TrueCrypt Hidden Volume Lost upon installing Windows 8

Discussion in 'encryption problems' started by Modar, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. Modar

    Modar Registered Member

    Joined:
    Apr 16, 2014
    Posts:
    3
    Location:
    Damascus, Syria
    Hello, forum, and especially dantz. My name is Modar and I'm from Syria. I had a problem with TrueCrypt and googling led me here. I read a bunch of threads, but none of them was actually the same case that happened to me.

    I stored about 100 GB of very sensitive information on a friend's 1 TB WD hard disk. I made a 200 GB volume, did not assign a letter to it, then encrypted the whole partition with TrueCrypt.

    Now, what happened was that my friend's brother installed Windows 8 (replacing Windows 7), and the invisible partition that I created magically came to life. There were three partitions before (C, D, E) plus my hidden partition, but now there are four. And by calculating the sizes of the partitions, they all add up to almost 930 GB, which is the entire hard disk capacity.

    Now, I don't know if the guy who installed Windows 8 actually did anything other than installing the system, but it seems that he didn't. The new partition now contains about 5 GB of information.

    I can't really remember the specific size of the partition I made, and I can't post photos now, but to summarize: I tried mounting the last two partitions with TC and got two different errors. One was that this is a wrong password or not a TC volume; the other was that it was trying to mount, but some of the files were in use and I had to close all software, anti-virus, etc.

    My questions, and I am in desperate need of help and answers (dantz, if you have the time; 30 minutes are more than enough):

    - Where do you think my partition went?
    - If we assume that my volume is the new partition that appeared in Windows, what's the best way to approach it? Do I delete the partition and try to restore it?
    - Do I use WinHex (I have the pro version) to check for the TC header, and then start from there?
    - How can I create a TC rescue disk, and will that help me now?

    I can take photos of the errors I'm getting in TC tomorrow, but for now I was just hoping for an analysis of my problem and the best way to approach it. I was going to try to restore my partition, but I read that failed attempts might result in losing the data, so I chose to wait for your opinion.

    I really need the help very soon, you know the situation in Syria. The data on that volume is very sensitive and I need to restore it as soon as possible.

    Thanks a lot in advance, I'll be online as long as I can to answer any questions.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    > Where do you think my partition went?

    It might be the same one that now appears to be formatted, or it might have been partially overwritten by the current partition. We'll see.

    > Do I delete the partition and try to restore it?

    Don't delete it. How large is the new partition? Is it 200GB, or is it some other size? It would be nice if it was 200GB, as this would imply that Windows used the same starting and ending offsets.

    > Do I use WinHex (I have the pro version) to check for the TC header, and then start from there?

    Not yet. The first thing to try is to see if TrueCrypt can find the embedded backup header (details below).

    > How can I create a TC rescue disk, and will that help me now?

    The rescue disk is only used with computers that have an encrypted operating system. It cannot help you in this situation.

    > I read that failed attempts might result in losing the data

    It's true that you can make things worse by trying the wrong things. If the data is important then I usually recommend that users make a complete sector-by-sector backup before they attempt any sort of repairs.

    > you know the situation in Syria. The data on that volume is very sensitive

    We need to leave politics completely out of this. I don't know what sort of data you have stored on your disk and I absolutely don't want to know. Please do not make any further references to the nature of your data. I almost decided not to respond to your post because of this.

    Installing Windows 8, formatting a previously encrypted partition and then copying 5GB of data onto it would be very bad for an encrypted partition. It would certainly overwrite your TrueCrypt volume header, and you would also lose some or even all of your data, depending on whether it was a "quick" format (which is the default, I believe) or a "full" format. (A quick format merely writes a new file system onto the partition but does not overwrite most of the existing data, but a full format writes zeros to the entire partition, wiping everything.)

    You will have to hope that a quick format was performed and that your volume's embedded backup header has survived. Since it is stored at the opposite end of the partition and we only need the header's first 512 bytes, it might still be recoverable.

    Before you begin you should make a copy of the 5GB of data that was added to the partition (if you want to keep it, that is). Also, be careful not to write any new data to the partition.

    The first thing to try is to select the partition in TrueCrypt (via "Select Device"), select a free drive letter, and try using the embedded backup header to mount the volume (Mount > Mount Options > "Use backup header embedded in volume if available").

    You can ignore any prompts that say "volume in use" or similar. Just say OK or whatever you need to say in order to make the message go away, and continue. When you do this are you able to mount the volume, or do you get the "incorrect password etc." prompt?

    If you can't get past the "incorrect password" prompt then the next step will involve examining the partition using WinHex to see if we can find the 200GB contiguous block of random (encrypted) data that used to be your partition. However, the block may not be fully contiguous anymore, as it has probably had various file system components written onto it.
     
  3. Modar

    Modar Registered Member

    Joined:
    Apr 16, 2014
    Posts:
    3
    Location:
    Damascus, Syria
    First of all, thank you so much for the quick reply. It means so much to me. Of course, I would never talk about politics in a forum that's not meant for that purpose, nor would I talk about the nature of my data. What I said was merely to emphasize how important the data is to me, so you can know that I need to handle this as carefully as possible. Sorry about that.

    Anyway,

    > How large is the new partition? Is it 200GB, or is it some other size?

    Yes, it's 200GB. But I cannot remember the specific size of my partition, as I made it about 2 months ago.

    > I usually recommend that users make a complete sector-by-sector backup before they attempt any sort of repairs.

    Will I need a 1TB external hard disk to do this? (The hard disk is 1TB, as I mentioned.) Or will I need just the amount of data that's currently written on the hard disk (about 300GB + my invisible 200GB partition)? It might be an issue to get a 1TB external hard disk now. Also, will you kindly advise me on the best way to do this?

    > Before you begin you should make a copy of the 5GB of data that was added to the partition

    Will do.

    > When you do this are you able to mount the volume, or do you get the "incorrect password etc." prompt?

    OK. But what if I get an error other than "incorrect password or not a TrueCrypt volume"? What could that mean? Unfortunately I won't have an internet connection while doing all this, so I kind of want to be prepared for all possibilities. You can explain briefly, if you don't have enough time.

    Also, what if my partition is now split into parts, one in the E partition and the other in the F (new) partition? What's the best way to approach this?

    > the next step will involve examining the partition using WinHex

    Can you kindly refer me to previous threads on this forum or elsewhere about this step? I want to have an idea of how it works, and how I can identify the header and/or my partition inside the hard disk.

    Thanks again!
     
  4. Modar

    Modar Registered Member

    Joined:
    Apr 16, 2014
    Posts:
    3
    Location:
    Damascus, Syria
    One other thing. I'm doing a little experiment here, on my laptop's hard disk. I made a 2GB TrueCrypt volume, saved 1GB of data inside, and dismounted it. I then formatted this partition using the quick format. Now the partition is visible, but, of course, empty. I mounted the volume in the basic way and got the password error. I then tried to mount the volume using TrueCrypt with the option "Use backup header embedded in volume if available". It was mounted successfully, but when I tried to open it, I got an error that said: "You need to format this disk before using it, etc." When I cancel, I get an error that says: "J:\ is not accessible. The volume does not contain a recognizable file system. Please make sure, etc."

    Pic1: http://i.imgur.com/QvGwwo0.png
    Pic2: http://i.imgur.com/o2j2OHm.png

    Is this what I should get when I try it? If so, what's the next step? Do I format it, or use the "check file system" and "repair filesystem" options in TC?

    Thank you so much, again, and really sorry for flooding you with questions.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, that's what will normally happen if the header (or the embedded backup header) is still good but the volume itself has a damaged file system. At this point the next step would be to use data-recovery software to look for any surviving data that might still exist within the volume.

    Do not format the volume or try to run any repair options such as check disk (which is what TrueCrypt will run if you select those options). Those actions will write to the volume and might overwrite more of your data. It's far safer to use data-recovery software first, as this will generally run in read-only mode and will not harm the damaged volume any further.

    You can make a complete sector-by-sector clone of the disk and then try running various repair procedures on the clone if you like, as you will not be risking your original copy of the data. Many different imaging programs are capable of making a sector-by-sector clone of a disk.

    And yes, your target disk will need to be as large as or larger than your current disk, as nothing will be left out. The clone skips nothing; it's necessary to do it this way because whatever data still resides on the disk is no longer supported by a file system, and thus it can be considered to be in either free space or unallocated space.

    If your lost partition happens to span multiple existing partitions or does not use the same starting and ending offsets as your existing 200 GB partition then you will have to find it by searching for it manually, for example, by using a hex editor, but it's often a laborious job. More on that later, but basically you begin by using a hex editor to look for a huge block of pure random data in the expected location, and then you try to find the exact endpoints of the block, then you try to locate and test the headers, if they are still good. There are various complications.

    You can also try to find the lost headers programmatically. There is a program on SourceForge called TestCrypt that has been designed to do this type of thing, but I have not yet personally tested it. (I'm rather careful with my computer, so I don't download or run unknown software. I won't get a chance to try out this program until I have enough free time to clone my system onto a spare disk, test the program, and then wipe the disk afterwards.)

    Sorry I did not answer all of your questions. I'm quite busy right now but I will post back with more information when I get some more time.

    edit:
    PS: WinHex can make a sector-by-sector clone or image via the "clone disk" command.
     
    Last edited: Apr 18, 2014
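The manual search dantz describes in post #5 (find the big contiguous block of random data, pin down its endpoints, then test the header locations) and the header layout he relies on in post #2 (the backup header at the far end of the volume, of which only the first 512 bytes matter) can be scripted. What follows is an added example written for this page; it is not code from the thread, from dantz, or from TrueCrypt, and it has not been used on the disk discussed here. It opens a raw sector-by-sector image read-only, so it is meant to be run against the clone dantz recommends making first. Everything it assumes is an assumption of this example, not something the thread states: the TrueCrypt 6+ volume layout (volume header at offset 0, hidden-volume header at 64 KiB, backup copies of both in the last 128 KiB of the volume); that 64 KiB of ciphertext scores above 7.9 bits/byte of Shannon entropy while quick-format metadata such as an NTFS boot sector scores far lower; and the edge heuristic that non-zero, low-entropy sectors touching a random run (the boot sector and backup boot sector a quick format writes at the partition's first and last sector) belong to the volume. The sample image it builds is constructed, not real disk data.

```python
"""Find a lost TrueCrypt partition in a raw disk image by entropy scanning.
Added example for this thread, not code from the forum or from TrueCrypt.
The image is only ever read.  Header offsets assume the TrueCrypt 6+ layout
(volume header at 0, hidden-volume header at 64 KiB, backup copies of both in
the last 128 KiB); the thresholds and the edge heuristic are assumptions."""
import math, mmap, os, sys
from collections import Counter

SECTOR = 512
CHUNK = 64 * 1024      # coarse scan granularity
CHUNK_RANDOM = 7.9     # bits/byte; 64 KiB of XTS ciphertext scores about 7.997
SECTOR_RANDOM = 6.5    # 512 random bytes score about 7.5; boot code/text 4-6; zeros 0
MAX_GAP_CHUNKS = 8     # low-entropy islands up to 512 KiB inside a run are bridged
EDGE_EXTEND = 32       # at most 16 KiB of non-zero structure is counted at each edge
HEADER_OFFSETS = {"volume header": 0, "hidden volume header": 65536,        # from start
                  "backup header": -131072, "hidden backup header": -65536}  # from end

def entropy(buf):
    """Shannon entropy of buf in bits per byte (0.0 for an empty buffer)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def classify(sector):
    """'zeros', 'random' (may still be ciphertext) or 'structured' (overwritten)."""
    if not any(sector):
        return "zeros"
    return "random" if entropy(sector) >= SECTOR_RANDOM else "structured"

def coarse_runs(image):
    """Yield (first_chunk, last_chunk) of high-entropy runs, bridging small gaps."""
    start = last = None
    for idx in range((len(image) + CHUNK - 1) // CHUNK):
        if entropy(image[idx * CHUNK:(idx + 1) * CHUNK]) >= CHUNK_RANDOM:
            start, last = (idx if start is None else start), idx
        elif start is not None and idx - last > MAX_GAP_CHUNKS:
            yield start, last
            start = last = None
    if start is not None:
        yield start, last

def push_edge(image, edge, direction):
    """Move a run edge outward sector by sector (-1 lowers the start, +1 raises the
    exclusive end): across random sectors, then across at most EDGE_EXTEND structured
    sectors (a quick format's boot sectors lie inside the partition), stopping at
    zeroed space.  Returns (edge of the random data, edge of the presumed volume)."""
    def kind(e):
        off = e - SECTOR if direction < 0 else e      # the sector just beyond the edge
        if off < 0 or off + SECTOR > len(image):
            return "end of image"
        return classify(image[off:off + SECTOR])
    while kind(edge) == "random":
        edge += direction * SECTOR
    random_edge = edge
    for _ in range(EDGE_EXTEND):
        if kind(edge) != "structured":
            break
        edge += direction * SECTOR
    return random_edge, edge

def find_volumes(image, min_chunks=4):
    """Candidate lost volumes: sector-precise extents plus the state of the 512-byte
    sector at each offset where TrueCrypt would keep a header copy."""
    found = []
    for first, last in coarse_runs(image):
        if last - first + 1 < min_chunks:
            continue
        random_start, vol_start = push_edge(image, first * CHUNK, -1)
        random_end, vol_end = push_edge(image, (last + 1) * CHUNK, +1)
        headers = {}
        for name, rel in HEADER_OFFSETS.items():
            off = vol_start + rel if rel >= 0 else vol_end + rel
            inside = vol_start <= off and off + SECTOR <= vol_end
            headers[name] = (off, classify(image[off:off + SECTOR]) if inside else "outside run")
        found.append({"random_start": random_start, "random_end": random_end,
                      "volume_start": vol_start, "volume_end": vol_end,
                      "size": vol_end - vol_start, "headers": headers})
    return found

def build_sample_image():
    """Constructed 3 MiB image (not real disk data): a 2 MiB random 'volume' at
    300 KiB that was quick-formatted afterwards (8 KiB boot block at its start, a
    64 KiB 0xFF island in the middle, backup boot sector in its last sector), plus
    a 128 KiB random decoy that is too small to be the volume."""
    start, size = 300 * 1024, 2 * 1024 * 1024
    img = bytearray(3 * 1024 * 1024)
    img[start:start + size] = os.urandom(size)
    boot = b"\xebR\x90NTFS    " + bytes(SECTOR - 11)
    img[start:start + SECTOR] = boot
    img[start + SECTOR:start + 8192] = (b"A disk read error occurred\r\n" * 300)[:8192 - SECTOR]
    island = start + 1024 * 1024 + 1000
    img[island:island + 65536] = b"\xff" * 65536
    img[start + size - SECTOR:start + size] = boot
    img[46 * CHUNK:48 * CHUNK] = os.urandom(2 * CHUNK)
    return bytes(img)

def report(image, min_chunks):
    for v in find_volumes(image, min_chunks):
        print(f"candidate volume {v['volume_start']:#x}-{v['volume_end']:#x} "
              f"({v['size'] / 2**30:.3f} GiB); random data "
              f"{v['random_start']:#x}-{v['random_end']:#x}")
        for name, (off, state) in v["headers"].items():
            print(f"  {name:21s} @ {off:#x}: {state}")

if __name__ == "__main__":
    if len(sys.argv) > 1:    # scan a real image read-only; report runs of 256 MiB and up
        with open(sys.argv[1], "rb") as f, \
             mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
            report(image, min_chunks=4096)
    else:                    # no argument: scan the constructed sample image
        report(build_sample_image(), min_chunks=4)
```

Run it with the path of the cloned image to scan that image; with no argument it scans the built-in sample. A "structured" state at the volume header offset together with "random" at the backup header offset is exactly the quick-format situation dantz describes in post #2: the primary header is gone, the backup copy at the far end may still be intact. If the reported volume bounds do not match any current partition, the byte range from volume start to volume end can be extracted to a file with a hex editor and opened by TrueCrypt as a file container using the embedded backup header, since header offsets are relative to the volume's own start and end. Two caveats: compressed files (ZIP, JPEG, video) also score above 7.9 bits/byte, so the reported size is the check that a run really is the roughly 200 GB volume rather than a folder of archives; and gap bridging can glue a neighbouring high-entropy region onto the run, so lower MAX_GAP_CHUNKS if the reported extent is larger than expected. In pure Python a 1 TB image takes hours to scan; narrow the image to the disk region in question or raise CHUNK.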