Truecrypt cannot decrypt system

Discussion in 'encryption problems' started by testowe, Nov 6, 2013.

Thread Status:
Not open for further replies.
  1. testowe

    testowe Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    2
    Hi,

    I have encrypted system partition 55gb.
    My hdd have problem i guess bad sectors there. My windows cannot start. I launch my hirens cd, try mount it /without pre-boot/ and it works - i saw my data. Next i launch my truecrypt rescue disk and use decrypt partition system. On about 97% it stucks:

    read error:16 sector 620698729
    skip all sectors? y
    reamaining...

    So i back to hirens CD and try mount it to backup all data, but TC tell me that i must first decrypt partition (bcs it started) and i cant mount it.
    This 97% files are decrypt or not? only 30mb left to decrypt whole partition...probably this 30mb are bad sectors. I have very important data there. What i can do to decrypt this data or mount this partition?

    ps
    sorry for my english
     
    Last edited: Nov 6, 2013
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You're in pretty deep, but you got here by committing several big mistakes:
    1) You didn't have your important data backed up in advance
    2) While troubleshooting a serious problem, you didn't back up your important data as soon as you got the chance
    3) You attempted to decrypt a damaged hard disk

    After booting to the Hirens CD and seeing your data you should have backed it up immediately. That was you best shot at success. Now, however, you are stuck with a partially-decrypted volume and your task has become much more difficult. There is an approach that you can try, but it is highly technical:

    Briefly (and don't try to do this without skilled assistance, because this is just a general overview, not a complete step-by-step solution):
    1. Use a hex editor to save the 97% (already decrypted) portion of the partition as a file. (TrueCrypt decrypts from back to front.)
    2. Make a backup copy of the current TC header (in Sector 62)
    3. Restore the original TC header (from the TC Rescue CD) to the disk. This will restore your ability to mount the volume using the "mount without preboot authentication" command, but it will also cause TrueCrypt to lose track of which portions of the volume have been decrypted, so don't do this lightly.
    4. Slave your drive to another one, or use a boot CD, and mount the volume "without preboot authentication"
    5. Use a hex editor to copy the unencrypted first 3% of the partition (in a decrypted state, since it's now mounted) and save it as a file. (Ignore the remaining 97% of the volume)
    6. Assemble (concatenate) the two file fragments together, being very careful to get the border between them exactly right, otherwise the resultant file won't decrypt. This is the trickiest part, and it will probably take several or more tries until you figure out exactly where the borders should be.
    7. Mount the newly assembled file using TrueCrypt, then copy the resultant file back to the partition, replacing the current contents, then copy off your important data.

    I can't walk you through the exact procedure here in the forum, as it's too complex. You need to either find an expert who is good at hex editing and who understands how TrueCrypt works, or become that person yourself.

    PS: You might be able to recover some of your data right now using data-recovery software, but you need to do it carefully. Don't write to the disk.

    Edit: crossed out some incorrect details

    (Hmmm, in retrospect, there's a slightly more efficient way to accomplish the task, but I won't continue to edit/rewrite the overview. Tell me if you are seriously considering doing this and also if you have access to some sort of an expert computer user, and I will help with more details if you like.)
     
    Last edited: Nov 8, 2013
  3. testowe

    testowe Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    2
    Thanks for reply!

    Im lame with hex editor, so i was go with my own thoughs (wrong decision i could try hex).

    This is what i make:

    1. I was hope that 95% data is decrypted, so i use recovery tools, but it didnt works - no data found and stucks on bad block.
    2. Next i use disk regenerator to remap bad sectors - it works but stuck on one of them. So i use live-cd with victoria and remap this sectors, then use again regenerator - wow it works!
    3. Try decrypt last 5% partition - works! Decrypted completed.
    4. Try use recovery tool and...find decrypted data only on this 5% partition, 95% still is encrypted <omg>o_O . Only first 3/55gb can recovery...
    5. Try backup TC header and bootloader and again decrypt from beginning /from 55 to 0gb/ - now all data is encrypted and no data to recovery (i have clone).

    No idea what i can do more, one clone have all data encrypted (the last one with 100% decrypted), second clone have 5% decrypted and 95% encrypted (with decrypted last 5%). I have third clone too (fist one) - make him before i decrypt (cant mount it, no recovery etc. - clone done with skip bad sectors bcs clone program stuck on them) When i try mount TC says that it must be completed first /process not been completed/ . Backup header and TC boot sector or system boot, doesnt work. I try mount too clones and partition with pre-bot and backup header but cant recovery data (data seems enrypted).
    Try use testisk too and rebuild BS - no help.

    Its so hard for me to understand why TC only decrypt 5% partition if he was continuing what he started /when i remap bad sectors/ o_O

    I guess its done (no succes), sorry that i dont follow your advice.
    Good luck to all.
     
    Last edited: Nov 10, 2013
Loading...
Thread Status:
Not open for further replies.