.

    Suddenly today when I tried to mount the hard drive, I got the following error:

    Incorrect password or not a truecrypt volume
    So I tried to mount it using mount options and choosing the "use backup header embedded in volume if available" option. When I do that the hard drive mounts, but I am not able to access any files in the drive.

    I get the following error when I click on the drive to open it:

    You need to format the disk drive in J: before using it

    How do I recover my files? This is very important and urgent. Your help will be greatly appreciated.

    PS: I am using Windows 7 64-bit.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Sounds like the beginning of the container got damaged somehow. Possibly your external drive's partition table was overwritten at the same time.

    When you click on "Select Device" to choose your volume, does the selection screen look any different now? In other words, did you used to select a partition, but are you now selecting the entire disk because the partition is no longer listed?
     
  3. Sukhvir Notra

    @dantz thanks for replying. When I click on the "Select Device" button, I can still see the partition (so both the hard drive and the partition). Also here is the screenshot of what I see when I open the drive in DMDE:

    http://i.imgur.com/vraAgDm.jpg
     
  4. dantz

    So what were those WinHex screenshots? They showed no partition present.
     
  5. Sukhvir Notra

  6. dantz

    I'm sorry about my previous reply. I got your thread mixed up with another one.

    As far as I can tell, the DMDE screenshot shows a big block of random data where there should be a boot sector or other file system structure. Apparently the screenshot is of the mounted volume, is this correct?

    Possibly the beginning of your volume was overwritten. That would be one explanation. In DMDE, in the mounted volume, scroll down. Scroll way down and see if the data changes. Look for blocks of zeros or any recognizable plaintext.
     
  7. Sukhvir Notra

    @dantz Thanks for the reply. OK, so I followed your instructions. Now I tried loading up my drive in the following way in DMDE:

    1. After mounting in TrueCrypt ("use backup header if available" method), I opened DMDE and loaded the encrypted logical device (i.e. the J: drive). As shown below:
    http://i.imgur.com/RL4ZlsX.jpg

    After scrolling down as you suggested I found this in the second last sector:
    http://i.imgur.com/Dbh6fwC.jpg

    2. I also captured a screen recording of this whole process for you (choose 720p HD from the settings):

    http://youtu.be/9FGK9Dj6WCU


    The second part of the video is me loading the drive in DMDE using its original drive letter (i.e. G:). This letter gets resolved to J: when I mount it in TrueCrypt.
     
  8. dantz

    I see that you found a lot of zeros in the middle of the volume and some recognizable plaintext near the end of the volume. This shows that your volume is still decrypting properly, that it likely still contains some of your original data, and that it is behaving "normally" as far as TrueCrypt is concerned (aside from the fact that your volume header and the beginning of the volume have apparently been damaged). Apparently an event occurred that overwrote a portion of the beginning of the volume. Perhaps there was an accidental format of the unmounted partition?

    If you accidentally format an unmounted partition-hosted TrueCrypt volume, and then you mount the volume (using the embedded backup header, as the original header would have been destroyed), and then you examine the volume using a hex editor, then you will see a lot of random data wherever the formatting code overwrote the volume. And that's what I'm seeing at the beginning of your volume.

    To confirm this theory, you can dismount the volume and then use a hex editor to examine the unmounted partition. An unmounted TrueCrypt-encrypted partition normally looks like random data from start to finish. You won't see a single recognizable pattern in there, not even a large block of zeroes. It will look like a solid block of gibberish from beginning to end. However, if the partition was accidentally formatted then you will see some recognizable code and even recognizable words, plus some very large blocks of zeros. Is that what you see?

    Anyway, at this point I suggest you use various data-recovery programs to explore the mounted volume in the hope of recovering some of your data. I don't know how much of your original data remains, as you scrolled by too quickly for me to make anything out (which is just as well, as you posted it on YouTube. I would probably take down that video. Screenshots are safer.)

    Try GetDataBack (at runtime.org) first. You can start out with the evaluation copy. If that doesn't find anything then your file system may be too badly damaged for conventional data-recovery tools, in which case you will want to try Photorec (which comes with Testdisk, from CGSecurity). Photorec works via file-carving. It examines the disk (or other source) directly, looking for known file signatures, and then it attempts to recover whatever files it finds one by one.

    Be aware that your file types must be on Photorec's "supported file types" list, otherwise it will not find them. It will also find recently deleted files and even file fragments, so the output can be a bit of a mess, but you ought to be able to recover something. I can't say how much at this point.

    There are other tools that you can try as well, but I'd begin with those two, just to get an idea of how things are looking.
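The check dantz describes above (an intact encrypted partition is random from start to finish; a formatted one shows boot-sector structures, blocks of zeros and readable text) can be automated over a raw image of the unmounted partition. This is an added example, not code from the thread or from TrueCrypt; the sector classes, thresholds and the two sample images are constructed here for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-same bytes, ~7.6 for 512 random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_sector(data: bytes) -> str:
    if not data.strip(b"\x00"):
        return "zeros"
    # 512-byte windows bias the entropy estimate down to ~7.6, so 7.0 is the cut-off
    if entropy_bits(data) > 7.0:
        return "random"
    # NTFS OEM id at offset 3, or an x86 boot signature closing the sector
    if data[3:11] == b"NTFS    " or data[-2:] == b"\x55\xAA":
        return "fs-structure"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "plaintext" if printable / len(data) > 0.9 else "other"

def scan_image(image: bytes) -> Counter:
    """Count sector classes over a whole (unmounted) partition image."""
    return Counter(classify_sector(image[o:o + SECTOR]) for o in range(0, len(image), SECTOR))

def looks_intact_encrypted(image: bytes) -> bool:
    """True only if every sector is random: what an undamaged TrueCrypt partition shows."""
    summary = scan_image(image)
    return bool(summary) and summary["random"] == sum(summary.values())

# Constructed samples: an untouched container, and one whose start was reformatted.
INTACT_IMAGE = pseudo_random(SECTOR * 8)
NTFS_BOOT = b"\xEB\x52\x90NTFS    " + bytes(499) + b"\x55\xAA"
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR]
FORMATTED_IMAGE = NTFS_BOOT + bytes(SECTOR * 3) + TEXT + pseudo_random(SECTOR * 3, b"tail")

if __name__ == "__main__":
    for name, img in (("intact", INTACT_IMAGE), ("formatted", FORMATTED_IMAGE)):
        print(name, dict(scan_image(img)), "intact?", looks_intact_encrypted(img))
```

On a real case, feed `scan_image` the bytes of a read-only image of the unmounted partition (never the live drive being recovered); any "zeros", "fs-structure" or "plaintext" sectors mark the overwritten region that the mounted volume will then show as gibberish.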
     
  9. Sukhvir Notra

    @dantz The drive has never been accidentally formatted. I checked this using what you suggested. I opened up the drive in DMDE and WinHex without mounting it in TrueCrypt. It's all random data all the way through (WinHex is slightly different - see second video). Here are the screen captures of DMDE and WinHex:

    DMDE : http://youtu.be/a6lX6c_gXxw (watch in fullscreen)
    WinHex: http://youtu.be/8-Afl-n0vgY (watch in fullscreen)

    Would you still recommend data-recovery software in light of the above?

    PS: Don't worry, I will remove these videos once you have viewed them.

    Thanks again
     
  10. dantz

    No, I'm seeing standard file system structures at the beginning of your partition, plus various bits of plaintext. (A block of zeroes can be considered plaintext since it is showing its true self rather than being encrypted and unintelligible.) A TrueCrypt-encrypted partition would not display any of those things. There would be no boot sector, no blocks of zeros, no backup boot sector at the end, none of that.

    Your unmounted encrypted partition has been partially overwritten, and it looks like a format, or at least a partial format, took place. (Perhaps it occurred without your knowledge. Be aware that under certain conditions such as a reinstallation or an upgrade Windows can sometimes do this without prompting).

    Yes, I still suggest using data-recovery software to search the mounted volume. I think it's your best option.
     
  11. Sukhvir Notra

    So how does this data-recovery software work? Do I first mount the TrueCrypt drive using "backup headers" and then start the recovery process? Will this data be encrypted or decrypted?

    Also should I invest in another hard drive?

    PS: I have a paid version of Eassos data recovery software. Is that any good, or should I try the ones you suggested?
     
  12. dantz

    1. Install the data-recovery software in the usual fashion.
    2. Mount the TrueCrypt volume to a free drive letter.
    3. Run the data-recovery software.
    4. Instruct the software to explore the contents of the mounted volume by using its interface to select the same drive letter that you mounted the volume to.

    Yes, the data will be decrypting on-the-fly while the volume is mounted. Most data-recovery programs can work with a TrueCrypt volume, although there are some that can't.

    Sure, try the Easus program. You will probably want to try several, as some will probably work better than others. Every situation is different, so it's hard to predict how things will go.

    If you are able to recover a lot of your data then you will need a storage location (such as an external drive) to copy it to. You should not copy any data back to the original drive. Don't write anything to the original drive or you might end up overwriting the data that you are trying to recover.

    It would also be a good idea to make a backup copy of the TrueCrypt headers. Ideally you should do that first. It's under "Volume tools: Backup volume header". You have to dismount the volume first. I think it will work from the embedded backup header, but if not then you can do it in two steps: go ahead and restore the volume header first (from the embedded backup) and then back up the volume header to an external file.
     
  13. Sukhvir Notra

  14. dantz

    I am not familiar with the new product "GetDataBack Simple", but from what I can see it looks as though you're examining the physical hard drive rather than the mounted volume. Did you select the mounted volume?
     
  15. Sukhvir Notra

    So here is what I did:

    1. I mounted my drive in TrueCrypt to drive letter "M" using the "backup headers" option.
    2. Opened GetDataBack.
    3. It only offered me 2 choices of drives to be scanned for recovery: the 1st one is my system drive, the 2nd one is the external drive (TrueCrypt drive - has only one partition).
    4. I chose the second one.
    5. I chose the level of sophistication to be "high".
    6. And you saw the screenshot.
    7. It's still going. Here is the current status. Would you mind telling me if this is wrong?

      http://i.imgur.com/HJUh6ZJ.jpg
     
  16. dantz

    I have used the evaluation copy of "GetDataBack for NTFS" (there is also a FAT version), and that program allows you to select a logical volume to explore (such as your TrueCrypt volume that you have mounted to drive "M").

    "GetDataBack Simple" is apparently a new product, and I am unfamiliar with it. If it will not allow you to select a logical volume (Drive "M" in your case) then it will not help you. Using it to scan the physical hard drive (as you appear to be doing) is merely a waste of time.

    What about your Easus data recovery software? Have you tried that? Does it allow you to select and explore your mounted TrueCrypt volume?
     
  17. Sukhvir Notra

    @dantz I downloaded the GetDataBack for NTFS version and booyah, it's working. It found almost all my files (with the exception of maybe 4 or 5). In the process of copying these recovered files to a new drive right now.

    Once I have finished this copying procedure, can I rescan the drive using the GetDataBack "Retry each sector" option to recover those missing files?

    Lastly I want to thank you for your help mate, you are a legend.
     
  18. dantz

    Congratulations, that's a fantastic outcome!

    The "retry each sector" feature would be more useful if you were dealing with a physically damaged disk that had limited readability and bad or failing sectors. It probably won't gain you anything in this situation, but if you want to try it then I don't think it would hurt anything.

    It's also possible that Photorec might be able to recover portions of the missing files. If the files contain text then even a fragment could be useful. To save time you could limit the search to specific file types, if you know which files are missing.
     
  19. Jean15

    Jean15 Registered Member

    Joined:
    May 30, 2015
    Posts:
    1
    Hi dantz,

    I have a similar problem. I can mount my TrueCrypt volume, but cannot access it. When I click on the mounted volume I get the message "You need to format the disk drive in J: before using it", just like Sukhvir Notra.

    However, I ran DMDE on the mounted volume and there are no blocks of zeros or any recognizable plaintext.

    I ran GetDataBack on my volume and it said that it has not found any NTFS or FAT file system.
    Photorec did find the files (although I do not know if it found all the files), but like you said the files have weird names, mostly a combination of numbers and letters. I remember using GetDataBack a while ago and it actually gave me back roughly the folder structures and correct file names. Unfortunately, GetDataBack does not work for me this time.

    Since it seems like my header has not been overwritten, is there a way to get my data back with their original names, and possibly with folder structures?

    Any help would be greatly appreciated.

    Jean
    PS: my TrueCrypt volume is a hidden volume.
     