Truecrypt Header/Partition Corrupted

Discussion in 'encryption problems' started by Usermee, Nov 13, 2012.

Thread Status:
Not open for further replies.
  1. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Hi there, I am in a bit of a dilemma, any help will be greatly appreciated, I think I have just lost all my data (critical work I have done in the last 6 months) and my head feels like it's going to explode :(

    I had downloaded this file:

    http://computernetworkingnotes.com/images/tips_and_tricks/xp/download/solution.zip

    to create a system boot flash stick to install Windows to another PC. By accident I clicked on "quick format" and "create a dos startup disk" with file system FAT32, and by accident the device which was selected was my TrueCrypt encrypted HDD and not the flash stick. When I clicked "start" I got an error in TrueCrypt which said I can't do this with the device mounted, and the program gave an error; it didn't look like it actually did anything, however now my TrueCrypt password doesn't mount the encrypted partition of my HDD.

    I have tried to restore volume header from the backup embedded in the volume, however it now says "incorrect password or not a truecrypt volume".

    I do not have an external backup of this header, am i totally stuffed or is there some way I am able to get back into my drive and get my data back?

    Thank you so much for any assistance.
     
    Last edited: Nov 13, 2012
  2. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Re: Truecrypt Header Corrupted

    The options I had used when I created this encrypted drive a few months ago was as follows:

    "Encrypt a non-system partition/drive"

    "Standard TrueCrypt volume"

    Under volume location I selected the \device\Hardisk\Partition1

    I then selected "create encrypted volume and format it"

    Encryption Algorithm used was "AES"
    Hash Algorithm was "RIPEMD-160"

    It currently still displays my partition as follows:

    Harddisk 4:
    \Device\Harddisk4\Partition1
     
  3. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    I have followed the following steps described by Dantz in another thread:

    Open WinHex
    Tools
    Open Disk
    Physical Media (select the correct hard disk)
    Edit; Define Block; start 1048576, end 1248575 (the block is small because you can't save more than 200KB using the evaluation version)
    Edit; Copy Block; Into New File, name it "Test Outer.tc" & save it on a different disk.
    Close WinHex
    Open TC

    I was not able to mount the "Test Outer.tc"
     
    Last edited: Nov 13, 2012
  4. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Sorry to bump this, but is there anything I am able to do to restore the partition? Is there a program similar to TrueCrack with which I am able to use my password with in order to find the encryption keys or is this a lost case?

    Thanks.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I assume you were unsuccessful when you attempted to restore the header by using the embedded backup header? You received the "incorrect password etc." prompt?

    For partition encryption, TC's embedded backup header is located very close to the end of the partition. To find it, TC notes the location of the end of the partition and then looks backwards 131,072 bytes. If the header is not there or if it doesn't work (due to corruption, i.e. a full or partial overwrite) then you will see the "incorrect password or not a TC volume" prompt. The question is, what happened to the header? Was it overwritten, or is it merely lost?

    1) If the embedded backup header is in the correct location but it was overwritten then you're likely screwed. This would happen during a full format and probably certain other operations. I'm unfamiliar with the tool you mentioned, so I don't know what it might have done.

    2) If the tool changed the partition boundaries such that the end of the partition has been moved then the embedded backup header might still be intact, but TC would not be able to find it. Sometimes when this happens it's possible to look for it manually. Since an encrypted partition is a solid block of random data, it's often possible to view it in a hex editor and visually identify a specific transition point where the random data stops (and zeros begin, if you're lucky). Even if the partition's end point has been changed, the encrypted data will still end at the same place on the drive, and this location is probably the end point of the original partition. I'd try looking for it. If you think you've found it, the potential header can be tested using a technique similar to the one you posted earlier in the thread, but using different offsets. (You can practice on a small file-hosted container, as it works pretty much the same way.)

    It's also possible to search for the lost header programmatically. A user on the TC forum created a simple "drive walking" program that goes through a selected area of the drive, testing each block in an attempt to find a lost header. As far as I know that program is no longer available, but with programming skills it should be possible to create another one.

    Be aware that all of this is quite a long shot. You'll have to put in a considerable effort and learn a lot of new stuff, with no guarantee of success.
     
  6. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Thanks for the reply, much appreciated Dantz!

    I have identified the transition from zeros to the data area where the header is stored, it does indeed start at sector 1048576 as described by you in another post.
    I can now play around with changing the offset. I would just like to know how I would go about this: do I simply delete/remove an offset, save the file and try to mount it? Sorry if this is a very noob question, but I'm completely new to this.
    Would you be willing to perhaps take a look at the .tc file I have identified? I know you must be busy, but would greatly appreciate your assistance. I have tested this on a working tc drive which is the same size (2TB) and have found the encryption keys to be within a file of around 50kb.

    Thanks again for the assistance thus far.
     
  7. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Well it seems to have been successful, I'm hoping this is a good sign!
    I am able to mount "test outer.tc" now. Before when I tried this it would not mount and I have not done a thing to the drive.
    I am able to select from offset 1048576 to 1068575, save it and mount it with TC.
    What do I do from here? Can I simply backup the header from this file and restore it to the encrypted HDD?

    After mounting the "test outer.tc" I am able to see words as well as patterns (alphabet listed over and over and ASCII alphabet). I have also found a spot in the data which actually has the name of the volume which I named it before I lost access to the drive.

    I have to admit this is pretty exciting :D
    Awaiting your response on the edge of my chair!
     
    Last edited: Nov 22, 2012
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    So you've found the (primary) volume header and have got it working (in a test file)? That's great news! Much better than hunting for the embedded backup header.
    No, definitely don't do that. If it was going to work that way it would already be working, and you might do great harm by copying the header to the wrong location. Decryption is only possible if the header is located exactly the right distance from its data.

    I assume that the starting offset of your partition was changed during the accident, and that's why your header is still in the same spot on the hard drive but TC can no longer find it.

    You have two options now: 1) Recreate your partition (without formatting it!) such that it starts at 1048576 (decimal), right where the header also begins, or 2) use a hex editor to make a gigantic block-copy of the header and all the data behind it and save it as a new file. This is basically the same procedure you followed when you made the test file, only this time it will be much bigger. Big, long job.

    Make sure you don't delete your test file, as it now has a backup copy of your header. Things are looking quite hopeful now. It would be smart if you made a complete sector-by-sector backup of the drive before going any further, in case you screw up and make things worse.

    So the question is: Where does your partition actually begin? Mount the physical drive in WinHex, then click on the partition and see where it takes you. (And click once in the offset column to switch to decimal view)
     
  9. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Okay, excellent! Yes it seems that it is the primary header and is indeed working in the test file (test outer.tc).

    I have found the partition to begin at offset 32256 instead of the normal 1048576. I actually started a sector by sector backup last night after being successful with the "test outer.tc", it's a 2TB drive so it's going to take a while before it has completely backed up, at this time I'm only at 43% so it will be at least another 10 hours before I am able to try to recreate the partition in the correct place.
    Seeing as I will have the backup in place, would you rather suggest we try recreating the partition instead of doing option 2 as described in your previous post? And once I have this backup, where would I go from here?

    Thanks!
     
    Last edited: Nov 23, 2012
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You seem to be in good shape. I think that all you have to do is delete your existing partition and then create a new one, being careful NOT to format it when you do so. What's your OS? I believe that Windows 7 can do this easily by merely accepting the default settings for the partition, but it might wipe your TrueCrypt header in the process, so it's important that you keep your working test file as a backup. In fact, you should 'mount' the test file and perform a header backup on it first chance you get.
     
  11. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Okay cool, so basically I must right click the volume within windows 7 disk management, delete current volume and recreate volume as I did when I first bought the drive (being careful not to format it). I have already kept a backup of the test file and also backed up the header.
    Will it then mount within TC straight after the partition has been created or do I perform a restore header from within TC from the backup of the test file?
    Sorry for the extra (perhaps unneeded) questions, I just want to be precise when I do this as not to mess things up :)
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes. If given a choice make it a Primary partition. You don't need to assign a drive letter.
    If all goes well then it should be mountable immediately with no further intervention. If not then you might have to restore the header from your backup, but if that becomes necessary then I suggest you examine the first sector of the partition using WinHex before performing the restore, to see if Win7 did something it shouldn't have. (It should look like random data, not a partition boot sector, which among other things will contain some long strings of zeros).

    We can't be certain that this will work, so I hope you have a good backup.
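    The checks dantz describes in posts #5, #8 and #12 (find where the random-looking ciphertext begins and ends, derive from that where the primary header and the backup header 131,072 bytes before the partition end must be, and confirm that the first sector of the partition still looks random rather than zeroed or overwritten with a boot sector) can be scripted. The Python below is an added example written for this page, not a tool from the thread or from TrueCrypt. It works on an in-memory byte string standing in for a raw disk image, builds its own constructed demo image (seeded random bytes play the encrypted volume), and takes the partition boundaries as parameters; the 7.0 bits/byte entropy cut-off used to tell ciphertext from metadata is an assumed threshold. On a real 2 TB drive you would read sectors from the raw device rather than holding the image in memory, and you would work on the sector-by-sector backup, never on the original.

```python
import math
import random
from typing import Dict, Tuple

SECTOR = 512                         # sector size the thread works in
TC_BACKUP_HEADER_DISTANCE = 131072   # backup header sits this far before the partition end (dantz, post #5)
RANDOM_ENTROPY_THRESHOLD = 7.0       # bits/byte; assumed cut-off: ciphertext sectors score ~7.6, metadata far less


def sector_entropy(sector: bytes) -> float:
    """Shannon entropy of one sector in bits per byte (0.0 for all-zero, ~7.6 for 512 random bytes)."""
    counts = [0] * 256
    for b in sector:
        counts[b] += 1
    n = len(sector)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_sector(sector: bytes) -> str:
    """'zero' (all 0x00), 'random' (ciphertext-like) or 'structured' (boot sector, filesystem metadata, text)."""
    if not any(sector):
        return "zero"
    return "random" if sector_entropy(sector) >= RANDOM_ENTROPY_THRESHOLD else "structured"


def longest_random_run(image: bytes) -> Tuple[int, int]:
    """Byte offsets [start, end) of the longest contiguous run of random-looking sectors: the encrypted volume."""
    best, run_start = (0, 0), None
    nsectors = len(image) // SECTOR
    for i in range(nsectors + 1):    # one extra iteration closes a run that reaches the end of the image
        is_random = i < nsectors and classify_sector(image[i * SECTOR:(i + 1) * SECTOR]) == "random"
        if is_random and run_start is None:
            run_start = i
        elif not is_random and run_start is not None:
            if i - run_start > best[1] - best[0]:
                best = (run_start, i)
            run_start = None
    return best[0] * SECTOR, best[1] * SECTOR


def audit_volume(image: bytes, partition_start: int, partition_end: int) -> Dict[str, object]:
    """Compare where the partition table says the volume lies with where the ciphertext actually lies."""
    rand_start, rand_end = longest_random_run(image)
    backup = partition_end - TC_BACKUP_HEADER_DISTANCE
    report = {
        "random_start": rand_start,
        "random_end": rand_end,
        "primary_header_offset": partition_start,
        "primary_header_state": classify_sector(image[partition_start:partition_start + SECTOR]),
        "backup_header_offset": backup,
        "backup_header_state": classify_sector(image[backup:backup + SECTOR]),
    }
    if partition_start == rand_start:
        report["diagnosis"] = "primary header sector intact at partition start; try mounting"
    elif report["primary_header_state"] == "zero" and rand_start == partition_start + SECTOR:
        report["diagnosis"] = "first sector zeroed: header overwritten, restore it from a header backup"
    else:
        report["diagnosis"] = ("partition boundary does not match ciphertext start: "
                               "recreate the partition at random_start without formatting")
    return report


def write_sector(image: bytes, offset: int, sector: bytes) -> bytes:
    """Return a copy of the image with one sector replaced (what post #16 did with the header from the test file)."""
    assert len(sector) == SECTOR and offset % SECTOR == 0
    return image[:offset] + sector + image[offset + SECTOR:]


def build_demo_image() -> bytes:
    """Constructed stand-in for a raw disk: a fake MBR, 3 zero sectors, a 512-sector 'encrypted' volume, 4 zero sectors."""
    rng = random.Random(20121113)    # fixed seed so the demo is reproducible
    mbr = b"CONSTRUCTED MBR (not a real partition table)".ljust(SECTOR, b"\x00")
    volume = bytes(rng.getrandbits(8) for _ in range(512 * SECTOR))
    return mbr + bytes(3 * SECTOR) + volume + bytes(4 * SECTOR)


DEMO_PARTITION_START = 4 * SECTOR    # 2048: where the constructed volume really begins
DEMO_PARTITION_END = DEMO_PARTITION_START + 512 * SECTOR


if __name__ == "__main__":
    healthy = build_demo_image()
    print("healthy: ", audit_volume(healthy, DEMO_PARTITION_START, DEMO_PARTITION_END)["diagnosis"])
    # the thread's two failure modes: a moved partition boundary, then a zeroed first sector
    print("moved:   ", audit_volume(healthy, SECTOR, DEMO_PARTITION_END)["diagnosis"])
    damaged = write_sector(healthy, DEMO_PARTITION_START, bytes(SECTOR))
    print("zeroed:  ", audit_volume(damaged, DEMO_PARTITION_START, DEMO_PARTITION_END)["diagnosis"])
    header_backup = healthy[DEMO_PARTITION_START:DEMO_PARTITION_START + SECTOR]   # the 'test file' copy
    repaired = write_sector(damaged, DEMO_PARTITION_START, header_backup)
    print("repaired:", audit_volume(repaired, DEMO_PARTITION_START, DEMO_PARTITION_END)["diagnosis"])
```

    The diagnosis branch that matters for this thread is the second one: the partition table points at the right place, but the sector there is all zeros and the ciphertext begins exactly one sector later, which is what a tool that rewrites the first sector of a new partition leaves behind. Entropy alone cannot confirm that a candidate sector is a usable TrueCrypt header (only mounting it with the password does), so the script narrows down where to look and what to restore; the actual mount test stays with TrueCrypt itself.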
     
  13. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Okay, just re-partitioned it now, it did not mount however, checked the sectors and it now starts on sector 1049088 instead of sector 1048576, where I'm guessing TC is trying to look for the key.
    Backup in place and secure.
     

    Last edited: Nov 23, 2012
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    1049088? That's one sector off. Are you referring to the beginning of new partition or the beginning of the random data? I've never heard of Win7 creating a partition at 1049088. Maybe the partition starts at 1048576 but Win7 decided to zero out the first sector?

    In WinHex, open the physical disk and then click on the partition (should be listed) and see where it takes you.
     
  15. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Yes, you are correct, it looks like it zeroed out the first sector. The partition does start at 1048576.
     
  16. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    Dantz, you are the MAN! Thank you so so much! Wow amazing :D
    I just copied that sector from the backup test file to the drive, replacing the zeroed sectors, and it mounts and I can see all my data. Thank you, thank you, you are a life saver, wow haha :D
    And from now on I will keep backups of all my headers ;)
     
  17. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Congratulations!
     
  18. giuseppe

    giuseppe Registered Member

    Joined:
    Apr 22, 2013
    Posts:
    7
    Location:
    Italy
    Hello everyone,

    I am having a similar problem... Today when I tried to mount my HD in Linux I got the message "Incorrect password or no TrueCrypt volume found."

    I tried to restore my header previously backed up, but still, I get the same error.

    In this HD there are my family's photos and I do not want to lose them forever :'(

    Could someone please help me with this?

    The OS is Debian 64Bit and the HD is EXT4 File-System
     