TrueCrypt Hidden Device Stopped Working - Container Still Works

Discussion in 'encryption problems' started by sarthaz, Jan 27, 2016.

  1. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    I have a USB drive that is encrypted as a hidden device. I haven't done anything with the outer container in months, and I mount the hidden device daily using the same process. Today it started telling me "Incorrect password or not a TrueCrypt volume." So I tried the outer volume password, and it worked just fine and mounted the outer volume. If I try to mount the outer volume with hidden volume protection, though, it won't let me do it -- again not recognizing the hidden volume. I've attempted to mount using the internal backup volume header, but I receive the same frustrating result. Nothing strange has happened on my system that I'm aware of, so this is very peculiar. As I said, I haven't mounted the outer volume in months, so I didn't overwrite the hidden volume in that manner.

    Is there a special process for recovering a hidden volume header? I do not think I made a backup of the volume header to another location, but if I did, I've lost track of it. Is there a signature I can use to try to find it on my system in case I saved it somewhere crazy?

    Thank you for any help!
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
Flash or external hard drive? Sounds like a flash. Further: confirming you are mounting with a password, not a keyfile + password?

If it's a small flash stick type volume you may have just worn it out. They only go so long. Have you tried going to another computer and opening the volume? Really long shot, but it's a few seconds to give that a try.

    I guess you realize finding the backup volume header would be a good thing. You may have to clone the entire device to another stick and then restore the backup header to it.
     
  3. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    My apologies for not providing more information. It's a Western Digital My Passport, so not a flash drive. And password only.

    Is there a method I can use to search all my devices for a backup header? A file size or signature or forensic tool designed for said task?
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Read my post # 4 of this link. It tells you exactly where the hidden volume header is located. Don't worry VeraCrypt and TrueCrypt use the same code for this process. The address area discussed in post # 4 MUST be intact for any hidden volume to mount. No exceptions --- ever!

    https://www.wilderssecurity.com/threads/hidden-truecrypt-volume.382915/

    Am I correct in that you are using Windows? Linux works well for device encrypted volumes too, so I am still eliminating areas to look under.

    TrueCrypt does not ever make an automatic backup of a hidden device encrypted volume header. It does on a Windows FDE system disk. A backup in that instance would likely be on the original machine which created the volume. You would have had to intentionally and purposefully make a volume header backup to have one available to you. I would think you might remember that if you made one. The process sort of stands out in most minds, although over time I could see someone having a lapse of memory IF they used many volumes and such.

    You have a working outer volume so you could use a hex editor and copy that header into a file and then search for matching "numerals" on your system, but that of course assumes you haven't changed the password which would then significantly change the header as well.

    There is no way to re-create a valid hidden volume header. Either you possess one or you don't. Backup volume headers are very small in size 128-131 K, but what life savers they are.

    Good luck
     
  5. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    Thank you so much for your continued assistance. I am using Windows. I know it sounds crazy, but I may have made a backup header, buried it somewhere I thought I'd never forget and then ... forgot. Knowing the file size and the earliest date of modified file on my outer container gives me some search criteria to see if something jogs my memory.

I haven't changed the password to the outer or hidden volume since I created them, and I think I understand what you're saying about using the known working portion of my header to search my files for something similar. Is there a method for determining if my hidden header has been corrupted (beyond the fact that it clearly appears that way)? Dumb question, perhaps, but if only one byte was wrong, and I knew which one it was, could I brute force my way back in trying every combination of what it could be, since I know the password?
     
  6. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    Attempted to follow the steps here: https://www.wilderssecurity.com/threads/crc-error-truecrypt-cant-mount-volume.357357/#post-2319082 to see if I can find an embedded backup header, but when I get to Step 8, it won't let me type a large enough number in the End part of the Define Block section. Do I need to be using a different hex editor than WinHex? I am dealing with a 1.8TB drive.

    The WinHex FAQ indicates it can handle disk sizes up to "about 2000GB", which is cutting it close, but the text field stops 4 characters short of the offset I'm typing, which gets me nowhere near 2000GB. http://www.winhex.com/winhex/faq.html
     
    Last edited: Jan 28, 2016
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
You unfortunately are finding out how the stealth and code of TrueCrypt is working against you on your current mission. When an encrypted volume is formed it creates an exact same size header at all times. Even if there is no hidden volume the header is the same size as when there is a hidden volume. This masks any ability to determine whether or not such a hidden volume exists. Great code, but right now it sucks for you. The address (hidden volume's) I linked in the above thread is filled with random bytes when you created the outer volume. Then when you created the hidden volume it was re-structured by TC. There is absolutely no way to know which one or more bytes have been changed unless you have an original header backup to use as a comparison. It is necessary for this to be coded that way so that no adversary can determine IF there is a hidden volume. I have used and played with this code for many years now. It's good.

It may help you to picture this if you made a volume header backup right now. I realize that the current hidden volume portion isn't working but the header size is still unchanged. Then when you see the backup header size on your system you can simply do a search for any file with a matching size. It's much faster than looking for an exact match by byte. Maybe you can set a size range and allow for just a few bytes' differential.
     
  8. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    Thank you for the suggestion. I've actually tried both of those things now. I've searched my system for all files less than 1 MB containing the first hex block on my device and found nothing. However, when I tried to create a new header backup, it creates a new salt, so turns out it wouldn't be the same anyway. I've also searched for all files between 127KB and 132KB and nothing looks useful. Right now, I'm searching my entire encrypted volume for the first hex block to see if there's a backup header somewhere on the volume itself. Isn't there supposed to be an embedded backup header?

What I don't understand is how this happened in the first place. Unless there's a bug in TrueCrypt itself that wrote bogus blocks onto my drive, it seems the more likely scenario is some kind of damage to the disk itself. There's no SMART info on the drive that says something went wrong, but something must have. Like I said, I don't mount the outer volume, so I didn't overwrite the hidden volume that way. If the disk was somehow damaged, wouldn't it be possible to find where that damage occurred, map that to the portion of the header that is now incorrect, and brute force through it (assuming it's a small enough section of the header)? I'm not opposed to running an algorithm for the next 5 years until it figures it out. :)

    Is it possible that a sector went bad and the drive tried to map it somewhere else and TrueCrypt can't find it?
     
  9. sarthaz

    sarthaz Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    6
    Perhaps someone can answer this question for me:

    According to your link, TrueCrypt stores the standard volume header at 0-512 and the hidden one at 65536-66047
    According to dantz's instructions in the next link, I can find the embedded backup header at the end of the device, 131071 bytes before the end to be precise.

    Is there an embedded backup of the hidden volume header?
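Editor's note, added example (not code from the thread, from TrueCrypt, or from any poster): the script below puts the layout questions in posts #4 and #9 and the "one wrong byte" question in posts #5 and #8 into runnable form. It uses the published TrueCrypt 6+/VeraCrypt volume format: four 512-byte headers, each at the start of a 64 KiB region (standard at 0, hidden at 65536, embedded backups at size-131072 and size-65536); bytes 0-63 of each header are an unencrypted salt, and after decrypting bytes 64-511 TrueCrypt accepts the header only if it starts with "TRUE" and two CRC-32 fields match. The script does not decrypt headers (that needs PBKDF2 plus XTS with AES/Serpent/Twofish, outside the standard library); the plaintext header it builds is constructed test data, and the data-area offsets it fills in for a hidden volume are an illustrative assumption.

```python
"""Header layout helpers for a TrueCrypt 6+/VeraCrypt volume (added example)."""
import io
import os
import struct
import zlib

HEADER_SIZE = 512      # one header is 512 bytes ...
HEADER_AREA = 65536    # ... at the start of a 64 KiB reserved region
SALT_SIZE = 64         # bytes 0-63: unencrypted PBKDF2 salt
MAGIC = b"TRUE"        # first four *decrypted* bytes (offset 64) of a valid header


def header_offsets(volume_size: int) -> dict:
    """Offsets of the standard, hidden and both embedded backup headers."""
    if volume_size < 4 * HEADER_AREA:
        raise ValueError("volume too small for four header regions")
    return {
        "standard": 0,
        "hidden": HEADER_AREA,
        "backup_standard": volume_size - 2 * HEADER_AREA,
        "backup_hidden": volume_size - HEADER_AREA,
    }


def carve_headers(dev, volume_size=None) -> dict:
    """Read the four candidate headers from bytes or an open seekable device/image."""
    if isinstance(dev, (bytes, bytearray)):
        volume_size = len(dev)
        dev = io.BytesIO(dev)
    out = {}
    for name, off in header_offsets(volume_size).items():
        dev.seek(off)
        out[name] = dev.read(HEADER_SIZE)
    return out


def parse_decrypted_header(hdr: bytes) -> dict:
    """Validate a *decrypted* header the way TrueCrypt does (magic + two CRC-32s).

    Any failure here is what the user sees as "Incorrect password or not a
    TrueCrypt volume": the salt is not covered by a CRC, but a damaged salt
    yields a wrong derived key, so the magic check fails instead.
    """
    if len(hdr) != HEADER_SIZE:
        raise ValueError("header must be 512 bytes")
    body = hdr[SALT_SIZE:]                     # body[i] == hdr[64 + i]
    if body[:4] != MAGIC:
        raise ValueError("bad magic: wrong password/salt or damaged header")
    if struct.unpack(">I", body[188:192])[0] != zlib.crc32(body[:188]):
        raise ValueError("header CRC mismatch (bytes 64-251 damaged)")
    keys = body[192:448]                       # master keys, hdr[256:512]
    if struct.unpack(">I", body[8:12])[0] != zlib.crc32(keys):
        raise ValueError("master key CRC mismatch (bytes 256-511 damaged)")
    ver, minver = struct.unpack(">HH", body[4:8])
    hidden_size, vol_size, start, size = struct.unpack(">QQQQ", body[28:60])
    flags, sector = struct.unpack(">II", body[60:68])
    return {"header_version": ver, "min_program_version": minver,
            "is_hidden": hidden_size != 0, "hidden_volume_size": hidden_size,
            "volume_size": vol_size, "data_start": start, "data_size": size,
            "flags": flags, "sector_size": sector, "master_keys": keys}


def build_plaintext_header(volume_size, hidden_size=0, master_keys=None) -> bytes:
    """Constructed test data: a plaintext header with correct CRCs (a real one is encrypted)."""
    keys = master_keys or bytes([0x42]) * 256
    body = bytearray(HEADER_SIZE - SALT_SIZE)
    body[:4] = MAGIC
    struct.pack_into(">HH", body, 4, 5, 0x0700)          # header v5, min program 7.0
    struct.pack_into(">I", body, 8, zlib.crc32(keys))
    if hidden_size:   # assumption: hidden data = last hidden_size bytes before the backups
        start, size = volume_size - 2 * HEADER_AREA - hidden_size, hidden_size
    else:             # outer/standard volume: everything between the header areas
        start, size = 2 * HEADER_AREA, volume_size - 4 * HEADER_AREA
    struct.pack_into(">QQQQ", body, 28, hidden_size, volume_size, start, size)
    struct.pack_into(">II", body, 60, 0, 512)            # flags, sector size
    struct.pack_into(">I", body, 188, zlib.crc32(body[:188]))
    body[192:448] = keys
    return bytes(range(SALT_SIZE)) + bytes(body)         # constructed salt


def single_byte_damage_detected(hdr: bytes, position: int) -> bool:
    """Flip one bit in the encrypted part (64-511) of a valid plaintext header and
    report whether validation rejects it; every byte there is CRC-covered."""
    if not SALT_SIZE <= position < HEADER_SIZE:
        raise ValueError("position must be in the CRC-covered range 64-511")
    damaged = bytearray(hdr)
    damaged[position] ^= 0x01
    try:
        parse_decrypted_header(bytes(damaged))
        return False
    except ValueError:
        return True


def find_files_by_size(root: str, sizes=(2 * HEADER_AREA, HEADER_SIZE)) -> list:
    """Walk `root` for files sized like a header backup: 128 KiB for a TrueCrypt 6+
    backup of both headers (the ~128-131K the thread mentions), 512 for a raw dump."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                if os.path.getsize(p) in sizes:
                    hits.append(p)
            except OSError:
                pass
    return hits
```

On a real device you would open it read-only (`open(r"\\.\PhysicalDrive1", "rb")` on Windows, the block device on Linux) and pass its byte size to `carve_headers`; the carved regions cannot be told apart from random data without the password, which is exactly the point post #7 makes. The brute-force idea in posts #5 and #8 is bounded by what `single_byte_damage_detected` illustrates: one unknown byte in 64-511 is 255 candidates per position, but each candidate costs a full PBKDF2 derivation plus XTS decryption and you do not know which position changed, so the search is 448 positions times 255 values at best, and a multi-byte or salt-region change grows far beyond that.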
     