TrueCrypt container disappeared from a flash drive!

Discussion in 'encryption problems' started by stopkran, Jul 11, 2014.

Thread Status:
Not open for further replies.
  1. stopkran

    stopkran Registered Member

    Joined:
    Apr 26, 2014
    Posts:
    5
    Hello to everyone and thanks in advance for any help!
    Here's my situation, briefly explained: I've got a 16GB SanCruiser SanDisk USB flash drive. I formatted it in NTFS and then created a FAT container which I encrypted with TrueCrypt. I've always mounted it by selecting file, not partition. The problem occurred when I tried to use it with my friend's computer. I restarted his computer with the flash drive in a USB slot (unmounted, of course) and when it restarted the flash drive no longer contained my container. It looked like it deleted it. Everything else that was stored on the drive outside the encrypted container was there but the very container which was always shown as file was not there. Say that the container size was about 6GB. And now the flash drive shows almost 14GB available space!
    Is there a way to restore the container? I used Photorec to try and restore my files and was able to recover a lot of files including a file of the same size as my container (almost 6GB). I was even able to change its extension and mount it in TrueCrypt with "Use embedded headers feature" but the drive it mounted to cannot be accessed. What do I do? Please, help!
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    For the sake of accuracy I will just mention a few apparent discrepancies in your description of events, and then we can go on to try to recover your data:

    1) It is almost entirely unheard of for Windows to selectively destroy a TrueCrypt container file while leaving all surrounding files untouched. Merely restarting a computer shouldn't do anything like that. I suspect that something else occurred instead. Perhaps you accidentally deleted the file, or renamed the file, or replaced the file with a smaller file of the same name, or something like that.

    2) As far as I am aware, Photorec is not capable of recovering a lost TrueCrypt container file.

    3) It is not necessary to change a file's extension before it can be mounted in TrueCrypt. Any filename and extension will work. A filename without an extension will also work.

    But ok, you are where you are, no matter how you got there, so let's go forward from here.

    If the embedded backup header is functional (that is, if your password is being accepted and the file can be mounted in TrueCrypt) then the file's ending offset is correct, so it is very likely that you have recovered the tail end of your lost file. There are several possible reasons why the file may not be working properly. One of them could be due to the fact that the file is not the same size as the original. Since the ending offset is correct, the starting offset of the file might be wrong. Encrypted data is very fussy, and one thing that you can't screw around with is the starting offset of the file. It has to be perfect or it won't work.

    For starters, please try this:

    1. Mount the recovered file in TrueCrypt, using the embedded backup header

    2. In the TrueCrypt interface, click on "Volume Properties"

    3. Write down the "Size" of the volume in bytes (it's the second item on the list)

    4. Add 262,144 to this number to arrive at the "Total Size" of the original volume, which includes its four headers (which are external to the data). Save the result for later.

    5. Dismount the volume

    6. Browse to the unmounted file using Windows Explorer

    7. Right-click on the file, then choose Properties

    8. Note the "Size" of the volume, according to Windows.

    9. The "Total Size" that you calculated in Step 4 should be the same as the Windows size in Step 9. If it is then you have probably recovered the entire file. If it isn't then the recovered file's starting offset is likely incorrect and it will have to be fixed before you can decrypt any of your data. (There could be other problems as well, but let's start with that.)

    Before I go, just one last question: As far as you are aware, was the lost file contiguous, or was it fragmented?
     
  3. stopkran

    stopkran Registered Member

    Joined:
    Apr 26, 2014
    Posts:
    5
    Thank you, dantz, for your reply.
    First, I'll address the first part of your answer. I am 100% certain that I did NOT "delete the file, or rename the file, or replace the file with a smaller file of the same name". I'll try to give a full picture of what happened: the container was created on a Windows computer but was used both on Windows and Mac. For several months before this happened I used it on Mac. Then I tried to use it with my friend's Windows laptop. I mounted the container and tried to open an Adobe PDF file but for some reason it wouldn't open! I tried several times, killed the Adobe process in Task Manager, tried to first open Acrobat and open the file via its interface but Acrobat wouldn't open either. So I decided to simply restart the computer. I dismounted the drive but left it in the USB slot. Then, when I browsed the flash drive to mount my container it wasn't there!
    Also I might have misinformed you in my previous post: I probably used TestDisk (not PhotoRec) to recover lost files from the drive, which I still have in my possession. It recovered a bunch of files of a much smaller size and only one was about the size of my container.
    Now, I did everything you suggested and here's what I got:
    - volume size in TrueCrypt: 6442188800 bytes
    - added 262144, resulting 6442450944 bytes
    - volume size in explorer: 5951848448 bytes.
    Obviously you were right: "the recovered file's starting offset is likely incorrect".
    As for the last question, I am not quite sure what you mean. How do I check or know it?
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Well, it's probably too late to check for that now. I asked because fragmented files are much more difficult to recover, as all of the pieces must be found and reassembled perfectly. Let's just hope that yours wasn't. We'll find out soon enough.

    OK, from the numbers that you posted it looks like the file you recovered is too small. The only way I know how to deal with this is manually with a hex editor, and it's going to get rather involved. You'll have to learn how to use a hex editor. I use WinHex, and I can provide you with some steps to follow using that program, but I don't want to spend hours typing in a full tutorial, so you're going to have to learn much of it on your own. You can start out with the evaluation copy, but at some point you will need to purchase a license in order to save large files. The alternative is to use a freeware hex editor such as HxD, but there will be some limitations.

    Brief overview:
    I would start by looking at the unmounted file to see if it looks like a typical TrueCrypt container file. It should be fully encrypted from start to finish, which means no recognizable text or patterns of any sort, and no large blocks of zeros.

    Then I would use TrueCrypt to mount the volume, then I would open the logical (not physical) volume in WinHex. I would look for the presence of decrypted data (such as large blocks of zeros, i.e. 00 00 00 00 00 00 etc.) If there was no decrypted data anywhere in the volume then I would assume that the file's starting point was incorrect.

    Next I would dismount the volume, open the container file in WinHex, add enough zeros at the beginning to make the file the correct size, and then save it to another filename (so as not to overwrite the original). Then I would use TrueCrypt to mount the file, then open the logical volume in WinHex, then examine the volume for the presence of decrypted data. It wouldn't be in the beginning because that's all zeros (which will look like random data at this point), but if you got the file size right then there should be some decrypted data farther in. If there is no decrypted data then the file might still be the wrong size.

    I would also use WinHex to examine the unmounted file on the original disk (I would most likely locate it by performing a search for a known string from the recovered file). I would examine the file to see if the "missing" portion at the beginning of the file looks like it might be a piece of a TrueCrypt volume (i.e. fully random), and if so then I would use that segment to enlarge the file instead of pasting on zeros as we did previously.

    Encrypted files can be a real pain to recover. And we're just getting started. If the file was fragmented then things will get much more involved.

    The above was just an overview. I wanted you to see the general approach before I tried to provide any detailed instructions. It's all subject to change, of course, as we gain further understanding of the situation. However, be aware that I am a busy guy and I can't devote a lot of time to this. I will try to provide some details later on, but this is all I can do right now. And if this is going to work then you'll need to learn most of the necessary techniques yourself so you can work on it without me.
     
  5. stopkran

    stopkran Registered Member

    Joined:
    Apr 26, 2014
    Posts:
    5
    No problem, I understand that you are not obliged to help at all and really appreciate your doing this. I'll dig into techniques you mentioned and will respond with the results. May take some time I presume :)
    I will purchase a license for the full version, of course. If I get stuck on something I'll try to answer a detailed, brief, specific question so you could get me back on the right track. Once again, thanks for your help!
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You're welcome. I'm back now and can answer any questions if you like.

    You're lucky that at least you've found one end of the missing volume. I would pad the leading edge with zeros until the file size was exactly the right size, and then mount it and look for data (using a hex editor).

    I suggest doing a practice run to get the hang of it: Take a small practice container, use a hex editor to chop a few bytes off the beginning of the file, (which will destroy the volume header as well as making the entire file a little smaller), then notice that the embedded backup header still appears to work but the mounted volume does not seem to contain any decrypted data.

    Then dismount the volume, insert the missing number of bytes (use zeroes, or whatever you like) at the beginning of the file, then re-mount the volume and notice that now it seems to contain decrypted data. In fact, all user data will be intact as long as you didn't remove more than 128KB of data from the front of the file, as that area is used only by the volume headers.
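The following is an added example, not code from the thread and not part of TrueCrypt or WinHex. It is a small Python helper for the procedure dantz lays out in posts 2, 4 and 6: compute how many bytes a recovered container is short (using the 262,144-byte header allowance from post 2), scan an image for the runs of zero bytes and low-entropy regions that dantz says indicate decrypted data (expected somewhere in a correctly mounted volume, and nowhere in the unmounted container), and write a copy of the truncated container with the missing prefix restored as zeros so the original is never modified. Function names, the 64-byte zero-run threshold, the 7.0 bits-per-byte entropy floor and the constructed random test data are my assumptions; the header arithmetic and the 512-byte sector reasoning come from the thread.

```python
# Added example, not code from the thread, TrueCrypt or WinHex.
# Python stands in for the manual WinHex steps dantz describes.
import math
import os
import tempfile
from collections import Counter

HEADER_AREA_BYTES = 4 * 65536   # four 64 KiB header slots outside the data area (post 2)
SECTOR = 512                    # disks and recovery tools work in whole sectors


def missing_prefix_bytes(mounted_volume_bytes: int, recovered_file_bytes: int) -> int:
    """Shortfall between the size the container must have had and the file on disk."""
    expected = mounted_volume_bytes + HEADER_AREA_BYTES
    return expected - recovered_file_bytes


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or mostly-zero data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def scan_image(path: str, chunk_size: int = 4096, zero_run: int = 64,
               entropy_floor: float = 7.0) -> dict:
    """Report start offsets of zero runs and of low-entropy chunks in an image file.

    Thresholds are assumptions: 64 consecutive zero bytes essentially never occur in
    ciphertext, and 4 KiB of ciphertext sits well above 7.0 bits per byte.
    """
    findings = {"zero_runs": [], "low_entropy_chunks": [], "chunks": 0}
    run, offset = 0, 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            findings["chunks"] += 1
            if shannon_entropy(chunk) < entropy_floor:
                findings["low_entropy_chunks"].append(offset)
            for i, b in enumerate(chunk):       # run counter carries across chunks
                if b == 0:
                    run += 1
                    if run == zero_run:         # record each run once, at its start
                        findings["zero_runs"].append(offset + i + 1 - zero_run)
                else:
                    run = 0
            offset += len(chunk)
    return findings


def looks_fully_encrypted(path: str) -> bool:
    """dantz's test for the unmounted container: no zero runs, no recognizable low-entropy data."""
    f = scan_image(path)
    return not f["zero_runs"] and not f["low_entropy_chunks"]


def restore_prefix(src: str, dst: str, missing: int, fill_byte: int = 0) -> int:
    """Write dst = (fill_byte * missing) + contents of src; src is never modified.

    Zeros are dantz's first-attempt choice: they decrypt to junk in the padded
    region but put every later byte back at its original offset.
    """
    if missing < 0:
        raise ValueError("recovered file is larger than expected; re-check the sizes")
    block = bytes([fill_byte]) * 65536
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        left = missing
        while left:
            n = min(left, len(block))
            fout.write(block[:n])
            left -= n
        while True:
            piece = fin.read(1 << 20)
            if not piece:
                break
            fout.write(piece)
    return os.path.getsize(dst)


def demo() -> dict:
    """Constructed data: random bytes play the role of a container whose first sectors were lost."""
    data_area = 256 * 1024                      # what TrueCrypt would report as the volume size
    container = os.urandom(data_area + HEADER_AREA_BYTES)
    lost = 3 * SECTOR                           # pretend the first three sectors are gone
    workdir = tempfile.mkdtemp()
    truncated = os.path.join(workdir, "recovered.bin")
    restored = os.path.join(workdir, "restored.bin")
    with open(truncated, "wb") as fh:
        fh.write(container[lost:])
    missing = missing_prefix_bytes(data_area, os.path.getsize(truncated))
    size = restore_prefix(truncated, restored, missing)
    with open(restored, "rb") as fh:
        restored_bytes = fh.read()
    return {
        "missing": missing,
        "restored_size": size,
        "tail_intact": restored_bytes[lost:] == container[lost:],
        "truncated_looks_encrypted": looks_fully_encrypted(truncated),
        "restored_scan": scan_image(restored),
    }


if __name__ == "__main__":
    # Shortfall for the sizes stopkran reported in post 3.
    print("bytes missing from stopkran's file:", missing_prefix_bytes(6442188800, 5951848448))
    print(demo())
```

Run the scan against the unmounted container first (it should report nothing), then against the mounted logical volume opened read-only, where zero runs and low-entropy chunks are the decrypted data dantz is looking for. With stopkran's numbers the shortfall is 490,602,496 bytes, an exact multiple of 512, which is consistent with whole leading sectors having been lost rather than a misread figure.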
     
  7. stopkran

    stopkran Registered Member

    Joined:
    Apr 26, 2014
    Posts:
    5
    Hello, sorry for the late response. Pretty much like yourself I work from dusk till dawn and due to the nature of my work I travel a lot. That basically was the reason why I needed a secured container on my flash drive. So here's what I did following your directions:
    - mounted the volume in TrueCrypt
    - opened it in WinHex (a window with the following warning popped up right away: "The volume does not contain a recognized file system. Please make sure that all required file system drives are loaded and that the volume is not corrupted")
    - there are no large blocks of zeroes at all and no recognizable patterns of any kind BUT a few lines (I say few compared to the volume of all lines) at the very bottom with absolutely the same pattern and the words "UNREADABLESECTOR" in the right column.
    I stopped doing anything after I discovered the fact because I wanted you to confirm that there's nothing bad with that. If it's not bad I'll continue following your directions. By the way how do I add zeroes to the volume? Would you point me to some good manual or a book I could study?
     
  8. stopkran

    stopkran Registered Member

    Joined:
    Apr 26, 2014
    Posts:
    5
    I assume you're away from home and won't trouble you until you're back :)
    Just don't want to proceed not knowing what those "UNREADABLESECTOR" lines mean.
     
  9. Argentum

    Argentum Registered Member

    Joined:
    Aug 23, 2014
    Posts:
    1
    Please help, I'm using TrueCrypt on my Mac and after renaming the file I've lost all the data ((.
    Is there any way to recover the lost files?
     