TC Hidden Volume issue | $500 AUD reward

Discussion in 'encryption problems' started by chrislimbers, Oct 24, 2016.

  1. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Hey there, I need some assistance with a big mistake I made. I will happily pay the person who can provide me with steps to either mount the hidden volume and get access back to my files, or who can provide data recovery from the hidden volume without mounting it. I've tried for the past couple of weeks but my technical ability is limited.


    I stupidly copied files into the outer volume without protecting the hidden volume of a TC container file. The file is roughly 200mb and the hidden volume is about 100mb of that.
    It does mount the outer volume without incident and I can access all files within that volume; the hidden volume will not mount and I get the bad file system error.

    Have at it guys I will post any pictures you require and provide you with any further information you may require.
    $500 is conditional on successful file retrieval.
     
  2. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    No one wants to take a stab at this really?
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, I don't want any money, but I will take a look at it tomorrow.

    But when you say that your hidden volume doesn't mount, do you mean that TrueCrypt is telling you that your password is incorrect? Because that wouldn't happen merely from overwriting a portion of the hidden volume by writing too much to the outer volume. All of TrueCrypt's volume headers are stored outside the data area, so TrueCrypt does not tend to overwrite them. And if your hidden volume password is being accepted then you are technically "mounting" the volume, and TrueCrypt is doing its job, as far as it is able.

    What seems more likely to me is that the volume's file system was damaged when you accidentally overwrote a big chunk of it, so TrueCrypt is able to mount the volume, but your OS can't make any sense out of the unstructured data so it gives you a file system error. However, there might still be some recoverable data in there. If so, it will take the use of special tools and care to try to recover it.

    Does the above sound plausible so far? Or am I wrong about your hidden volume password still working?
     
  4. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Thanks so much Dantz, that's very kind of you. Let's get it done and just try and stop me compensating you ;)

    No, passwords for both are accepted, and the outer volume mounts and its files are all accessible and always have been. You are correct in your assumption: the hidden volume gives a filesystem error when mounting.

    Some info for you.
    Windows 7 Home 64-bit is my workstation.
    The TC container was created and utilised via Tails TC 7.2, which is where I made my outer volume overwrite mistake, without knowing I needed to protect the hidden volume at the time.

    I think the headers or the embedded headers are there and seem OK (you might need to walk me through proper testing of this).

    I have PartedMagic live on USB, which has many tools that can help, including WinHex, TestDisk, etc.

    I have used data recovery programs like PhotoRec and Wondershare Data Recovery on every USB or external storage drive and backup storage drive I can find that might have a backup of the TC container (in working state), but to no avail. This has been over 6 months of tirelessly searching for a needle in a haystack that I don't think exists anymore :(

    TC container size - 209,715,200
    Outer volume size FAT32 - 209,453,056
    Hidden volume size - 104,726,528
    Block size 128-bit

    I have time tomorrow so I'll log back in and get back to you within an hour or so of your replies.

    Let me know what programs I need and I'll download them all in preparation for data recovery etc.

    Thanks again, speak tomorrow.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Hey, I know this may seem late, but the day is not over yet, and in fact the sun is still shining in Hawaii!

    So ok, you have basically confirmed that your hidden volume's password still works and thus TrueCrypt is still able to "mount" (although perhaps you didn't realize it) your damaged volume to a drive letter. If your hidden volume's password is accepted and you don't see the "Incorrect password or not a TrueCrypt volume" error message then the hidden volume's header is fine. The problem that I believe you are having is that once TrueCrypt mounts your volume, your OS can't read your hidden volume's damaged file system, and this is to be expected if/when you partially overwrite your hidden volume. This has happened more times than I can say wombat.

    If my assessment is correct then the job now becomes one of data-recovery, and in fact it's not even a TrueCrypt problem anymore. You just have to mount the damaged volume and then use one or more data-recovery tools to try to recover as much data from it as you can.

    Here are some instructions that I threw together. They are not totally, nit-pickingly complete, but they should be adequate if you are able to help out by watching the screens. You may need to deviate from my instructions now and then as necessary.

    1) Download and install "GetDataBack Simple" from Runtime.org. I've always had pretty good luck using GetDataBack for these kinds of recoveries. In fact, runtime.org really ought to send me a free copy for recommending it so much.

    2) Mount the TC volume that you want to recover data from (in your case, the hidden volume) to a free drive letter

    3) Open GetDataBack

    (The next step is necessary to display your logical drives, otherwise GetDataBack will not see your mounted TC volume)

    4) Tools, Settings, Miscellaneous, select "Show logical drives", Close dialog box

    Note: There are some other settings in here that you might want to alter, but for now you can probably just leave them alone. However, since we may be dealing with sensitive data, be aware that the default setting for Temp directory (under the "Log and Temp Dir" tab) might constitute a security risk, as this folder might end up storing some of your decrypted data. If that's a problem then you might want to set the Temp Dir to an external drive before you go any further, so you can wipe it more easily after you are finished.

    The next few steps will make a full backup image of your damaged hidden volume. Afterwards, we will try to recover your files from the backup. That's much safer than working directly within the damaged volume.

    5) Tools, Create Image, select your mounted TC volume (based upon its TC-assigned drive letter) as the Source drive

    6) Choose a pathname for the image file that you are about to create. (See the Note below before you continue)

    7) Click on Start and wait for GetDataBack to make a complete image of your entire mounted volume (this might take a while)

    Note: Before you perform Step 6, make sure there will be enough space on the target drive to hold your entire TC volume, that is, all of it, including all empty/unused space. Also, before you perform Step 7, be aware that the data that will be stored in this image file will NOT be encrypted, so based upon the sensitivity of your data, this might create a security risk. You might want to create your target file on a removable drive so you can wipe it or destroy it when you are done working with it. I suppose you could even create it within another TrueCrypt volume if you felt it was necessary, but I think doing that would over-complicate GetDataBack's job and might cause unnecessary difficulties.

    8) OK, it's time to recover (we hope) some data! Click on the yellow "Image Files" icon (or use the menu to choose Drive, Load Image), then find and select the image file that you just created, then choose Open. The chosen filename should appear as an icon on GetDataBack's main screen.

    9) At the bottom left corner, there is a "Level" icon. It probably has a single star (the default setting), but that's not good enough for this situation. Click on "Level" (or use the menu to choose File System, Level) to select either Level 3 or Level 4. I usually start with Level 3 because it's quicker, but if your volume's file system has been badly damaged then you will probably need to go to Level 4. Try them both if you like and let me know how it goes, but I usually start with Level 3.

    10) Now you should be at the "Select a file system" screen. There should be at least one, and maybe more, icons in the top left corner, and one of them should indicate the file system that you used when you created the TC volume. Maybe you will be lucky and see only one icon. Anyway, click on the one that describes your volume the best, whether it be FAT, EXFAT, NTFS or whatever.

    11) GetDataBack goes to work! Hopefully you will see some familiar filenames and/or folders showing up here. If nothing appears then back out, go to Level 4 and try again. Might take a while. I hope you see some of your missing files here!

    12) OK, here comes the dirty part. You are merely using an evaluation copy. You can't actually copy your files off to recover them unless you purchase a license. Oh noooooooo, I knew there was a catch! But at least GetDataBack is kind enough to show you what files you might be able to recover before they make you pay.

    Just a little warning, before you get your hopes up: Just because a file is displayed on the screen doesn't necessarily mean that you will be able to recover it intact. If the file was fragmented within your TC volume then GetDataBack might not be able to fully re-assemble it, and of course your results will vary widely based on both the fragmentation level of your files and the amount of damage that has occurred to your volume's file system. You get what you get, basically. If you want more then you are going to have to try using other data-recovery tools and probably perform all sorts of advanced trickery, and even then there will probably be some missing data.

    Also, be aware that there are other ways to use GetDataBack. Some users choose to perform their data-recovery attempts from directly within their damaged volumes, but I prefer to make a complete image first, and then work from within the image. It's much safer, and if you screw up then at least you haven't damaged your original. If you really want to play it safe then you can make a forensic clone of the entire drive before you even run GetDataBack.

    There are many other data-recovery tools out there, and I don't claim to know which ones are the best overall, but I do know that some are better than others for certain situations. I just wanted to use GetDataBack to get you started and to see how you do. If you are suddenly feeling less rich then you might want to try the free version of Recuva, which can usually recover some files, although not nearly as slickly as GetDataBack. (Jeez, you'd think I work for the company or something! I don't.)

    Good luck, and let us know how it goes. I hope you get somewhere! We'll see.
     
    Last edited: Mar 25, 2017
  6. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Tried similar processes to this before with zero success. I will probably need a data recovery expert and that trickery you suggested, but I just can't risk a third party recovering the info, hence why I haven't already paid 1000+ for some forensic guru to work his magic.

    I will update you within the hour, and thanks so much for the info. FYI I'm in Sydney, Aus, and the sun's still high in the sky here also.
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Did you try running your other data-recovery software directly on your mounted volume, based on the assigned drive letter? Many data-recovery programs won't even see a logical drive, which is why I suggested using GetDataBack, along with that little setting we changed in order to get it to see your mounted (logical) volume.

    There are other ways to do this as well. You can use WinHex or similar to clone the entire contents of your mounted, damaged TrueCrypt volume into an image file, and then you can attack that file with various types of recovery software, even the ones that wouldn't normally work with a logical volume, as long as they can work with a raw image file.

    Oh yeah, and as to hiring forensic gurus with all their fancy tools and tricks, it's a real problem if you have sensitive, encrypted data. I won't even remote in to help somebody. I don't want to see or touch anybody's encrypted data. Too frickin dangerous for both of us. I limit my assistance to the message boards.
     
  8. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    OK, followed all the above steps to a tee. I can't find any file system at any level for the image or for the logical drive (made backups).
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Did you go to Level 4? I believe that will do file-carving, which doesn't require a file system at all, just a recognizable file type.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    OK, break time already. I'll check back in a bit.
     
  11. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Yeah, I went to Level 4. This isn't good, is it?
     
    Last edited: Mar 25, 2017
  12. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Update: I have 6 container backup files which are all basically the same. However, I created 6 image files and tried the steps again, and one of them mounted an EXT file system but still no data was recovered. Lost and found folder x 2, but they were also empty folders.
     
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Hmm, not good. I guess the next step will be to manually examine the GetDataBack image file to see if it contains any meaningful data. I would open it in WinHex and start looking. The portion that got overwritten (probably from the beginning onwards, to a certain point) will be fully random, but once you get past the overwritten area the original file system should appear and recognizable patterns should emerge (large blocks of zeros, etc.) How large was the overwrite?

    Anyway, I will try to come up with a WinHex procedure for you.

    How did one of your backups have an EXT file system?
     
  14. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    I think because over the last 8 months I've been trying all different TestDisk, diskpart and GParted procedures, taking Hail Mary shots in the dark maybe.

    Don't know. I'll check the hex of the image file now and update you.

    Cheers
     
  15. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Another update, maybe a positive one this time. I opened the TC container image with WinHex (the one which mounted an EXT filesystem in GDB Simple) and saw a large group of 0000xxxxx at the start, then random characters, but then more large groups of all 0000xxxxx and FFFFxxxxx and patterns. The end is also a large block of 0000xxxx, which I assume is the header and embedded header also.

    Over the last 8 months of playing with backups, images and hex editors, recovering 40 old USBs, pulling out hair and going grey in the remaining strands, I haven't seen groups of recognizable patterns, so I'm taking this as a small win even if prematurely.

    Where to from here, Dan? I have the trial version so only 200 KB blocks can be copied, but I also have an old version of a hex editor on the PartedMagic live USB, so I can load the image there as it's the full version, or we can crack on after doing test files in the evaluation version, I don't mind. Fingers crossed.
     
  16. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    There's no need to deal with the TrueCrypt headers, as it sounds like they are working fine. As for how to find them and what they look like, they look like totally random data, so you can't identify them visually at all. All you can do (if it becomes necessary) is look for them in the specific locations where they are normally stored, or do a very tedious trial-and-error search for them if they somehow become lost. But that's not your situation here, as your headers are working (accepting your passwords), your volumes are mounting to drive letters, and when you view your mounted volume (or an image of it) with WinHex you are even finding some non-random data, which demonstrates that your volume is decrypting properly.

    At this point the job, to me, sounds like straight data recovery. I don't think my TrueCrypt expertise is going to be of much more use here. Perhaps WinHex will play a role, plus various other data recovery techniques. We'll see.

    I'll just assume that GDB was mistaken (which is possible) about the EXT filesystem unless you can actually recall formatting it that way. Or perhaps that particular backup is one that you altered or reformatted after the fact, while attempting to figure out how to recover your data. Those are some dangerous tools that you have been playing with, and you can definitely make things worse if you go at things incorrectly.

    As far as what to do next, I can't hold out a lot of hope, but try this just to move things along: If there were any text files within the hidden volume, use WinHex to search for some of the specific words (contents) that you would expect to find there, just to see if any text survived the accident. Or just try searching for the word "FILE" if you can't think of anything else. Make sure you have Text Display enabled, and search Down from the top. Watch the Text display and look for anything readable. In WinHex you can also change the View to Text Display Only, which will make it much easier to scan through large volumes of data. I guess you will have to try this on the original container file, plus some or all of your backups. I hope they are not too different!

    You don't have to create image files to do this, you can just use TC to mount the container file backup of your choice and then use WinHex to explore the mounted volume (Tools, Open Disk, then choose the logical drive letter), as long as you're careful to leave WinHex in Read-Only mode (Options, Read Only).

    Of course, it's possible that the overwrite was so big that it replaced all of your files. But in that case I would expect to see something like this: The mounted volume, as viewed in WinHex, would begin with a very large block of unidentifiable, completely random-looking data which would extend as far as the overwrite went, and then (as you continue to scroll down) you would suddenly reach the end of the giant random-looking blob and you would start seeing recognizable patterns, lots of blocks of zeros, maybe some identifiable words or text, and hopefully some of your remaining files. But it sounds like that's not quite what you are seeing, so I'm a little puzzled by what you are telling me. Of course, I suppose it's possible for the overwritten area to begin farther in. Maybe that's why you are seeing zeros at the start.

    The reason the overwritten area looks random is because it is being encrypted by the decryption process whenever you mount the hidden volume. Never mind the exact reasons why, as I don't think I can explain it legibly right now. And actually, if you just mount the regular volume and examine the extent of its data (say, using WinHex) you might be able to determine how far the overwritten area reaches.

    Oh, just to make sure we aren't miscommunicating here or screwing up too badly, maybe you should try this. I suggest you examine the recent *.img file that was created by GDB to ensure that it is correct:

    1) Mount the hidden volume

    2) In Windows Explorer, right-click on the logical drive letter that TrueCrypt assigned to your mounted volume, choose Properties, General, and note down the exact size of the volume in bytes

    3) Then go find your GetDataBack *.img file, right-click on the filename, choose Properties, General and ensure that this file contains exactly the same number of bytes that Windows displayed for the mounted volume (previous step). It should.
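    An added example (not from the thread, and not part of WinHex, GetDataBack or TrueCrypt): a small Python script that automates the visual check dantz describes, scanning a raw image of the mounted hidden volume block by block and classifying each block as random-looking, all zeros, all 0xFF or structured, so the extent of a leading overwrite can be read off directly. It assumes the image was written unencrypted (as the GetDataBack image step produces) and that the overwrite ran from the start of the volume; the sample image is constructed, and compressed or encrypted files inside the volume will also score as random, so treat the boundary as a first estimate.

```python
"""Locate the overwritten region of a decrypted volume image by block entropy."""
import math
import random
import sys
from collections import Counter

BLOCK = 4096            # scan granularity in bytes (one FAT32 cluster is often 4 KB)
RANDOM_THRESHOLD = 7.5  # bits/byte; uniformly random data scores ~7.95, text ~4-5


def block_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def classify(chunk: bytes) -> str:
    """Label a block the way a WinHex user would eyeball it."""
    if not chunk.strip(b"\x00"):
        return "zeros"
    if not chunk.strip(b"\xff"):
        return "ones"
    return "random" if block_entropy(chunk) > RANDOM_THRESHOLD else "structured"


def scan_image(data: bytes, block: int = BLOCK) -> list:
    """Return merged runs of (start_offset, length, kind) over the whole image."""
    runs = []
    for off in range(0, len(data), block):
        length = min(block, len(data) - off)
        kind = classify(data[off:off + length])
        if runs and runs[-1][2] == kind:
            start, prev_len, _ = runs[-1]
            runs[-1] = (start, prev_len + length, kind)
        else:
            runs.append((off, length, kind))
    return runs


def overwritten_extent(runs: list) -> int:
    """Bytes of random-looking data at the very start, i.e. how far the overwrite reached."""
    return runs[0][1] if runs and runs[0][2] == "random" else 0


def build_sample_image() -> bytes:
    """Constructed stand-in for a damaged image: 12 KB overwritten, then leftovers."""
    rng = random.Random(1)
    overwritten = bytes(rng.getrandbits(8) for _ in range(3 * BLOCK))
    text = (b"FILE: diary 2016-10-24 hidden volume notes\n" * 200)[:BLOCK]
    return overwritten + b"\x00" * (2 * BLOCK) + text + b"\x00" * BLOCK


def main(argv):
    if len(argv) < 2:
        print("usage: scan_image.py <volume.img>")
        return
    with open(argv[1], "rb") as fh:
        data = fh.read()      # images here are ~100 MB, fine to hold in memory
    runs = scan_image(data)
    for start, length, kind in runs:
        print(f"{start:>12d}  {length:>10d}  {kind}")
    print(f"leading overwrite extent: {overwritten_extent(runs)} bytes")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the *.img file from step 3 above; the first run should be "random" and its length is the part of the hidden volume the outer-volume copy clobbered, after which searching for filenames or text is only worthwhile.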
     
  17. chrislimbers

    chrislimbers Registered Member

    Joined:
    Aug 1, 2016
    Posts:
    13
    Location:
    Sydney
    Ok will do the above steps and let you know the results.

    Thanks
     
  18. thidisbogus

    thidisbogus Registered Member

    Joined:
    Feb 10, 2018
    Posts:
    2
    Location:
    Magnolia, Texas
    Hi Chris,

    Were you able to recover your data yet?

    I have a remarkably similar situation here.

    I have an encrypted flash HD that was set up using TrueCrypt. As I was trying to access it, it told me the header was corrupted and told me to repair it. It is 64GB and I didn't know any better so I had to go ahead and have TC repair the header using backup stored on the HD.

    TC said it successfully repaired the header, but now when I try to access the volume this happens:

    1) I can successfully mount it, it accepts the password, and lists itself as \Device\Harddisk1\Partition1
    2) After mounting, when I try to access the volume it says "The volume does not contain a recognized file system. Please make sure that all required file system drivers are loaded and that the volume is not corrupted"

    I have used WinHex to make a sector-by-sector clone of the disk and use the cloned copy for all experimentation. Once I try something and it doesn't work, I will go through the effort to clone again in case of any damage that could have been caused by the tool.
    No matter what tool I use, the mounted volume always shows up as RAW file system.

    I used Windows 7's Disk Management to initialize the disk and then create (but not format) a new maximally-sized (default size) partition. I ran Zero Assumption Recovery with no results.
    I have used Testdisk to attempt to rebuild the boot sectors but failed with FAT32 and NTFS.
    I purchased GetDataBack, mounted the volume and ran it. It recovered what was supposed to be 21 SWF files and 1 RIFF file. I never had these file types on the drive. I tried to open them and they were invalid anyway.
    I have not tried but was considering M3 Data Recovery software.
    I ran WinHex and searched for a text keyword from one of the Word documents I had (it was a diary going back almost ten years) and it came back with no results.

    I have read that you can save the entire partition as a file in WinHex if you want to (and it is a good method for retrieval in some circumstances), but I have not done that and would appreciate some guidance on how to do it.

    Please let me know if you have had any success with anything else. Like you, these files are years worth of family videos, photos and diaries so I am really trying to recover them.
     