Truecrypt - How to find volume header manually?

Discussion in 'encryption problems' started by slowmoe11, Aug 21, 2014.

Thread Status:
Not open for further replies.
  1. slowmoe11

    slowmoe11 Registered Member

    Joined:
    Aug 21, 2014
    Posts:
    4
    Hi all,

    i assume I have screwed up my Truecrypt disk. I once encrypted the whole drive and everything worked fine. A few month ago i accidentially deleted the partition and I coundn't mount the disk ("Incorrect password..."). In a panic reaction tried to repair it on my own and probably did it worse. Bad thing: I can't even remember what I did. Now I am trying do repair it with research, but got stuck. I hope you can help me...

    It's an internal 250GB IDE HD
    Winhex disk specifications: http://imgur.com/kKne0vs
    Disk in TC: http://imgur.com/sBySk38 (no partition, just the drive)
    Windows disk management utility: http://imgur.com/oiN7g4D (not allocated)

    What I have done unitil now:
    1. Created a Winhex backup of the drive
    2. Tried this: https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/#post-2149666
    BUT: I created a testfile (Beginning = 1048576 ; End = 3145727), but wasn't able to mount it ("Incorrect password..."). My conclusion: The partition header is either not there or completly wasted.

    What can I do now?
    Can TestDisk help to search for the header (http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume)

    Kind regards
     
  2. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    There's a program called testcrypt that will search the drive for a truecrypt header, give it a shot.
    Testdisk won't be able to help you - here's a quote from a moderator there concerning my own post "Truecrypt encrypts each sector, even a boot sector etc..
    So TestDisk doesn't recognize this partition, because it's not standard like FAT or NTFS."

    There are apparently some tedious methods one can use to manually find the header also, if it exists - during my readings on the forum here i've come across people salvaging their truecrypt volumes by all sorts of strange means..

    good luck *puppy*
     
  3. slowmoe11

    slowmoe11 Registered Member

    Joined:
    Aug 21, 2014
    Posts:
    4
    Hi there,

    tried it. Didn't found any headers. I choose "Automatic" for the begin and end of the volume. Does it help if I use any specific sectors?

    I discoverd something using winhex. Nearly at the beginng of the disk (300-380) I found some readable text:
    "Invalid partition table Error loading operating system Missing sytem"
    After that text there are many 00 entries until "55 AA" in byte 511.
    http://imgur.com/gzTA3Q8

    I read in one post of dantz that that is the and of the partition table (https://www.wilderssecurity.com/threads/accidentally-deleted-truecrypt-partition.357892/#post-2325472)

    Is that good or bad?

    Kind regards
     
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    I've always used automatic, I'm not sure about specifying other parameters, you'll have to ask someone else, but i'm sure the option's there for a reason. Did you boot an operating system from the volume? If not, it's not really good that there's readable text in the hex-viewer, it sounds as though windows wrote some data to the drive, which is what corrupted the volume ( a common occurrence).

    did you try mounting the volume with the embedded backup header?
     
  5. slowmoe11

    slowmoe11 Registered Member

    Joined:
    Aug 21, 2014
    Posts:
    4
    Nope.

    I am not sure what you mean.
    I tried to restore the Volume Header from the disk using truecrypt but he tells me "incorrect password or not a truecrypt volume"
    Mounting the disk has the same effect.
     
  6. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    When you go to mount the volume, when it asks for the password, did you click 'mount options' then tick 'use backup header embedded in volume if available' ?
     
  7. slowmoe11

    slowmoe11 Registered Member

    Joined:
    Aug 21, 2014
    Posts:
    4
    Oh this. Same effect -> "incorrect password or not a truecrypt volume"
     
  8. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    that's about as far as I know how to take it but I know there are other ways to possibly salvage the header - maybe some of the other guys here can help you out - good luck :thumb:
     
Loading...
Thread Status:
Not open for further replies.