Truecrypt Header Backup

Discussion in 'encryption problems' started by jin0, Sep 28, 2016.

  1. jin0

    jin0 Registered Member

    Joined:
    Sep 28, 2016
    Posts:
    3
    Location:
    Singapore
    Hello,
    I wanted to see how the backup and restore of the volume header work with my 3TB hard disk and I created three non-system standard encrypted partitions, each allocating around 931GB with a same password. I always create raw partitioins first and then encrypt them with truecrypt with quick format disabled. I backed up the volume header of each of the three partitions and saved them as three separate backup file. Next I deleted the first partition and recreated it over its unallocated space and repeated this for the second and the third partitions in an attempt to increase the possibility of recovering files in each partition. Finally I restored the volume headers using the backups created earlier.
    The problem is only the first partition is mounted fine and the other two are mounted raw partitions that I can do nothing but format them. I repeated this whole process several times to make sure I did not make any mistake in the middle. I created different passwords for the three partitions but it did not make any difference. I also tried mounting the third partition first, but despite all these attempts, it was always the first partition that is mounted and works fine and the other two were always mounted as raw.
    Please tell me what I am missing here?
    Thank you in advance
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Let's discuss some disk geometry. In your example you create three working encrypted partitions. At that point all are opening fine and seem to be just right. So far so good. Now you decide to get creative and completely blow away one of the partitions (if I understand your post correctly). Guess what, when you remove a partition you have just instantly changed the MBR on the device. The MBR resides in the first 512 bytes, assuming your disk is not GPT formatted. There are four slots of 16 characters = 64 that define the partition geometry to the OS. Those 64 spaces immediately follow the first 446 of the disk bootloader space on the MBR. The final 2 spaces are for disk ID. Now, should you attempt to open one of the encrypted partitions using geometry that doesn't point correctly, it won't go well. If you understand how it works you can place an encrypted volume absolutely anywhere and call it using other means by specific byte address range. I used to do it all the time, but that is another thread.

    Let me help you accelerate the learning process on your huge disk. Is there any chance you are using Linux, or are we dealing with Windows? You can play with a much smaller disk to learn, OR you can create three very small partitions on the 3TB drive and leave, say, 2.8TB as unallocated behind the three partitions just to accelerate your learning. Staying with Windows, go ahead and create those three partitions and encrypt them. The password means nothing at this point. You will create separate header keys using TC for each volume. BTW - my opinion is that you might want to consider VeraCrypt as a better option ----- again, my opinion. Once you have those three volumes all working during the initial creation you can create volume header backups. NOW also save a copy of the MBR. It's 512 bytes, but as mentioned above it controls direction of the disk geometry. On a normal working 3 TB external you will never just delete a partition unless an accidental operator error happens.

    There is nothing in your post above regarding how you created those backups. I am not questioning you, just mentioning in passing that I will assume you are doing it correctly.

    Hopefully you know how to backup an MBR. If not ask away.

    If you are restoring those partitions intact (no errors) you could place them anywhere on the disk platter. Now you just need to learn how to direct/call out to those locations and TC will use them. The easiest way is to simply restore the MBR and as long as the volumes are geometrically in the SAME location the saved MBR will point correctly.

    I cannot tell you how many times a user screams and moans and if ONLY they had made an MBR copy they would be fine.

    Please understand I have many questions as your post leaves some ambiguity on a few things. I can tell from your manner of posting that you are not a newbie to most of this.
     
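As an added example (not code from the thread or from TrueCrypt/VeraCrypt), the following Python parses the partition table Palancar describes and compares a saved 512-byte MBR image against the current one, reporting which slot's geometry moved, the situation that leaves a restored volume header pointing at the wrong sectors. All partition entries and sizes are constructed test data; the two trailing bytes are checked as the 0x55AA boot signature, and because the LBA fields are 32-bit, anything past 2 TiB needs GPT, which this parser does not handle.

```python
import struct

SECTOR = 512
PT_OFFSET = 446          # the partition table follows the 446-byte boot code area
ENTRY_LEN = 16           # four 16-byte entries = 64 bytes
BOOT_SIG = b"\x55\xaa"   # signature in the last two bytes of the sector
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skip), type, CHS end (skip), start LBA, sector count

def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PT_OFFSET + slot * ENTRY_LEN
        status, ptype, start_lba, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_LEN])
        entries.append({"slot": slot, "type": ptype, "start_lba": start_lba,
                        "sectors": sectors, "bootable": status == 0x80})
    return entries

def header_byte_offset(entry: dict) -> int:
    """Byte address of the partition's first sector, where the standard TC volume header sits."""
    return entry["start_lba"] * SECTOR

def compare_mbr(saved: bytes, current: bytes) -> list:
    """List slots whose geometry differs between a saved MBR backup and the current MBR."""
    diffs = []
    for old, new in zip(parse_mbr(saved), parse_mbr(current)):
        if old["type"] == 0 and new["type"] == 0:
            continue  # slot unused in both
        if (old["type"], old["start_lba"], old["sectors"]) != (new["type"], new["start_lba"], new["sectors"]):
            diffs.append(f"slot {old['slot']}: saved start={old['start_lba']} len={old['sectors']}, "
                         f"current start={new['start_lba']} len={new['sectors']}")
    return diffs

def build_mbr(partitions, disk_sig=0x1234ABCD) -> bytes:
    """Constructed MBR for testing: zero boot code, disk signature at offset 440, entries, 0x55AA."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, disk_sig)
    for slot, (ptype, start_lba, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + slot * ENTRY_LEN, 0x00, ptype, start_lba, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

# Constructed scenario: three 100 GiB partitions backed up, then slot 1 deleted and recreated 1 MiB later.
GIB100 = 100 * 1024 ** 3 // SECTOR
SAVED_MBR = build_mbr([(0x07, 2048, GIB100), (0x07, 2048 + GIB100, GIB100), (0x07, 2048 + 2 * GIB100, GIB100)])
CURRENT_MBR = build_mbr([(0x07, 2048, GIB100), (0x07, 4096 + GIB100, GIB100 - 2048), (0x07, 2048 + 2 * GIB100, GIB100)])
```

On Linux the live sector can be captured with `dd if=/dev/sdX bs=512 count=1 of=mbr.bin` and handed to `compare_mbr` alongside the saved backup; an empty result means the saved MBR still matches the disk.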
  3. jin0

    jin0 Registered Member

    Joined:
    Sep 28, 2016
    Posts:
    3
    Location:
    Singapore
    Thank you very much for your detailed reply.

    First of all, I am using Windows 10. I did not know very much about the MBR, especially its role in the disk geometry. I thought it was only necessary for loading the system. And thanks to you, my problem became crystal clear; I really appreciate it.
    I read my original post again and it said I encrypted the partition with quick format disabled, but I miswrote it. I actually encrypted it with quick format because testing this with full format would take such a long time.

    I created the volume header backups by using TC. I clicked "Select Device", selected one of the 3 partitions, went to "Tools", and selected "Backup Volume Header." The same for the restoration process, this time by selecting "Restore Volume Header". Please correct me if I am doing something wrong.

    So if I understood your points correctly, in addition to the backup of the volume headers, I need to make a backup of the MBR, and the volumes should be geometrically in the same location.
    I did a quick research and found the following link, from which I will use one of the tools.
    https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/
    As for the disk geometry, I deleted the first partition and created a partition again over the consequent unallocated space for the partition to be created in the SAME location. But if all three partitions were deleted at the same time, how can I restore the three partitions in their exact previous locations? Using imaging software would require 3TB of backup space so it's not a viable option.

    If my 3TB is GPT formatted, what are the tools I can use to backup and restore the MBR counterpart? I searched online but they were mostly Linux related or backing up the whole GPT partition.

    Also, if somebody deleted the whole disk and created new partitions (quick format), that means not so much space was overwritten. In that case, would it be a better idea to use TestCrypt to analyze the whole disk and recover the files in each of the three partitions by mounting them one by one? I am asking this because once I lost one encrypted primary partition but successfully recovered all the files by analyzing the whole disk and mounting the lost encrypted partition using TestCrypt. But it was only one 200GB encrypted partition, with two other small unencrypted partitions. This time it is a 3TB HDD with three partitions. I don't think it would make much difference, but I think I read somewhere that TestCrypt is the last resort when the volume header restoration does not work.

    Finally, if these three encrypted partitions were formatted to normal unencrypted partitions, which can be done by clicking the unmounted drive in Windows Explorer followed by clicking the format button (again quick format), it will reduce the possibility of recovering files due to the overwriting of the 300 to 400MB of system volume information, right? If this does not affect the recovery of the files, this would be much simpler than the above procedure...
    And in this case, the backup and restore of the volume headers would work without backing up and restoring the MBR?

    I am sorry, I just found out that I asked you around five questions. Again I really appreciate your help.
    Thank you.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Let me step back and discuss your overall procedural approach. TrueCrypt/VeraCrypt are great encryption tools designed to COMPLETELY overwrite and encrypt every sector on a device, partition, or file based volume, depending upon your mission for the software. If I understand you correctly you are not going about using it properly. There is NO way to short-circuit the time needed to encrypt every sector within the volume area. In your example you are using 3 partitions and creating 3 independent volumes. That means that to capitalize on the encryption "powers" and to conceal the amount of data stored on those volumes you must encrypt every sector. That leaves Quick format as a terrible choice! You do not need to use all 3 TB on your external drive. If your data needs are much smaller and yet you still want to create three partitions you may do so. You always have the option of leaving unallocated space behind the volumes on the disk. OR another option would be to create a large FAT32 partition after the 3 encrypted volumes, and then you can easily monitor the space for staying clean. FAT32 is not a logging filesystem, so it won't journal unrelated activity while you are using those 3 encrypted volumes. I personally don't like ANY unencrypted workspace on my disks, so I would encrypt everything. That is my take.

    Since you are new here you have to consider the amount of data you are going to store and what are your future needs for space. There is no harm in having a 1 TB volume with only 200 meg inside it.

    On your quick format approach I wanted to point out that TC is not going to support a dynamic volume approach. You can't make a 300 Gig volume and then later "grow it" to 1 TB because your needs have changed. You would have to start over creating a 1 TB and then migrate the 300 Gig of data over from another media.

    Study and learn what you are attempting to do on a smaller media. If you were on Linux you could grab an 8 Gig flash and create multiple partitions and go through the process quite quickly. Unfortunately Windows isn't smart enough to know a flash can do that!

    I do feel your pain on the TIME thing. In the past week I have re-worked six external drives all > 1TB due to some code changes I made in preparation.

    So, now it comes down to your decisions. If you are going to utilize 3 large encrypted partitions the TIME needed to create them MUST be spent. I have spare computers so I simply use them and let them run (sometimes it's a full day or more for large drives).
     
  5. jin0

    jin0 Registered Member

    Joined:
    Sep 28, 2016
    Posts:
    3
    Location:
    Singapore
    Yes, I had read before that quick format shows how much of the disk space was actually encrypted, therefore not secure enough. I'm doing quick format just for testing this backup and recovery. Once I get the hang of what to do and how to do it if these disasters should take place, I'm going to save my files after full format encryption. Each 1 TB took 2-3 hours for full format.
    Thank you for your concern.
    BTW what about my other questions?
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Sorry I am quite busy doing some code work this week.

    I am going to avoid your question on GPT because while I know it, it's not at the "instructor/coder" level. If someone else wants to point you along so be it.

    You had asked a few questions above about IF the volume headers cannot be restored. In the case where a volume header is gone/broken/password lost/etc..... there will be NO recovery. I don't care if you use any software you want. Without a header key to open the volume all data will appear as gibberish at best! Once a volume header is used to open/access a volume there are scores of nice data recovery programs that will get back much of your stuff --- assuming the sectors have not been overwritten. Relying upon recovery in that circumstance is a fool's folly though.

    If you are going to spend time developing strategies and learning, it should be employing backups and good OPSEC upfront. I have never lost partition data due to Windows. Has Windows hit me, you bet. But my backups and other protections in place made restoration a snap. Now I know how to handle Windows and I don't get hit any longer, but early on as a casual user you just experience the learning curve.

    I suggest rather than farting around with quick format (trying to help here) you simply create 3 full format small partitions on that drive and leave a huge unallocated space behind them. This way you get a real world feel for how recovery works.

    You also asked a question or two about MBRs. Windows is the worst at breaking them. During an update Windows will, with regularity, decide a fully encrypted disk is broken. Hey, I'll just be nice and fix it while updating my system disk. Thanks, get my drift?? Restoring or rebuilding an MBR is easy, but strange as it may be, many software products do NOT create the exact same MBR. In your case you are going to have 3 TB encrypted, so protecting access by backing up 512 bytes is easy.

    Sometimes I feel like a lone "ranter" here, but I have done this code for over a decade. I am much more relaxed now since my Linux machines don't keep trying to break my archives. It's smart enough to leave my totally encrypted devices alone. I also do not use MBR/partition based encrypted externals anymore. There is a thread here I just UP'd recently discussing my position on this issue. It's NOT a security thing strictly speaking, but on the other hand it is. Just so you are aware.
     