TC system drive problem. Wrong password

Discussion in 'encryption problems' started by markohasb, Feb 6, 2013.

Thread Status:
Not open for further replies.
  1. markohasb

    markohasb Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    4
    Hello, I have a big problem with the TrueCrypted system drive.
    I partitioned my SSD USB 3.0 flash drive. I made two partitions. The 1st partition is 3.72GB (first partition sector 32 and last partition sector 7806975) and the 2nd partition is 55.18GB (first partition sector 7807653 and last partition sector 123523784).
    I installed Windows 8 on the second partition of my USB 3.0 flash drive and I encrypted it with TrueCrypt as a system drive. Everything worked fine. But Windows 8 sometimes crashed (I think there was a BSOD error which told about an old drivers problem in Windows 8, but not a USB flash drive problem). After the last crash my TrueCrypt bootloader did not want to work and said that the password is wrong. So I tried to attach my flash drive to another laptop just like a USB flash drive (not boot, just attach); there was Windows 7 on the other laptop. Windows suggested checking the disk. The utility found some problems and fixed them.
    After that I can't boot my Windows 8 on the flash drive. Even when I try to mount that partition on another PC with the TrueCrypt software, I can't. It says Wrong password or not a TrueCrypt volume. I tried "Allow mount without pre-boot authentication"; it fails. The answer is the same: Wrong password or not a TrueCrypt volume. The worst thing is that my TrueCrypt Rescue Disk was in the encrypted partition, in the My Documents folder...
    There is a lot of very important information in that partition. I know my password. Is there any possibility to recover my data?
    I don't really know whether the header was overwritten or not. I hope there is a way to fix it.
    I'm new to hex editors and WinHex. Can someone help me? How do I find the partition in the WinHex editor... or how do I find the header if it is not overwritten...
    Are there any other ways?
    Sorry for my bad English. Best regards.
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    You can try creating another rescue.iso on another machine. In certain, limited circumstances, it may allow you to get in. I don't know the particulars, but I would use the same algo/hash/password when you make this second rescue.iso. Search the TC forum for more info. Please, please, please burn a CD or make a bootable USB/SD Card...having it in your My Docs folder does you no good, as you have found out.

    PD

    ETA: When you tried mounting in the external dock with the TC GUI, did you try the method using the embedded backup header?
     
    Last edited: Feb 6, 2013
  3. markohasb

    markohasb Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    4
    Embedded backup header - what does that mean? I don't know this method. I'll try to read about this.
    I think the same about a rescue disk from another machine with the same password. I already installed a new system on a partition of similar size and soon I'll get a new rescue disk with the same password. Hope it will be good news.
     
  4. markohasb

    markohasb Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    4
    Embedded backup header tried. Nothing good... Wrong password or not a TrueCrypt volume. I already have a Rescue Disk from another system with the same pass and algorithm. But if I try to overwrite the header and get nothing, what then?
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    System-encrypted partitions don't have embedded backup headers. The backup header for a system-encrypted partition is stored in the rescue disk. It was very careless of you to not burn a rescue disk or at least store a backup copy of the rescue disk .iso file in an accessible location. Plus, TC does not yet support Windows 8, so you really should have backed up your important data before playing around with it. But OK, we're here now.

    The volume header for system encryption is normally stored in the last 512 bytes of Track 0. If you have 512-byte sectors then this would be the 63rd sector (Sector 62, counting from 0). Or just use a hex editor to go to 32256 decimal and then look at the end of the previous sector (although if your drive has 4K sectors, and I believe it does, then I'm not sure about this). If the header has not been overwritten then it should look like random data. If it's all zeros then you're most likely screwed.

    If you use a rescue disk that was created on a different computer then you can try to boot from it if you like, but do NOT use it to restore the Key Data (the header), as doing this will guarantee that you are permanently locked out of your data. The fact that the rescue disk was built using the same password and algorithm means nothing. It will not be able to decrypt your data by itself. The volume header on your flash drive needs to be intact, since (in your case) that's the only place where the correct encryption key might be located.
     
    Last edited: Feb 6, 2013
  6. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Thanks dantz...always learning.

    PD
     
  7. markohasb

    markohasb Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    4

    Here is what I found in the 63rd sector (62 counting from 0); look at the picture I attached.
    What can I do next?
     

    Attached Files:

  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    The highlighted block contains words, long strings of zeros and other non-random data. In short, it doesn't look anything like a TrueCrypt system header. If your header used to be there then it's gone now.

    On all of the drives that I've worked on the 512-byte TC system header is located in Sector 62, which you have apparently highlighted. However, I've only worked on drives that use 512-byte sectors. Many of the newer drives today use 4KB sectors, but since I haven't had a chance to play with any of those yet, I really can't say whether or not the TC header might be located elsewhere on that type of drive. I guess the next step is to confirm this one way or the other, on the hopes that your header still exists elsewhere (as that's your only chance). Although from what I'm seeing, HxD seems to think that your drive uses 512-byte sectors. Does it?

    Also, what is in sectors 1 through 61? The TrueCrypt bootloader should fill most of that.
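
The check described in posts 5 and 8 (is sector 62 random-looking, all zeros, or structured data?), as an added example that is not part of the original thread. It reads only from a disk image file; the 512-byte sector size, the entropy and zero-run cut-offs, and all function names and sample data are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512     # assumption: 512-byte logical sectors, as in the thread
HEADER_SECTOR = 62    # last sector of track 0 (starts at 31744, ends at 32256)
MIN_ENTROPY = 7.0     # assumed cut-off; 512 random bytes score about 7.6 bits/byte
MAX_ZERO_RUN = 8      # assumed cut-off for "long strings of zeros"

def read_sector(image_path, sector=HEADER_SECTOR):
    """Return one sector from a disk image file, opened read-only."""
    with open(image_path, "rb") as f:
        f.seek(sector * SECTOR_SIZE)
        data = f.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("image is too short to contain that sector")
    return data

def shannon_entropy(data):
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def longest_zero_run(data):
    """Length of the longest run of consecutive 0x00 bytes."""
    best = run = 0
    for byte in data:
        run = run + 1 if byte == 0 else 0
        best = max(best, run)
    return best

def classify_sector(data):
    """'all-zero', 'random-looking' (header may survive) or 'structured'."""
    if not any(data):
        return "all-zero"
    if shannon_entropy(data) >= MIN_ENTROPY and longest_zero_run(data) < MAX_ZERO_RUN:
        return "random-looking"
    return "structured"

def constructed_image(sector62):
    """Constructed sample: 62 zeroed sectors followed by the given sector 62."""
    return bytes(HEADER_SECTOR * SECTOR_SIZE) + sector62

# Constructed stand-ins: hash output mimics an encrypted header, text mimics boot code.
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
TEXT_LIKE = b"Invalid partition table\x00Missing operating system".ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    for name, sector in (("random", RANDOM_LIKE), ("text", TEXT_LIKE)):
        print(name, round(shannon_entropy(sector), 2), classify_sector(sector))
```

A "random-looking" result only means the sector is consistent with an intact header; it does not prove the header is valid or that the password will be accepted.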
     