Truecrypt accepts password but container not accessible

Discussion in 'encryption problems' started by meister72, Jun 3, 2014.

Thread Status:
Not open for further replies.
  1. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    Hi guys, i have read quite a few links originating from here regarding my problem, but the more pertinent ones (to my issue) have just stopped...which i can understand all of the info here is voluntary, and that a moderate amount of expertise is required, but if someone can , please help me out.

    amongst the entire web, i feel this forum has understanding regarding TC issues (now that there is an issue on truecrypts site)

    i had created a TC partition of hidden 50gb with an open 5GB on a 64gb SD card,

    problem is, i feel i overwrote the header by writing above and beyond the open containers capacity and now although i can mount BOTH of the containers, the hidden container mounts as "not accessible" in win7 pro 64,

    -i have attempted at usiing Getback data (NTFS+FAT) and recover my files v5
    -winhex does not know what format is my encrypted/hidden partition
    -recover myfiles 5, does recover my files, but they come out corrupted, even though some of the folder-tree remains, the data is corrupted

    any help guys.

    thanks :)
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Actually, you probably didn't overwrite the header, as TrueCrypt headers cannot be overwritten by adding data to a container. The headers are completely outside of the data area, even for hidden volume headers.

    It sounds to me as though you may have added excessive data to your outer volume without enabling "hidden volume protection". This can overwrite a portion of your hidden volume's file system and data. Could this be what happened?
     
  3. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    yes, i believe so
     
  4. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    getdataback for NTFS says no NTFS but GBD FAT says no FAT, however could someone let me know, am i to try and mount the encrypted volume to recover files or just mount the open container, and also what options to select in getdataback
     
    Last edited: Jun 4, 2014
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You are saying "Getback data". Is that the name of the program, or are you using "GetDataBack" from runtime.org?
     
  6. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    yes i just corrected that that, thanks, it is getdataback from runtime.org
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    In the past I've used GetDataBack very successfully on TrueCrypt volumes, but I don't have it installed right now so I can't go into specifics. But as I recall, I didn't need to mess around with the options too much. The main thing is to make sure that you are selecting the same drive letter that you mounted the volume to in TrueCrypt (in GetDataBack it should be listed under "logical volumes").

    You might also try PhotoRec (which comes with TestDisk), as it will function normally even if your volume's file system is badly damaged. PhotoRec uses file-carving techniques to locate your lost files according to their known signatures on the disk, and thus it doesn't even look at the file system. However, the recovered files can sometimes be quite a mess, and not all of them will be complete, but you can almost always recover something. It helps to recover only certain file types at a time (by limiting PhotoRec) so as not to be overwhelmed by too many files at once.

    From your previous posts it sounds as though you can access your TrueCrypt volume and it is decrypting properly, so your problem has become one of data-recovery. Every situation is different, so I suggest you try several different data-recovery tools.
     
  8. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    well, i did, and got back ~30GB of data although the folder names were numbered, but within the folders themselves the hierarchy was properly maintained, any way to recover or repair the drive itself to appropriately access the data
     
  9. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    I'm glad you got (most of? all?) your data back, I'm certain dantz will be too, I hope neither of you mind me jumping in at this point

    What you do now pretty much depends why the problem happened to begin with, being an SD card makes it a bit tougher to diagnose than a hard drive (no SMART).

    It could be as simple as corruption from a bad write or a dismount partway through a write, in which case CKKDSK /F or reformatting the container is a complete cure. Though you're better to use CHKDSK /R as a test, (it implies /F anyway) see next bit.

    Damage from ESD is always a possibility with solid state memory (or just some cells going bad for other reasons), quality SD cards will put damaged cells out of use, cheap SD cards sometimes lack the ability of hard drives or SSDs to remap bad areas transparently, CHKDSK /R will check for them, and mark them at a filesystem level, if the card has any TC will bomb out if you try to encrypt again, and I wouldn't like to guess what happens if such cells got shifted as a result of wear levelling afterwards.

    In the case CHKDSK /R marked anything bad I wouldn't be wanting to use the device with TC anymore anyway, and I'd be wary of storing anything critical on it at all. If it didn't you should be good to go again, but as with anything data related keep a current backup!

    By all means wait for dantz to comment before acting on anything I've said though, I'll be the first to admit he's streets better than me at dealing with damaged TC volumes!
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Hi BeardyFace,
    I very much appreciate your helping out here, as I really don't have time to respond to all of the TrueCrypt-related threads in this forum. And I think it's going to get even busier now that the TrueCrypt forums have shut down.

    In this case I think the OP has pretty much confirmed that the problem was caused by an accidental overwrite of the hidden volume's contents, so his hardware is probably ok, or at least, that's the current assumption.

    PS: If you were wondering, I was "Dan" in the TrueCrypt forums.

    @meister72: I agree that running chkdsk /r is probably a good idea, but it might adversely affect your unrecovered data (if any), so I would make sure that you have recovered and backed up as much data as possible using other means (i.e. data recovery software) before actually trying it.

    And in the end it would be best to copy off your recovered data, test the media for defects, reformat the volume, and then (if all is well) copy the data back in.

    And while you're at it, don't forget to back up your volume headers and store them elsewhere (not on-disk). Can't hurt!
     
  11. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    yes Dantz, all the truecrypt stuff i read about, in an attempt to fix my problem, was info i gleaned off your posts when i wasnt registered.

    30 GB is half of the data? is there nothing else i can do? i had read in your earlier posting that runnign check disk was going to affect recovery big time

    @ beardyface, the SD card is U-sd from Sandisk
     
  12. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    Guys, in getdataback for FAT, the logical (i.e TC not mounted either the hidden or the outer volume) drive is not readable, its only when i mounted the hidden partition was it able to recove the 30gb of data, i have another 20Gb to find on that volume, any ideas,?

    i would like to be able to read the entire volume were it to mean that i could recover >90% of my data
     
  13. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    You're probably ok from a hardware perspective then Sandisk are decent quality, all I can suggest is try as many different data recovery tools as you can find to try getting the remainder recovered, as you've already found, you often get different results with different tools.

    One more thing I personally would try before resorting to CHKDSK if it were me, would be to run Spinrite from grc.com on the drive, then see if recovery improves afterward. I'll warn you that it's quite involved to run Spinrite on an SD card though, as you have to set up a virtual machine and give the VM raw access to the SD as one of it's hard drives, then boot spintite in the VM, it does it's recovery at a hardware rather than filesystem level, and the results are sometimes dramatic. The fact the card is encrypted is irrelevent to the way Spinrite works, just test entire card, I've had it recover or make recoverable things nothing else would, it's not free though. Also using higher levels than 2 shorten the life of solid state media, you'd want to avoid that. If Spinrite completes without error you know 100% the card itself is in good shape. Unlike CHKDSK it is very unlikely indeed to damage any data in the course of its testing or recovery processes.

    I have the software anyway though, only you can decide if it's worth the price of the software and the hassle of setting a virtual machine up when I can't give you any guarantee it will help, in fact given how the problem occurred I'd say the chances it'd help are more limited than if the damage was from an unexpected power outage for instance. I'd only have time to lose, not cash, and in my case the VM is already basically set up for other drive testing jobs.

    Eventually you'll reach a point where you have to decide you've got all you're going to off it, that's the moment to reach for CHKDSK but do what you can with other tools firsrt, CHKDSK is a one way trip and could make things worse or better, it's even *possible* that some of the tools might recover things afterwards they couldn't before, it's just as likely to put data that was previously recoverable beyond reach though.

    @dantz I'd guessed, as you'd doubtless guuessed my identity as "Bearded_Blunder"
     
  14. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    try photorec
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, that was an easy one. Thanks for helping out! I'm drowning here.
     
  16. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    i tried photorec as you suggested, however the outcome was the same, 30GB recovered :(

    17 hours and this was all it recovered

    Now i am mentally prerpared to run chkdsk, but i cannot seem to select the mounted container as win.file system says it doesnt contain a valid file system
     
  17. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    Then the filesystem is too damaged for CHKDSK to handle and you're left with FORMAT as your only viable tool to repair it, with the obvious consequences regarding any data on there.
     
  18. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    i ran the entire disk through minitool partition checker...and it came up with no errors on filesystem
     
  19. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    Well either it's right, and CHKDSK is wrong, or CHKDSK is wrong and it's right, if CHKDSK is wrong, this is a good moment to report the fact to Microsoft, it's their tool and it *ought to be able to* reconize a Microsoft filesystem no?. I've not used minitool, but the possibility occurs to me, it might not report a filesystem error if it doesn't recognise a filesystem.....
     
  20. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    ok, i guess fate would have it, i'll have to format the partition, but as a last piee of advice, if i were to make a copy of the drive in its current state to attempt retrieving the info sometime later, what would you advise me to do?
    Meaning do i make a copy of the hidden partition or the open partition? the difference between the 02 is that the TC hidden is 50GB in size and the TC open partition is 5Gb in size
     
  21. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    if you want to make a copy for purposes of trying more recovery, you'd make an image (sector clone) the entire unmounted device
     
  22. meister72

    meister72 Registered Member

    Joined:
    Jun 3, 2014
    Posts:
    13
    hey guys, sorry i was away, i had some crazy shifts at work since they let off some folks and there weren't enough of us to handle the work load

    i tried making an image of the SD card via winhex, however itisnt mountable or decryptable via TC, any other software to recommend do the same thanks?
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Try copying just the partition and saving it as a file. WinHex can do that easily, and the resulting file should contain everything and be mountable by TrueCrypt.

    However, it's important for the starting offset to be exactly right, otherwise TC will not be able to locate its headers. If you wish you can first do a small-scale test by saving a small (1 or 2 MB) file from what you think is the correct starting location, just to see if TC can open it. If it works then copy the entire partition and save it as a file. (Select the entire partition, then "Edit: Copy Block: Into new file")
     
Loading...
Thread Status:
Not open for further replies.