Truecrypt flash disk didn't mount and now doesn't decrypt

Discussion in 'encryption problems' started by pnil, Jul 25, 2016.

  1. pnil

    pnil Registered Member

    Jul 25, 2016
    United States

    Last week my sister brought me her TrueCrypt flash disk that she couldn’t mount. She shutdown her laptop before dismounting the disk in TC, and pulled out the disk after wards. When she attempted to use it again, windows asked to format it. The disk is a 64GB and all her critical data are on the disk, without any backups.
    I went through the same ordeal about six months ago, and was able to get it mounted and pull my files out thanks to Dantz and the procedure he outlined in this thread. But this time the procedure didn’t work.

    Here is what I did:
    When I loaded the physical disk in WinHEX, I realized that the first 9,388,031 bytes has no data (e.g. all zero). Upon closer examination of the encrypted disk I found out that, contrary to my own disk the other time, the encrypted disk has lots of bands of empty blocks scattered throughout the disk. I profiled the data and non-data blocks on the encrypted disk in this worksheet, showing both the table of offsets and a plot of the bands. Looking at the table, there are about 255 bands of alternating data and empty blocks of different sizes. The largest being a 28GB and a 32GB block at the end of the disk with a few bands between them (note that I have excluded these large blocks from the plot).

    I tried to find the beginning and end of the lost volume using Dantz’s procedure (e.g. creating test files and checking to see if they decrypt with restored header and original password). But I wasn’t able to decrypt any of the test files (I did it for about 30 data blocks from the beginning and end of the disk).

    Looking at the distribution of data and non-data blocks in the plot, one can clearly see a pattern of overwriting the disk data (as though the operating system was performing a format or wipe on the disk), but I can’t make anything out of it that could help me recover the data.

    I would appreciate any comments and suggestions that can help answer any of these questions:

    1. What caused the disk data to be “shredded” like this?
    2. Is it possible to recover any data from this disk?
    3. If not sure of the answer to no. 2, what procedures would you suggest to get to the point where we can be certain it will be recovered, or otherwise the disk should be formatted?

    Thanks in advance.