Truecrypt encode problem (after lost header)

Discussion in 'encryption problems' started by Hemus, Dec 18, 2012.

Thread Status:
Not open for further replies.
  1. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    Hello

    At the start I want to apologise for my English. I prefer reading and understanding rather than thinking about what I need to say


    I have a problem with my TrueCrypt-encrypted HDD USB disk. It's 1TB, used for copying all of the data from my computer when I was doing a format on it, etc.

    A few days ago, after the format, I wanted to encrypt my files, and it was working fine. I don't know why, but the letter of this disk in My Computer didn't seem right to me, so I deleted the volume in Disk Manager. After that I recreated a new volume and broke my HDD

    TrueCrypt showed me "incorrect password or not a truecrypt volume"; I couldn't mount this drive in TC. I was depressed. I tried deleting and recreating the volume a few times.

    After that I was looking for some solution and I found it here. I read two topics:

    https://www.wilderssecurity.com/showthread.php?t=335873
    and
    https://www.wilderssecurity.com/showthread.php?t=336671

    and now I'm here.

    - I created a 2MB test file; it works fine
    - I tested the file to see if the header is present and accepts my password - fine http://img7.imageshack.us/img7/425/83262424.jpg
    - Checking to see if the data in your mounted test volume is decrypting - not fine, I got some errors http://img515.imageshack.us/img515/4051/83384007.jpg
    http://img809.imageshack.us/img809/1200/64365919.jpg
    http://img100.imageshack.us/img100/176/94640938.jpg

    - Back up the test volume's headers - I did it and now my HDD can be mounted, but TC doesn't encrypt my data; Windows asks me if I want to format the disk.


    Before this my HDD was like this: http://img233.imageshack.us/img233/876/dfgcx.jpg (imageshack changed the resolution :/)
    Now it is like this (the TC header is gone, the password is again not correct, but when I restore the header from the file it is fine and works again.)

    With no header
    http://img171.imageshack.us/img171/2258/61646959.jpg
    http://img651.imageshack.us/img651/2425/71161955.jpg

    After header recovery
    http://img716.imageshack.us/img716/6859/76664310.jpg
    http://img33.imageshack.us/img33/9373/37138477.jpg
    http://img18.imageshack.us/img18/6351/72747655.jpg


    What I saw in another thread - TC shows that the HDD has 1000193753600 bytes
    Mounted disk, checked in WinHex (logical) - 1000193753599 bytes
    Not mounted, checked in WinHex (physical) - 1000204885568 bytes

    WinHex - (TC + header) = 10869824 - that's the difference between mounted/unmounted space



    So what can I do now? Is there any solution to encrypt my files? Or is it lost.

    Thanks a lot
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The error messages displayed by WinHex are normal for this situation and are of no concern. The only purpose of that test is to see if your data is decrypting, and it definitely is. This indicates that the header is intact and is in the correct location relative to its data.

    I have other projects today and I also need some time to study your results, so I can't get back to you immediately. However, I will say that so far it's looking good.
     
  3. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    Thank you so much, I'm full of hope now :)


    I tried to make a new thread on http://forums.truecrypt.org, but they want a non-free email address and I don't have one :/

    Really, thanks a lot for your attention, I'm waiting for more clues from you :)


    Edit: One more thing - I don't have 1TB of space to make a disk image :/ My hard drive in the computer has only 500GB, so it can be a problem to do any copy
     
    Last edited: Dec 18, 2012
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I've read through your post several times, but I still don't quite understand all that you've done. However, after careful reading I am less hopeful now than I was yesterday. I have a few questions:

    You mean you actually went into Disk Manager and deleted the partition full of data? (Or did you merely change the drive letter?)

    I don't quite understand this part. What exactly did you do? Did you create a new partition, and then create a new TrueCrypt volume on it? This would completely overwrite your old volume's data unless you chose 'quick format'. It would also overwrite your previous headers, making your old data permanently inaccessible.

    What do you mean when you say, "I tried delete and recreate volume" a few times? This makes very little sense to me. What did you delete and recreate, and how did you do it?

    Do you mean you went in with a hex editor, selected a 2MB block beginning at decimal offset 1048576 and saved it as a file, and you were able to mount the file using your TrueCrypt password?

    And yet, for some reason you were not able to select the partition on the USB drive and mount that?

    What do you see when you look inside the mounted volume with a hex editor? Does one of your links show that?

    I'm still trying to understand if this volume contains any of your data, or if it's a new volume without any contents.
     
  5. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    All the problems refer to my old encrypted portable disk

    Yes. After the Windows installation I mounted my disk in TC. All was fine and after copying one file I unmounted it. But the next day I saw in My Computer a disk that was weird to me, with the letter "F:", and when I clicked it, Windows showed me some error (I don't remember what). So I deleted it in Disk Manager and couldn't mount my portable HDD afterwards.

    What I did: in Disk Manager I deleted some "F:" disk (before the format my portable HDD had the letter I:, that's why I did it), and after I found out about the problem with mounting that disk in TC I recreated the volume about 5-6 times (with a letter and with no letter, and always with no format option)

    Why - you can read above. How - in Disk Manager

    I went into the hex editor at decimal offset 1048576 and saw just 000000. So I was looking for the offset where the zeros change to something else and I found offset 8257536 (on screen - http://img651.imageshack.us/img651/2425/71161955.jpg). And from 8257536 I selected a 2MB block, saved it as a file and mounted the file using my TrueCrypt password.

    I backed up the header in TrueCrypt from that 2MB file and afterwards restored the header on my HDD. Next I mounted it; the password passed but Windows showed me "You need to format the disk in drive J: before you can use it". T

    Links:
    http://img716.imageshack.us/img716/6859/76664310.jpg
    http://img33.imageshack.us/img33/9373/37138477.jpg
    http://img18.imageshack.us/img18/6351/72747655.jpg
     
    Last edited: Dec 19, 2012
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's quite a story. I assume that for some reason drive letter 'F' was assigned to your portable disk that day. Your multiple deletions and subsequent repartitioning efforts wiped out its basic file structure many times. It all sounds very reckless. Normally when something goes wrong you should stop and think, not engage in widespread destruction. However, you might just be lucky this time. We'll see.

    You went in with a hex editor and were able to locate your TC header at decimal offset 8257536 (as shown by the fact that your test file based on that location worked properly), so apparently that's where your original partition used to begin. (Perhaps there was another small partition in front of it, otherwise I don't know why it would be in that location). When you used Windows to repartition the disk, the new partition did not begin at the same location. Thus, when you restored the header from your header backup file to new location it was not able to decrypt any data because the header was not positioned correctly.

    Do the images in the second and third links refer to a TC volume in your portable hard drive, mounted to drive letter "I"? The data looks random to me, but I'm not quite sure. Have you scrolled down a bit, and do you recognize anything?

    Compare this to your mounted test volume (which you had previously also mounted to "I"). The data in the test file appears to be decrypting perfectly.

    (By the way, your links would be much more helpful if you would describe each one and tell me exactly what it is. This is tough enough already. In the future please don't make me guess.)

    Since both volumes are based on the same header, the header that you restored to your portable hard drive is apparently not in the right place. This is probably because your new partition does not start at decimal offset 8257536. This could be corrected by using WinHex or some other hex editor to edit the partition table, or better yet a dedicated partition table editing program, but it's a very tricky procedure and I'm not even going to try to walk you through it. I'm still not sure I fully understand what's going on, and our communication is not that good.

    I suggest you go to sites that offer a partition table editing program (the old EASEUS Partition Table Doctor used to be good at this) and get some help from knowledgeable users. TestDisk is another option, but again, it's not easy. You'll need expert help. Keep in mind that it's risky to perform these kinds of operations without having a backup in place.

    Alternatively, you could use a hex editor to select the entire block starting at decimal offset 8257536 and save it as one gigantic file, and it would probably work. That would be a pretty big block/save operation to save a 1TB file! I realize that you don't have enough storage capacity to save a file that large, but if you want to solve the problem, that's one way to do it.

    Before getting too crazy here with partition table editing etc. I suggest you look at the contents of your mounted test file very closely and see if there are any traces of the data that you want to recover, as it's just possible that you destroyed everything with all of your deletions/recreations/etc. I'm still not certain what went on there. I strongly suggest you create a much larger test file, as 2MB is really too small to see or do much. (It's large enough to test for decryption, but that's about it.) Then use data-recovery software to explore the mounted volume. If the volume is large enough you might even be able to recover some data that way.
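    The procedure described above (scroll past the zeros in a hex editor until random-looking data starts, treat that offset as the candidate header, and save a block from there as a file-hosted test volume) can be automated. The following Python script is an added example, not code from the thread or from TrueCrypt: it scans a raw image for the first non-zero sector, checks that the bytes there are high-entropy (an encrypted header has no signature to search for, so entropy is the only usable heuristic), and copies a test block out. The disk image it runs on is constructed in a temporary directory (zeros followed by random bytes standing in for the encrypted volume); the function names and the 2MB/64KB sizes are assumptions taken from the sizes mentioned in the thread.

```python
import math
import os
import tempfile

SECTOR = 512
HEADER_SIZE = 64 * 1024          # one TrueCrypt volume header, as stated in the thread


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. All-zero data scores 0.0; random or
    encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_first_nonzero_sector(path: str, start: int = 0) -> int:
    """Byte offset of the first 512-byte sector at or after `start` that is
    not entirely zero, or -1 if none. Mirrors scrolling through zeros in a
    hex editor until the data changes."""
    with open(path, "rb") as f:
        f.seek(start)
        offset = start
        while True:
            sector = f.read(SECTOR)
            if not sector:
                return -1
            if any(sector):
                return offset
            offset += SECTOR


def looks_encrypted(path: str, offset: int, length: int = HEADER_SIZE) -> bool:
    """True if `length` bytes at `offset` are high-entropy, which is what an
    intact encrypted header and the data behind it look like."""
    with open(path, "rb") as f:
        f.seek(offset)
        block = f.read(length)
    return len(block) == length and shannon_entropy(block) > 7.5


def extract_test_block(path: str, offset: int, size: int, out_path: str) -> int:
    """Copy `size` bytes starting at `offset` into a standalone file, the same
    as selecting a block in a hex editor and saving it. Because the copy
    begins at the candidate header, the file can be tried as a file-hosted
    volume. Returns the number of bytes written."""
    written = 0
    with open(path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(offset)
        while written < size:
            chunk = src.read(min(1 << 20, size - written))
            if not chunk:
                break
            dst.write(chunk)
            written += len(chunk)
    return written


def build_sample_image(path: str, zero_bytes: int, payload_bytes: int) -> None:
    """Constructed sample image: `zero_bytes` of zeros followed by random bytes
    standing in for an encrypted volume. Not real TrueCrypt data."""
    with open(path, "wb") as f:
        f.write(bytes(zero_bytes))
        remaining = payload_bytes
        while remaining > 0:
            chunk = os.urandom(min(1 << 20, remaining))
            f.write(chunk)
            remaining -= len(chunk)


def locate_and_extract(image: str, out_path: str, test_size: int = 2 * 1024 * 1024) -> int:
    """Whole procedure: find where the zeros end, confirm the block there is
    high-entropy, and save a test block from that offset. Returns the offset."""
    offset = find_first_nonzero_sector(image)
    if offset < 0 or not looks_encrypted(image, offset):
        raise ValueError("no high-entropy candidate header found")
    extract_test_block(image, offset, test_size, out_path)
    return offset


def demo(zero_bytes: int = 8257536, payload_bytes: int = 4 * 1024 * 1024) -> tuple:
    """Build the constructed image (zeros up to the offset from the thread,
    then random data) and run the procedure on it."""
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "disk.img")
    out = os.path.join(tmp, "test.tc")
    build_sample_image(img, zero_bytes, payload_bytes)
    offset = locate_and_extract(img, out)
    return offset, os.path.getsize(out)


if __name__ == "__main__":
    found, size = demo()
    print("candidate header at byte offset", found, "- test block of", size, "bytes written")
```

    On a real disk you would point `locate_and_extract` at the raw device (or, better, at a full image of it, since reading a device that Windows considers unformatted is harmless but any write is not), then try to mount the resulting file with the volume password. The entropy check only tells you that the bytes are not zeros or a plain filesystem; the mount test is what confirms the header is really there.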
     
  7. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    OK, I downloaded R-Studio, made a larger file (15GB) and I have a full view of my old files and I succeeded in recovering some of them.

    I know I can make a much larger file a few times (10x 100GB) and recover part after part, but I have one question

    Can I recover from the HDD some file/information about how exactly the image of my HDD was before I ruined it? I want to get some file or something to show you that text/hex/whatever string and you magically tell me afterwards "I know, you must put the header at XYZ" and all will be fine ;) Is it possible?
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's great news!

    I don't quite understand your question, but I will say that your header is already in the right place. The 64KB header (actually, there are two) must be located right before the beginning of the data, a specific distance away, and if it isn't exactly right then the data won't decrypt at all. Yours is working, as shown by the success of your test files, so it's ok.

    The problem is that your partition table is screwed up, and that's a tricky job to fix. (I don't know of any way to get a copy of the original partition table, certainly not after all that you did.) If you do fix it such that your first partition is adjusted to begin at the correct offset (as mentioned previously) then your partition-hosted TrueCrypt volume will begin to work normally again. However, if/when you fix the partition table you must be VERY CAREFUL not to overwrite any of the partition's contents, especially the first sector. (Many partition repair programs will unfortunately do this). And make sure you don't delete your 2MB test file, as this contains a valuable copy of the header that you might need later if things go wrong.

    edit: You're going to have trouble trying to mount inner segments (part by part) of the lost data. You can't mount an inner segment; the header won't work. You'll see. You have to start at the beginning every time, so the maximum size of the file is determined by how much storage space you have.
     
  9. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    I know where my problem is, but I don't know how to repair it :) Thanks a lot for such help, but I still need a little. I understand everything you were writing and I'm sorry you don't understand me as well. Never mind, I have another problem

    I installed Partition Table Doctor and did a scan. Results:
    http://img267.imageshack.us/img267/5/unmounted.jpg
    Which option would be correct?

    <I'm trying to borrow a 1TB disk from friends to make a copy, but still with no success.
    And at night I made a 100GB test part, wanted to restore some photos or .doc files, and after the whole restoring process I couldn't open them. I restored ~30GB of files, but just the .txt ones were all correct and I could open them>

    And another (maybe stupid) question - is it possible to move all the hex from offset 8257536 to the start and it's going to work? (0000000). It seems simple to me, but to my mind if it were so easy you would have told me that advice much earlier. Just asking; I'm a little irritated by my situation and what I have done

    Edit: Or is it possible to move the offset to some "place", because I want to just recover some files directly from the HDD (like 100GB, the rest of the files can go), but R-Studio doesn't see my portable HDD mounted, just the new test files created by me.
     
    Last edited: Dec 20, 2012
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You just need to find somebody who is good at editing partition tables, translating LBA to CHS etc. Tell them you need to define a single partition that starts at decimal offset 8257536 and fills the rest of the disk. Hopefully they will be able to provide you with the correct CHS values etc., and you can use the WinHex MBR template to fill them in and write the changes. TestDisk can do it too, and I'm sure there are other ways as well. I've done this sort of thing myself, but I'm not an expert at it.

    I wonder if the TestDisk developers would help you, or perhaps somebody on their forums? (forum.cgsecurity.org)

    Note that since the lost partition is fully encrypted, it has no identifying characteristics. It consists of fully random data from start to finish. Most partition recovery tools will not see it, as they are looking for known signatures. That's why the repair has to be done manually.

    Important: The partition's first sector must NOT be altered in any way, as it contains a vital portion of the TrueCrypt header.

    None of those options look correct to me. The lost partition is much larger than 7MB. Those are probably remnants of previous partitions that used to exist on the disk, or something like that.
    That's an interesting approach. It might actually work, but it's very high risk. You could move your data to the beginning of an existing partition, for example. Of course, one screwup and the whole thing will break. I wouldn't try it with real data, but just for fun I'll play with the idea and let you know.

    edit: I just tried it. It works fine on a small scale, but not for 1TB of data. WinHex needs to access large amounts of external storage before it can move that much data. However, if you are able to obtain that much additional disk space then you'll be better off just saving the entire partition as a file.
     
    Last edited: Dec 20, 2012
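    The manual repair described above (define a single MBR partition that starts at decimal offset 8257536 and fills the rest of the disk, with matching CHS values) comes down to writing one 16-byte partition entry. The Python below is an added example, not the thread's procedure, not WinHex's MBR template and not TestDisk: it translates LBA to CHS under the conventional 255-head/63-sector geometry, builds the entry, and splices it into a copy of the 512-byte MBR without touching anything else. It assumes an MBR disk with 512-byte sectors, uses the thread's start offset (8257536 bytes = LBA 16128) and the physical size reported in the thread (1000204885568 bytes), and the partition type byte 0x07 is an assumed value, not something the thread specifies. The script deliberately returns bytes rather than writing to a device.

```python
import struct

HEADS = 255                 # legacy geometry most BIOSes and Windows assume
SECTORS_PER_TRACK = 63
CYLINDERS_MAX = 1024
SECTOR = 512
ENTRY_TABLE_OFFSET = 446    # the four 16-byte partition slots start here
MBR_SIGNATURE = b"\x55\xaa"


def lba_to_chs(lba: int) -> tuple:
    """Translate a logical block address into (cylinder, head, sector) under
    255/63 geometry. Anything past the ~8 GB CHS limit is clamped to
    (1023, 254, 63), the conventional marker meaning 'use the LBA fields'."""
    if lba >= CYLINDERS_MAX * HEADS * SECTORS_PER_TRACK:
        return (1023, 254, 63)
    cyl, rem = divmod(lba, HEADS * SECTORS_PER_TRACK)
    head, sec = divmod(rem, SECTORS_PER_TRACK)
    return (cyl, head, sec + 1)          # CHS sector numbers are 1-based


def pack_chs(cyl: int, head: int, sec: int) -> bytes:
    """Three-byte MBR encoding: head; sector (6 bits) with the two high
    cylinder bits; low 8 cylinder bits."""
    return bytes([head & 0xFF, ((cyl >> 2) & 0xC0) | (sec & 0x3F), cyl & 0xFF])


def unpack_chs(raw: bytes) -> tuple:
    """Inverse of pack_chs, for verifying an entry before it is written."""
    head, sec_hi, cyl_lo = raw
    return (((sec_hi & 0xC0) << 2) | cyl_lo, head, sec_hi & 0x3F)


def partition_entry(start_lba: int, sector_count: int,
                    ptype: int = 0x07, bootable: bool = False) -> bytes:
    """Build one 16-byte MBR partition entry. 0x07 is an assumed type byte."""
    if not (0 < start_lba < 2**32 and 0 < sector_count < 2**32
            and start_lba + sector_count <= 2**32):
        raise ValueError("start/size outside the 32-bit MBR range")
    end_lba = start_lba + sector_count - 1
    return (bytes([0x80 if bootable else 0x00])
            + pack_chs(*lba_to_chs(start_lba))
            + bytes([ptype])
            + pack_chs(*lba_to_chs(end_lba))
            + struct.pack("<II", start_lba, sector_count))


def parse_entry(entry: bytes) -> dict:
    """Decode a 16-byte entry so the values can be checked against the plan."""
    start_lba, sector_count = struct.unpack_from("<II", entry, 8)
    return {
        "bootable": entry[0] == 0x80,
        "type": entry[4],
        "chs_start": unpack_chs(entry[1:4]),
        "chs_end": unpack_chs(entry[5:8]),
        "start_lba": start_lba,
        "sector_count": sector_count,
    }


def patch_mbr(mbr: bytes, index: int, entry: bytes) -> bytes:
    """Return a copy of a 512-byte MBR with slot `index` replaced. Bootstrap
    code, the other slots and the 0x55AA signature are preserved. Only sector 0
    is involved, so the partition's own first sector (which holds part of the
    TrueCrypt header) is never written."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    if not 0 <= index < 4 or len(entry) != 16:
        raise ValueError("bad slot index or entry length")
    pos = ENTRY_TABLE_OFFSET + 16 * index
    return mbr[:pos] + entry + mbr[pos + 16:]


def entry_for_offset(start_byte: int, disk_bytes: int) -> bytes:
    """Entry for a partition beginning at `start_byte` and filling the rest of
    the disk, e.g. the thread's 8257536-byte offset on a 1000204885568-byte disk."""
    if start_byte % SECTOR:
        raise ValueError("start offset must be sector aligned")
    start_lba = start_byte // SECTOR
    count = disk_bytes // SECTOR - start_lba
    return partition_entry(start_lba, count)


if __name__ == "__main__":
    entry = entry_for_offset(8257536, 1000204885568)
    print(parse_entry(entry))
    sample_mbr = bytes(510) + MBR_SIGNATURE        # constructed, empty MBR
    new_mbr = patch_mbr(sample_mbr, 0, entry)
    print(new_mbr[ENTRY_TABLE_OFFSET:ENTRY_TABLE_OFFSET + 16].hex())
```

    The intended workflow is: read sector 0 from the disk (or its image), run `patch_mbr` on it, inspect the result with `parse_entry`, and only then write the single 512-byte sector back with whatever tool you trust; the data partition itself is never modified, which is the condition stated above. A mount attempt with the volume password is again the real verification that the start offset is right.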
  11. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    Hello, it's me again

    I got another 1TB HDD and I'm making an image of my old disk from offset 8257536 (9h left)

    But I have a new problem. Today I tried to make another new test copy from 8257536 (1GB), I mounted it in TrueCrypt and next tried to use R-Studio to see the file list. Unfortunately, I just got the message "unable to open the volume because mft file is outside disk bounds". Any idea how I can fix it?

    I had just before analyzed the HDD with TestDisk (2 weeks ago)
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The size of your test file is only 1 GB, whereas the MFT on a 1 TB partition would be located much farther in than that. R-Studio probably read the MFT's location from the partition's boot sector and realized that the mounted (test) volume is too small to include it.

    Did you ask for help on the CGSecurity forums? I'm pretty sure some of the knowledgeable users there, or possibly even the TestDisk developers, would be able to help you manually edit your partition table, which ought to fix the entire problem. I suggest you provide them with a link to this thread so they will be able to better understand your situation. My expertise is more TrueCrypt related and I don't have the skills to safely accomplish what you need, but I believe that it would actually be a fairly minor procedure.

    PS: I'm curious. What program are you using to create the image?
     
    Last edited: Jan 8, 2013
  13. Hemus

    Hemus Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    7
    Yes, I asked on the CGSecurity forum and no one answered me and a mod blocked my thread.

    WinHex, Copy all into new file (start at 8257536)

    edit:
    FINISH! I recovered all of my data! I just mounted the copy in TC and I don't need to use R-Studio, all is fine. THANKS A LOT!
     
    Last edited: Jan 8, 2013
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I just checked your thread over there. It's mistakenly marked as "solved", and perhaps that's why they locked it. You could probably get it re-opened if you tried. Next time mention TestDisk as one of the ways you are attempting to fix the problem, otherwise they will think you're too far off-topic. TestDisk does have the ability to create partitions manually, and I've used it for that before.

    But ok, I'm hopeful that your WinHex procedure will work. Let me know how it turns out, ok?

    edit: Oh, I just read the edited portion of your post above mine. Wow, that's great! Congratulations!

    (PS: Better back up that data before it happens again!)
     
    Last edited: Jan 8, 2013