TC Volume Lost Partition

Discussion in 'encryption problems' started by BigSmurf, Jun 13, 2014.

Thread Status:
Not open for further replies.
  1. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    Hi all!

    First of all, sorry for coming with a new post for what seems to be a common issue (a lost partition on a TC encrypted volume) but after reading a few threads I realized that they were not identical and since I don't know much about partitions, encryption and filesystems I'm worried about applying a solution which will aggravate the issue rather than solving it...

    So I have a 1TB external hard drive (WD My Passport) which I encrypted using TC. I set the same password as the system drive, also encrypted through TC, so it was able to auto-mount without prompting for any password on my computer. All worked fine for more than a year.

    Then recently I switched to a new computer which I also encrypted with TC but with a new password. When I plugged my external HD into it I was able to access it without any issue but obviously it was not possible to auto-mount it since the password was now different. So I changed the password through TC using the volume tools. But even though it told me that the operation was successful, the partition disappeared...

    I'm now able to mount the disk (partition0) but the usual partition1 has disappeared from TC. The mounted disk appears as a RAW disk on Windows. What I tried (probably wrongly...) was to back up the volume header from the one embedded in the disk (without success and apparent changes) and revert back to the first password (operation successful again but partition 1 is still missing).

    Any idea on what I should do and how I should proceed?

    Thanks a lot in advance for any comments! :)
     
  2. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    If it helps, below are 3 screenshots from TC (Devices list with partition 0 of harddisk 1 now missing, volume properties once mounted, and disk manager properties).
    Again infinite thanks ;) to anyone able to give me some advice! :)

    TC_devices.jpg TC_Properties.jpg TC_Manager.jpg
     
    Last edited: Jun 13, 2014
  3. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    No ideas...?
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    This doesn't sound too difficult. You've merely lost your partition, and according to my rough calculations (based on the imprecise data that you've already posted), the beginning of your lost partition was probably located in the default location (at offset 1048576 decimal). We can try to confirm that mathematically, and then test it, and then go on to an attempted recovery.

    I'd start by downloading and installing the evaluation copy of WinHex. Use it to open Disk 1 (Tools: Open Disk: Physical Media: choose the desired disk), then look at the sidebar to read the drive's Total Capacity in bytes.

    Also, note that the original size of your mounted TrueCrypt volume was 1000169275392 bytes. (This number is stored in the TrueCrypt header and it never changes, even if you screw up your volume in the meantime). Add 262144 to this number to include the four 64KB headers that are wrapped around the data area of the volume. The result is the total size on disk of your original TrueCrypt volume. I get 1000169537536 bytes.

    Subtract the above number from your disk's Total Capacity in bytes (from WinHex) to see how many unused bytes existed on the disk (back when it was working properly, that is). Is the number close to 1048576? Well, whatever it is, we'll use WinHex to go there and do a visual inspection to see if we can find the alleged beginning of your lost encrypted partition.
     
  5. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    Hey, hi dantz!
    Are you the universal saver of lost data? :)
    And glad to see that it doesn't look like such a big matter to you! I've no idea how a hard drive is logically structured...

    So I did what you suggested, and bingo, I got exactly 1048576!

    Disk total capacity from Winhex: 1000170586112.
    So 1000170586112 - 1000169537536 = 1048576.

    I've used WinHex to go there (Go to offset) but since I don't know what to look for, I haven't gone further ;)

    Thank you so much for your support!
     
  6. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    Hi again! ;)
    I tried to dig a bit further (without doing anything not reversible) and followed one of your posts from 2012: https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/

    So to recap:
    -Part1: No issue, test file created from sector 1048576 to 1248576.
    -Part2: Password accepted and file mounted! On TC properties I got the exact same size (1000169275392 bytes) and info as from the full hard drive. Not sure I understand why... The TC header would be copied both at the start of the hard drive and at the start of the file (so offset by 1048576 in the file)?
    -Part3: When I open the mounted file in WinHex I get a warning message telling me that 'The file or directory is corrupted and unreadable'. I guess it's normal since you say it shouldn't contain a complete file system? Anyway it definitely shows non-random data! I can see NTFS written close to the beginning (offset 3) then later 'A disk read error occurred NTLDR is missing NTLDR is compressed Press Ctrl+Alt+Del to restart' then empty space from 3456 to 8191 then I can recognize some of my folder names (written with a space between each character) then again alternately empty blocks and data. I guess it's because of the look-like-4kB cluster size, right?
    -Part4: Don't know if all the above went as you expected it, but made this back anyway already.

    So was this what you had in mind? And do you suggest me to go ahead with the recovery from windows 7 disk management as you did in the earlier mentioned post or is this different? Tell me if you need anything more!
    Thanks a lot again!! :)
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    You're doing great. I think you're probably going to recover all of your data. But did you happen to notice my Post #61 in the thread you referenced? I have concluded that using Windows Disk Management or DiskPart to recreate the default partition is unnecessarily risky for most users. You can do it (it only takes a few minutes and it is very easy to do) and it might work, but in certain cases it can screw things up even worse. (To play it safe you should back up the entire disk before trying this. If you choose not to back up then please don't blame me if something goes wrong.)

    I feel that it's much safer to select the entire contents of the lost partition (using WinHex or some other hex editor) and save the selected block as a gigantic file, and then save that file in an existing formatted partition on another disk. Naturally, the partition that you store the file in will need to have sufficient space available.

    The procedure is just like the one you followed to create the test file, only larger. (In most cases you merely extend the block to the end of the disk). If it's done correctly then TrueCrypt will be able to mount the file-hosted volume, just as you were able to mount your test file, but this time it will contain the full contents of your volume. (Downside: The evaluation copy of WinHex will not allow you to save that large of a file. You will need to either purchase a license, or use a different hex editor such as HxD, which is freeware.)

    The above will allow you to regain access to your data, but it's not a complete solution. Once you have access to your data then you should first back it up, and then you can recreate and format the lost partition on the original disk, encrypt the partition once again, and then copy your data back in.

    I can see why many users would just want to follow the quick, easy, in-place solution (using Windows Disk Management or DiskPart), as you won't have to buy any additional storage space or a WinHex license, or copy off all of your data. If you decide to accept the risks and try this on your own then make sure you have backed up the headers on your test file first, as you will need to restore them to the new partition.
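
The arithmetic from post #4 and the "save the block as a file" step from post #7, as an added Python example (not code from any poster in this thread). It assumes you work on a raw image file of the disk rather than the live device, and that the unused space in front of the volume has lower entropy than the encrypted data; all function names are made up for illustration.

```python
import math, os, tempfile

TC_HEADER_AREA = 4 * 64 * 1024  # four 64 KB headers = 262144 bytes (figure from post #4)

def expected_partition_offset(disk_capacity, volume_data_size):
    """Bytes in front of the volume, assuming it ran to the end of the disk."""
    return disk_capacity - (volume_data_size + TC_HEADER_AREA)

def entropy(block):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts if c)

def looks_like_volume_start(src_path, offset, sample=4096):
    """Stand-in for the visual check: random-looking data begins at offset.
    Heuristic only (assumption); it cannot prove a TrueCrypt header is there."""
    with open(src_path, "rb") as f:
        f.seek(max(0, offset - sample))
        before = f.read(min(sample, offset))
        f.seek(offset)
        after = f.read(sample)
    return entropy(after) > 7.5 and entropy(before) < entropy(after)

def carve(src_path, dst_path, offset, length, chunk=1024 * 1024):
    """Copy [offset, offset+length) into a new file; the source is only read."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:  # "x": never overwrite
        src.seek(offset)
        while copied < length:
            data = src.read(min(chunk, length - copied))
            if not data:
                break
            dst.write(data)
            copied += len(data)
    return copied

def demo():
    """Constructed, scaled-down image: 8192 zero bytes, then random 'volume' bytes."""
    gap, data_size = 8192, 65536
    with tempfile.TemporaryDirectory() as d:
        img, out = os.path.join(d, "disk.img"), os.path.join(d, "volume.tc")
        with open(img, "wb") as f:
            f.write(bytes(gap) + os.urandom(data_size + TC_HEADER_AREA))
        size = os.path.getsize(img)
        off = expected_partition_offset(size, data_size)
        return off, looks_like_volume_start(img, off), carve(img, out, off, size - off)

if __name__ == "__main__":
    print(expected_partition_offset(1000170586112, 1000169275392))  # thread's numbers
    print(demo())
```

The carved file is what TrueCrypt would be asked to mount as a file-hosted volume; because the source is opened read-only and the output is created exclusively, a wrong offset costs only disk space.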
     
  8. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    And.... YESSSS !! :)
    Looks like all my data is here!! (or at least most of it)
    You're a genius dantz! So much thanks! :)

    For information I went the fast way (using computer management) mainly to avoid buying WinHex, at least first, because I made a bit by bit backup of my drive before trying it (using DiskImage 1.6 that I already used previously) on another identical HD.
    All good now! I'm just a bit scared to try to change the password again since it looks like it caused my issue (or at least the issue appeared at the same time). Any idea/experience on this?

    Again, many thanks!
    Take care!
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Great news! And I love it when people figure out how to do all of the details themselves by reading the prior posts. Of course, you have to follow the right details, so thanks for checking first.

    Changing your password really should not have caused this problem. Usually some sort of a Windows issue is to blame. Another way to cause this would be to select the wrong device (the disk instead of the partition) and then restore the header, in which case it would overwrite the partition table. Is that what happened?
     
  10. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    OK, I changed the password without any issue :)
    And, yes, it is very possible that I restored the header to the disk instead of the partition, but only when trying to get access back to my data after the partition disappeared from TC. Of course it's always possible that I did it before by mistake... but I don't see myself trying to do that if everything worked as expected. Hard to be 100% sure now of what I did then.
    Anyway, a thousand thanks again!
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    You say you didn't get all of your data back? Possibly your hard drive experienced a hardware error near the beginning of the disk. That could take out your partition table and a portion of your volume. I'd back up that data if I were you, and then test the disk thoroughly.
     
  12. BigSmurf

    BigSmurf Registered Member

    Joined:
    Jun 13, 2014
    Posts:
    8
    Nope, all data recovered and secured! :)
     