TrueCrypt hidden partition recovery problem

Discussion in 'encryption problems' started by kalashbr, Feb 22, 2014.

Thread Status:
Not open for further replies.
  1. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    I have a 2tb HD, on which I did whole-disk encryption using TrueCrypt.
    Unintentionally today, when using a disk formatter to format my pendrive, I wrongly selected my encrypted disk to format instead of my pendrive, and the program gave an error saying that the disk was protected against data change.

    Note that the TrueCrypt partition was unmounted when this problem happened.
    After seeing the **** that I did, I went into TrueCrypt to mount the partition and used the password, after which this message appeared: "incorrect password or not a truecrypt partition recovery". As I had no backup of the header, I went into restore from header volume.

    So I did this procedure; now I'm able to mount the partition with my password without getting the error, but the mounted disk is empty and Windows does not recognize anything and asks me to format.

    What step should I take to try to recover my files?

    Thank you in advance for all the help.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I don't quite understand this statement. Could you rephrase it or explain it differently?

    Did you use the embedded backup header to restore the volume header?
     
  3. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Yes, I used the embedded backup header to restore the volume header (Volume Tools / Restore Volume Header).

    After I did this procedure I was able to mount the volume in TrueCrypt using my password, as you can see below (ONLY WITH HIDDEN PASSWORD):
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Capturar.JPG

    But when I access the mounted volume I receive the message below:
    Format your disc in volume V: to be able to use it. Do you want to format?
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Capturar1.JPG

    V:\ is not accessible. The volume does not contain a recognized file system. Please make sure that all required file system drivers are loaded and that the volume is not corrupted.
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Capturar2.JPG

    Yesterday I bought a new 4tb HD and I did the raw copy to it, so that we can try to fix this problem on a new HD. You can see the new HD below:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Capturar3.JPG
     
    Last edited: Feb 28, 2014
  4. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
  5. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
  6. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Let's assume that right now everything that I post here is using my new 4tb HD, which I used to RAW copy from my original 2tb HD.

    The original 2tb HD is safe... with no changes.

    Below are the screens in GetDataBack NTFS with the partition mounted in TrueCrypt:

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/getdatantfs1.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/getdatantfs2.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/getdatantfs3.JPG


    Now I'm trying to do it with GetDataBack FAT, but I think it is NTFS, because I have an identical external HD, with the same encryption and the same size, and when I mount it, Windows properties says that it is NTFS. I did the encryption of the bought HD (2tb) on the same day, with the same password and the same encryption mode.
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    What about the outer volume? Are there any files in there?

    If GetDataBack finds nothing then you can try two things: Try using Photorec to explore the mounted hidden volume. See if it can locate any of your files. Try doing this on the mounted outer volume as well.

    If that doesn't find anything at all then you should examine both mounted volumes (one at a time, of course) with WinHex to see if you can find anything recognizable, just to make sure that your headers were restored to the correct location and that they are decrypting the contents of the volumes. Look for anything recognizable, such as the word NTFS or FAT32, or an embedded error message, or a block of zeros. Anything that is not total random gibberish.
     
  8. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    I tried to use GetDataBack FAT with no success.


    What do you mean by outer volume? Sorry for this noob question.

    Below is the screenshot of the disk:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Capturar3.JPG

    On my original HD (2gb), until this problem occurred, I was doing the procedure below to use it:
    Connect the HD via USB; Windows recognizes one letter and asks me to format
    I open TrueCrypt, select this partition, enter my password and mount it
    After that I was able to see all files under a new Windows drive letter.

    Below you can see the screenshots of my WinHex

    Disk opened without mounting in TC:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex1.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex2.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex3.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex4.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex5.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex6.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex7.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex8.JPG


    After I mounted the partition in TC:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex1mounted.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex2mounted.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/winhex3mounted.JPG

    How can I try to find the header in WinHex? I tried to find the way to do it in other posts, but most of the other problems are different from mine.
     
  9. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Remember that this HD (4tb) is the raw copy that I made from my original external HD (2tb).
    The original HD is in a safe location.
     
  10. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    New update:

    I tried to mount this partition with the "outer" password and it says that the password is invalid.

    I can only mount it using the "hidden" password.
     
  11. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Could it be possible that when I chose to restore the volume header, it restored only the hidden header?
     
  12. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Update:
    I read the link below:
    https://www.wilderssecurity.com/showthread.php?t=357778

    I saw that some parts of that problem are similar to mine.

    I tried to copy from 1048576 to 1248576 into a new file:

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/copy1.JPG

    And I was able to mount this file using my NORMAL password:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/copy2.JPG

    And I was able to mount this file using my HIDDEN password:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/copy3.JPG

    Remember that on the normal partition I was not able to mount using the NORMAL password, only the HIDDEN password.
     
  13. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It's looking very hopeful! You've already done most of my work for me, and I appreciate that, as I have very little free time right now.

    Mount the 200 KB test file using the Normal password, then use WinHex to examine its contents. You will hopefully see some boot sector code right at the beginning of the volume, followed by a variety of non-random data, possibly some large blocks of zeros, etc. Maybe you will even see a file name or two.

    If you see anything like that then this confirms that you have found the correct starting point for the outer volume. You can now proceed to save your entire volume by selecting a large-enough block in WinHex and saving the entire lost partition as a file.

    When you save the outer volume you will also be saving the hidden volume (as it is stored within) and afterwards it should work. Hopefully the hidden volume's contents will be intact, but this depends upon whether or not that portion of the partition was overwritten during the accident.
     
  15. kalashbr

    kalashbr Registered Member

    Joined:
    Feb 22, 2014
    Posts:
    12
    Hi Dantz,

    Thanks for your help.

    I saved from 1048576 to 1253376 and the size of the file was 201kb:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar.JPG

    I mounted it using the outer password and it took a little time, and I saw that the file size increased to 3gb. Is this normal? You can see the size in the picture below:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar1.JPG

    I opened it in WinHex and was able to see some information like: NTFS.... A disk read error occurred BOOTMGR is compressed Press Ctrl+Alt+Del to restart... Bootmgr...
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar2.JPG

    After that I could see random characters:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar3.JPG

    And after offset 4128, the random characters finished and 0000000.... started:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar4.JPG

    And at offset 11264 I could see the name FILE0:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar5.JPG


    And at offset 12352 I could see some characters, but not random:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar6.JPG

    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar7.JPG

    And at offset 73728 / 73744 random characters start:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar8.JPG

    After some lines I could see only UNREADABLESECTOR, which continues for the rest of the file:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar9.JPG

    When I mount this test file using my hidden password I can see only UNREADABLESECTOR.

    What would be my next step?

    I need to save a new file from 1048576 to what?

    After I save this file, what would I need to do to see my hidden files? All the files are in the hidden partition; in the outer partition I put only about 5 pictures to test it.

    I made a new test file, from 1048576 to 80001048576, with a total size of 74,5gb.
    I mounted the outer volume and opened it in WinHex, and some errors appear, along with NTFS and other information:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar10.JPG

    I mounted the hidden volume and opened it in WinHex and could see only random characters and UNREADABLESECTOR:
    https://dl.dropboxusercontent.com/u/96804187/truecrypt/Nova%20pasta/Capturar11.JPG
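
The check discussed in the thread (looking in a mounted volume or carved test file for an NTFS boot sector, `FILE0` records, blocks of zeros, or anything that is not random gibberish) can be scripted instead of eyeballed in a hex editor. This is an added example, not part of any post; the function names, the 7.0 bits/byte entropy threshold and the sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits near the maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify(sector: bytes, index: int) -> str:
    if index == 0 and sector[3:11] == b"NTFS    " and sector[510:] == b"\x55\xaa":
        return "ntfs-boot"       # OEM ID plus boot signature
    if sector[:4] == b"FILE":
        return "mft-record"      # shows as "FILE0" in a hex editor
    if not any(sector):
        return "zeros"
    # Assumed threshold: 512 random bytes measure about 7.5 bits/byte.
    return "random" if entropy(sector) > 7.0 else "structured"

def scan(image: bytes) -> list:
    """Return [(byte_offset, label)] runs, merging equal neighbours."""
    runs = []
    for off in range(0, len(image) - len(image) % SECTOR, SECTOR):
        label = classify(image[off:off + SECTOR], off // SECTOR)
        if not runs or runs[-1][1] != label:
            runs.append((off, label))
    return runs

def looks_decrypted(image: bytes) -> bool:
    """True if anything other than random-looking data is present."""
    return any(label != "random" for _, label in scan(image))

# Constructed sample data (not taken from the thread's disk).
def _noise(n: int) -> bytes:
    return hashlib.shake_256(b"constructed sample").digest(n)

BOOT = (b"\xeb\x52\x90NTFS    ").ljust(510, b"\x00") + b"\x55\xaa"
MFT = b"FILE0\x00".ljust(SECTOR, b"\x00")
GOOD = BOOT + bytes(2 * SECTOR) + MFT + _noise(2 * SECTOR)  # recognizable start
BAD = _noise(6 * SECTOR)                                    # all gibberish

if __name__ == "__main__":
    for name, img in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, looks_decrypted(img), scan(img))
```

To use it on real data, read the first few megabytes of the mounted volume or carved file (from the copy, not the original disk) and pass the bytes to `scan`.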
     