Truecrypt Disk Corruption

Discussion in 'encryption problems' started by streak22, Aug 30, 2013.

Thread Status:
Not open for further replies.
  1. streak22

    streak22 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    16
    I tried with HD Tune too and I can't detect any bug... can you recommend another tool that you know will detect that specific bug?

    I will try to update that driver (first checking whether it is out of date or not...)


    You have asked me this so many times that I am starting to doubt... I was pretty sure that I encrypted the entire drive... But I didn't note that information anywhere and this was a long time ago... whatever... I can try to get the header from the location that you specified (as if the whole disk was encrypted, extracting the header from the end of the disk) and if that doesn't work, try to get the header from the other location that you will tell me at that moment... I am almost sure that it was the entire drive. And in the remote case that I am mistaken... I am sure (100%) that, when I mounted the TC volume, it gave me 3 TB of space to fill... So if it was a partition, it was one partition of the full drive size. (I am not sure if this information is of any help to you... ...?)

    WD still hasn't answered me... So I am thinking of waiting one day, and if that doesn't work, doing exactly what you said in a previous post from Linux (extract the first and last part of the disk, and try to mount it from Windows).

    Do you agree with me??
     
    Last edited: Sep 12, 2013
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I would just follow my recent Post #20 to see if you can recover TrueCrypt's embedded backup header from its specific location near the end of the disk (but only if you can access the drive's full capacity).

    I wouldn't bother trying to recover the TrueCrypt volume header from the front of the disk, as the area where the volume header would normally be located has already been overwritten by boot and partition code, as seen in your first screenshot.
     
  3. streak22

    streak22 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    16
    Hi! WD Support has answered, and they told me this:

    ~Private communication removed per TOS. Use your own words.~




    One question: do you think that the program "Data Lifeguard Diagnostics (DLG)" will write to the disk? Or can I run it safely?
     
    Last edited by a moderator: Sep 13, 2013
  4. Simpson474

    Simpson474 Registered Member

    Joined:
    Sep 7, 2013
    Posts:
    9
    The diagnostic features (for example short test, long test) are read-only; however, the last time I used the tool, advanced features could be selected which may also write data to the disk. I would not use the tool now but concentrate on getting the full size of the disk detected in Windows.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    My vacation starts tomorrow and I will be gone for several weeks. Hopefully you will be able to get your data back before then, but if you need more TrueCrypt assistance then I'll be back around Oct. 10. Good luck!
     
  6. streak22

    streak22 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    16
    Here I have the output from the Linux OS... There's something strange at the end... Do you think that the header is overwritten? Where must I start to copy from, and to where, to try it?

    EDIT: Does someone know how to do it with the dd command??

    EDIT2: Well, I think that I figured it out: I will use these 2 commands:
    To see -n bytes, skipping -s bytes:
    hexdump -C FILE -s 0 -n 100

    Extracting 'count' bytes, skipping 'skip' bytes, to a file...
    dd bs=1 skip=16 count=100 if=/dev/sdX of=FILE

    I will try this when I get home and I will tell you then...


    If someone can guide me on the byte number I will be thankful! :)
     

    Last edited: Sep 16, 2013
  7. streak22

    streak22 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    16
    Well... Mission failed... :( I will post what I have done to see if someone can check whether I am doing something wrong...:

    -> First I booted with Kali Linux
    -> lsblk:
    sdb 8:16 0 3000592982016 0 disk
    ├─sdb1 8:17 0 1024 0 part
    └─sdb5 8:21 0 2025406291456 0 part

    So... I understand that...
    TOTAL BYTES OF DISK:3000592982016
    Starting HEADER= TOTAL-131072= 3000592982016-131072= 3000592850944

    To see it:
    hexdump -C /dev/sdb -s 3000592850944 -n 131072



    To extract 171072 bytes from the end of the disk:
    dd bs=1 skip=3000592850944 count=131072 if=/dev/sdb of=./Desktop/sdbLast131072
    To extract 512K bytes from the end of the disk:
    dd bs=1 skip=3000592457728 count=524288 if=/dev/sdb of=./Desktop/sdbLast512K
    To extract 20M bytes from the end of the disk:
    dd bs=1 skip=3000572010496 count=20971520 if=/dev/sdb of=./Desktop/sdbLast20M


    The calculations that I have done are these:
    TOTAL DISK--> 3000592982016 = 0x400002BAA1476000
    TC HEADER --> 131072 = 0x20000
    512KB --> 512*1024 = 524288 = 0x80000
    20MB --> 20*1024*1024 = 20971520 = 0x1400000


    Then... I tried to mount with TC in Windows with the option that dantz mentioned, but it still gives me the WRONG message...


    Code:
    2ba7def3000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    2baa11f8000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
    2baa11f8010  00 00 00 00 00 f8 00 00  3f 00 ff 00 22 00 00 00  |........?..."...|
    2baa11f8020  00 00 00 00 80 00 80 00  9e 8f 50 5d 01 00 00 00  |..........P]....|
    2baa11f8030  04 00 00 00 00 00 00 00  f9 08 d5 15 00 00 00 00  |................|
    2baa11f8040  f6 00 00 00 01 00 00 00  06 70 fd 4e 6a 7b 25 0a  |.........p.Nj{%.|
    2baa11f8050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07  |.....3.....|.h..|
    2baa11f8060  1f 1e 68 66 00 cb 88 16  0e 00 66 81 3e 03 00 4e  |..hf......f.>..N|
    2baa11f8070  54 46 53 75 15 b4 41 bb  aa 55 cd 13 72 0c 81 fb  |TFSu..A..U..r...|
    2baa11f8080  55 aa 75 06 f7 c1 01 00  75 03 e9 d2 00 1e 83 ec  |U.u.....u.......|
    2baa11f8090  18 68 1a 00 b4 48 8a 16  0e 00 8b f4 16 1f cd 13  |.h...H..........|
    2baa11f80a0  9f 83 c4 18 9e 58 1f 72  e1 3b 06 0b 00 75 db a3  |.....X.r.;...u..|
    2baa11f80b0  0f 00 c1 2e 0f 00 04 1e  5a 33 db b9 00 20 2b c8  |........Z3... +.|
    2baa11f80c0  66 ff 06 11 00 03 16 0f  00 8e c2 ff 06 16 00 e8  |f...............|
    2baa11f80d0  40 00 2b c8 77 ef b8 00  bb cd 1a 66 23 c0 75 2d  |@.+.w......f#.u-|
    2baa11f80e0  66 81 fb 54 43 50 41 75  24 81 f9 02 01 72 1e 16  |f..TCPAu$....r..|
    2baa11f80f0  68 07 bb 16 68 70 0e 16  68 09 00 66 53 66 53 66  |h...hp..h..fSfSf|
    2baa11f8100  55 16 16 16 68 b8 01 66  61 0e 07 cd 1a e9 6a 01  |U...h..fa.....j.|
    2baa11f8110  90 90 66 60 1e 06 66 a1  11 00 66 03 06 1c 00 1e  |..f`..f...f.....|
    2baa11f8120  66 68 00 00 00 00 66 50  06 53 68 01 00 68 10 00  |fh....fP.Sh..h..|
    2baa11f8130  b4 42 8a 16 0e 00 16 1f  8b f4 cd 13 66 59 5b 5a  |.B..........fY[Z|
    2baa11f8140  66 59 66 59 1f 0f 82 16  00 66 ff 06 11 00 03 16  |fYfY.....f......|
    2baa11f8150  0f 00 8e c2 ff 0e 16 00  75 bc 07 1f 66 61 c3 a0  |........u...fa..|
    2baa11f8160  f8 01 e8 08 00 a0 fb 01  e8 02 00 eb fe b4 01 8b  |................|
    2baa11f8170  f0 ac 3c 00 74 09 b4 0e  bb 07 00 cd 10 eb f2 c3  |..<.t...........|
    2baa11f8180  0d 0a 41 20 64 69 73 6b  20 72 65 61 64 20 65 72  |..A disk read er|
    2baa11f8190  72 6f 72 20 6f 63 63 75  72 72 65 64 00 0d 0a 42  |ror occurred...B|
    2baa11f81a0  4f 4f 54 4d 47 52 20 69  73 20 6d 69 73 73 69 6e  |OOTMGR is missin|
    2baa11f81b0  67 00 0d 0a 42 4f 4f 54  4d 47 52 20 69 73 20 63  |g...BOOTMGR is c|
    2baa11f81c0  6f 6d 70 72 65 73 73 65  64 00 0d 0a 50 72 65 73  |ompressed...Pres|
    2baa11f81d0  73 20 43 74 72 6c 2b 41  6c 74 2b 44 65 6c 20 74  |s Ctrl+Alt+Del t|
    2baa11f81e0  6f 20 72 65 73 74 61 72  74 0d 0a 00 00 00 00 00  |o restart.......|
    2baa11f81f0  00 00 00 00 00 00 00 00  80 9d b2 ca 00 00 55 aa  |..............U.|
    2baa11f8200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    2baa13ffe00  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
    2baa13ffe10  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 08 00 00  |........?.......|
    2baa13ffe20  00 00 00 00 80 00 80 00  ff 97 50 5d 01 00 00 00  |..........P]....|
    2baa13ffe30  04 00 00 00 00 00 00 00  7f 09 d5 15 00 00 00 00  |................|
    2baa13ffe40  f6 00 00 00 01 00 00 00  2e ff ce 70 e1 ff 67 52  |...........p..gR|
    2baa13ffe50  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07  |.....3.....|.h..|
    2baa13ffe60  1f 1e 68 66 00 cb 88 16  0e 00 66 81 3e 03 00 4e  |..hf......f.>..N|
    2baa13ffe70  54 46 53 75 15 b4 41 bb  aa 55 cd 13 72 0c 81 fb  |TFSu..A..U..r...|
    2baa13ffe80  55 aa 75 06 f7 c1 01 00  75 03 e9 d2 00 1e 83 ec  |U.u.....u.......|
    2baa13ffe90  18 68 1a 00 b4 48 8a 16  0e 00 8b f4 16 1f cd 13  |.h...H..........|
    2baa13ffea0  9f 83 c4 18 9e 58 1f 72  e1 3b 06 0b 00 75 db a3  |.....X.r.;...u..|
    2baa13ffeb0  0f 00 c1 2e 0f 00 04 1e  5a 33 db b9 00 20 2b c8  |........Z3... +.|
    2baa13ffec0  66 ff 06 11 00 03 16 0f  00 8e c2 ff 06 16 00 e8  |f...............|
    2baa13ffed0  40 00 2b c8 77 ef b8 00  bb cd 1a 66 23 c0 75 2d  |@.+.w......f#.u-|
    2baa13ffee0  66 81 fb 54 43 50 41 75  24 81 f9 02 01 72 1e 16  |f..TCPAu$....r..|
    2baa13ffef0  68 07 bb 16 68 70 0e 16  68 09 00 66 53 66 53 66  |h...hp..h..fSfSf|
    2baa13fff00  55 16 16 16 68 b8 01 66  61 0e 07 cd 1a e9 6a 01  |U...h..fa.....j.|
    2baa13fff10  90 90 66 60 1e 06 66 a1  11 00 66 03 06 1c 00 1e  |..f`..f...f.....|
    2baa13fff20  66 68 00 00 00 00 66 50  06 53 68 01 00 68 10 00  |fh....fP.Sh..h..|
    2baa13fff30  b4 42 8a 16 0e 00 16 1f  8b f4 cd 13 66 59 5b 5a  |.B..........fY[Z|
    2baa13fff40  66 59 66 59 1f 0f 82 16  00 66 ff 06 11 00 03 16  |fYfY.....f......|
    2baa13fff50  0f 00 8e c2 ff 0e 16 00  75 bc 07 1f 66 61 c3 a0  |........u...fa..|
    2baa13fff60  f8 01 e8 08 00 a0 fb 01  e8 02 00 eb fe b4 01 8b  |................|
    2baa13fff70  f0 ac 3c 00 74 09 b4 0e  bb 07 00 cd 10 eb f2 c3  |..<.t...........|
    2baa13fff80  0d 0a 41 20 64 69 73 6b  20 72 65 61 64 20 65 72  |..A disk read er|
    2baa13fff90  72 6f 72 20 6f 63 63 75  72 72 65 64 00 0d 0a 42  |ror occurred...B|
    2baa13fffa0  4f 4f 54 4d 47 52 20 69  73 20 6d 69 73 73 69 6e  |OOTMGR is missin|
    2baa13fffb0  67 00 0d 0a 42 4f 4f 54  4d 47 52 20 69 73 20 63  |g...BOOTMGR is c|
    2baa13fffc0  6f 6d 70 72 65 73 73 65  64 00 0d 0a 50 72 65 73  |ompressed...Pres|
    2baa13fffd0  73 20 43 74 72 6c 2b 41  6c 74 2b 44 65 6c 20 74  |s Ctrl+Alt+Del t|
    2baa13fffe0  6f 20 72 65 73 74 61 72  74 0d 0a 00 00 00 00 00  |o restart.......|
    2baa13ffff0  00 00 00 00 00 00 00 00  80 9d b2 ca 00 00 55 aa  |..............U.|
    2baa1400000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    2baa1471e00  a2 a0 d0 eb e5 b9 33 44  87 c0 68 b6 b7 26 99 c7  |......3D..h..&..|
    2baa1471e10  3e 20 80 59 1a 9b 80 49  8b 24 d8 aa 58 d7 bc fb  |> .Y...I.$..X...|
    2baa1471e20  22 00 00 00 00 00 00 00  c0 8f 50 5d 01 00 00 00  |".........P]....|
    2baa1471e30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    2baa1475e00  45 46 49 20 50 41 52 54  00 00 01 00 5c 00 00 00  |EFI PART....\...|
    2baa1475e10  11 c4 c6 0f 00 00 00 00  af a3 50 5d 01 00 00 00  |..........P]....|
    2baa1475e20  01 00 00 00 00 00 00 00  22 00 00 00 00 00 00 00  |........".......|
    2baa1475e30  8e a3 50 5d 01 00 00 00  b2 39 85 06 6d d1 25 45  |..P].....9..m.%E|
    2baa1475e40  97 54 b7 9a 66 2f 31 5b  8f a3 50 5d 01 00 00 00  |.T..f/1[..P]....|
    2baa1475e50  80 00 00 00 80 00 00 00  59 58 46 fc 00 00 00 00  |........YXF.....|
    2baa1475e60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    2baa1476000
    

    I am adding a zip file that has 4 files... the log above... and the 3 portions of the disk extracted into 3 files... (131072 bytes - 512K - 20MB)

    Does someone have a clue whether I am doing or calculating something wrong?

    Thanks for the time...
     

  8. Simpson474

    Simpson474 Registered Member

    Joined:
    Sep 7, 2013
    Posts:
    9
    The last sector of the partition contains the GPT mirror: according to the mirror partition entry at 0x13FBE00 in your 20MB file, the disk had one partition from LBA 0x0000000000000022 to LBA 0x000000015D508FC0. LBA 0x000000015D508FC0 (3000590368768 bytes) lies within your 20MB dump at offset 0x1182000.

    Unfortunately there is no TrueCrypt header at this location but a backup NTFS boot sector indicating an NTFS partition of 3000590351360 bytes: it seems there has never been a TrueCrypt header at this location: as the TrueCrypt header (128KB) is much bigger than the NTFS boot sector (512 bytes), fragments from the TrueCrypt header would still be visible if the NTFS boot sector had been written over the TrueCrypt header. Did you completely format the TrueCrypt volume on creation or did you cancel formatting? If you cancelled the initial format of the volume, a bug in TrueCrypt will result in no backup header being written.

    There is only one chance left: the TrueCrypt header at LBA 0x0000000000000022 (17408 bytes): the chance is almost zero though if the 32-bit LBA overflow is the root cause for your problems. I assume you do not have an external backup of the TrueCrypt header, do you?
     
  9. streak22

    streak22 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    16
    Thanks for answering, Simpson474!! I don't have a backup of the header. :(

    I think that I encrypted the entire disk... (I am not sure whether I encrypted the entire disk or a partition that spans the entire disk... I was almost sure that it was the first: encrypting the entire disk.)

    Which offset must I use to rescue the header that you mentioned? From what offset to what offset?

    Is that offset from the 20M file, or are you giving me the offset on the full disk?


    One more time... thanks for answering me, Simpson!
     
    Last edited: Sep 17, 2013
  10. Simpson474

    Simpson474 Registered Member

    Joined:
    Sep 7, 2013
    Posts:
    9
    The offset is from the beginning of the disk, the command should be as follows:
    dd bs=1 skip=17408 count=131072 if=/dev/sdb of=./Desktop/header
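
The offset arithmetic from the last few posts, as an added Python example that is not part of the original thread: it decodes the first and last LBA from the mirror GPT partition entry bytes shown in the hexdump above, converts them to byte offsets, and locates the last LBA inside the 20MB tail dump. The function names and the 512-byte sector size are assumptions of this example.

```python
import struct

SECTOR = 512            # assumed logical sector size
TC_HEADER_LEN = 131072  # header size quoted in the thread

# Constructed input: first 48 bytes of the mirror GPT partition entry,
# copied from the thread's hexdump at disk offset 0x2baa1471e00.
ENTRY = bytes.fromhex(
    "a2a0d0ebe5b9334487c068b6b72699c7"
    "3e2080591a9b80498b24d8aa58d7bcfb"
    "2200000000000000c08f505d01000000"
)

def parse_gpt_entry(entry):
    """Return (first_lba, last_lba): little-endian u64 fields at offsets 32 and 40."""
    if len(entry) < 48:
        raise ValueError("need at least 48 bytes of the partition entry")
    if entry[:16] == bytes(16):
        raise ValueError("unused partition entry (all-zero type GUID)")
    first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
    if last_lba < first_lba:
        raise ValueError("corrupt entry: last LBA before first LBA")
    return first_lba, last_lba

def offset_in_tail_dump(disk_offset, disk_size, dump_len):
    """Map an absolute disk offset to an offset inside a dump of the last dump_len bytes."""
    start = disk_size - dump_len
    if not start <= disk_offset < disk_size:
        raise ValueError("offset is not covered by the dump")
    return disk_offset - start

def dd_command(device, skip_bytes, count_bytes, out, bs=SECTOR):
    """Build a read-only dd line that uses sector-sized blocks instead of bs=1."""
    if skip_bytes % bs or count_bytes % bs:
        raise ValueError("offset and length must be multiples of the block size")
    return (f"dd if={device} of={out} bs={bs} "
            f"skip={skip_bytes // bs} count={count_bytes // bs}")

if __name__ == "__main__":
    disk_size = 3000592982016  # from the lsblk output in the thread
    first, last = parse_gpt_entry(ENTRY)
    print(hex(first), hex(last), first * SECTOR, last * SECTOR)
    print(hex(offset_in_tail_dump(last * SECTOR, disk_size, 20 * 1024 * 1024)))
    print(dd_command("/dev/sdb", first * SECTOR, TC_HEADER_LEN, "header"))
```

The generated dd line reads the same 131072 bytes as the bs=1 command above, just in 512-byte blocks, and it only reads from the device.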
     