Truecrypt Missing Partition Table

Discussion in 'encryption problems' started by InterestedParty, Nov 26, 2012.

  1. InterestedParty

    InterestedParty Registered Member

    Joined:
    Nov 26, 2012
    Posts:
    10
    Hi all,

    So this seems to be the place to find Truecrypt info/advice. I've read nearly every other thread on here relating to these problems so I'm hoping to get some specific help to the issue I have.

    So here it is:

    I have 2 external 1.5TB HDD connected via USB. These have worked fine in the past but suddenly the other day the partitions stopped showing up in Truecrypt when trying to mount.

    http://i.imgur.com/jxy6f.png

    When I select Harddisk 3 (Since \Device\Harddisk3\Partition1 no longer appears) I am prompted for a password as usual, I enter the pass and the drive mounts.

    http://i.imgur.com/f1eiH.png

    As you can see the drive mounts even though it's the RAW partition rather than the TrueCrypt Volume. Based off my reading and the fact that it accepts the password makes me believe the header is intact and the partition table is missing/damaged?

    Also note that P: in the above picture is an internal drive that was setup at the same time as the other 2 external drives which is functioning correctly.

    So I fired up WinHex and found the following based on another 'Dantz' post.

    Actual Size WinHex = 1,500,299,395,072
    Actual Size TC = 1,500,298,084,352
    Total TC Size + Four Headers = 1,500,298,346,496

    That should mean: Expected Offset = 1048576

    Both drives appear in WinHex fairly identical.
    Both have data from 0 to 1F0
    Both then show 0s until
    Actual Offset in WinHex = 100000

    http://i.imgur.com/Uk6HC.png

    AND

    http://i.imgur.com/yMy1j.png

    So I am now unsure how to proceed and if I can administer a fix on the drives from here. Hopefully someone can provide guidance :)

    Thanks in advance!
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's the first sector. This usually contains the MBR, the partition table etc., but in your case I believe we're looking at the first sector of a TrueCrypt header.
    The offset is displaying as 100000 (hex) because your offset column is currently in hex mode. Click once in the offset column to switch to Decimal mode. The offset should now display as 1048576 (decimal).

    I'm going to re-check your math etc. before going much farther, but so far it looks good. The only part I don't understand is why you are able to mount your volume at all if your original partition definition is missing.

    When you encrypt a partition, TrueCrypt's header begins in the first sector of the partition, and that's where TC looks for it every time you try to mount that volume. If the partition table is gone then you can't even select the partition and TC has no way of finding its header, even though it might be sitting right there on the drive (in your case most likely at offset 1048576 decimal, the standard location for a partition created by Windows 7.)

    If instead you attempt to mount the entire drive, which is what you've been doing, TrueCrypt looks for its header in the first sector of the drive, and in your case it seems to be finding it. Why is this? There wouldn't normally be a TrueCrypt header at that location. Did you restore your header from a backup after the partition was lost? That would do it.

    Aside from that little uncertainty, so far your situation appears to be fairly typical, and most likely all you have to do is restore the default partition. However, be warned that Windows 7 (is that what you're using?) has a nasty habit of zeroing out the first sector when it creates a new, unformatted partition, and this will wipe your TrueCrypt header. You need to back that sector up before going any further! I'll post the details in a little while. I'm revising them from some of my previous posts.
     
  3. InterestedParty

    I am at work but will check this and post an update as soon as I am home.

    I found this strange too. Perhaps my use of terminology is confusing things but as you can see in the images it will let me mount the whole RAW drive without the TC partition showing in that menu.

    I did try restoring the header from the backup contained in the volume.

    Also if it makes a difference I think I encrypted the whole drives rather than creating a volume on them (I could be mistaken though.) Actually I'm fairly certain as I formatted the drive through the TrueCrypt Wizard.

    I am using Win7 so I will backup those headers as soon as I get home.

    Thanks for your response Dantz. You are a scholar and a saint :)
     
  4. dantz

    The partition header is inaccessible at the moment, so you can't back it up using TrueCrypt. If you do back up a header, you'll be backing up the header which is located at the beginning of the disk, which may or may not be the one you need. I'd just leave it all alone at this point. The procedure that I'm going to post will give you a way to back up the partition header and test it. Time to sleep now; I'll post it tomorrow.
     
  5. InterestedParty

    Thanks again, I appreciate the help.

    Also you were correct about the offset. In decimal it is located at 1048576 as expected.
     
  6. dantz

    (Note: This procedure is specific for the OP, although it can easily be adapted. Keep in mind that not all first partitions begin at decimal offset 1048576)

    Part 1 - Creating the test file:
    1) If any TrueCrypt volumes are currently mounted, dismount them.

    2) Open WinHex.

    3) To reduce the chances of screwing up the drive, click Options: Edit Mode and ensure that you are in Read-Only mode.

    4) Click Tools: Open Disk and select the correct disk under Physical Media

    5) Click once in the Offsets column to switch to Decimal mode (if you're not already in that mode). To the right of the Offset column, the top row of address should change from "0 1 2 3 4 5 6 7 8 9 A B C D E F" to "0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15". (It's a toggle, so you can click the offset column again to switch back if desired.)

    6) Edit; Define Block; Beginning = 1048576 [Beginning of block]; End = 3145727 [End of block]; OK

    (The block includes the potential header plus almost 2 MB of adjacent data. The test file will be exactly 2MB in size. This should include enough data to determine whether or not it is decrypting properly. However, if you are using the evaluation copy of WinHex then you are limited to creating files no larger than 200KB. In that case make the end number 1248576. It should still work.)

    7) Edit; Copy Block; Into New File. At this point, select a folder on a different drive or partition and enter a filename such as "1048576 test.tc", then click Save. (The .tc extension is merely for convenience in mounting the volume.)

    8) Notice that the newly created file appeared in a new tab or window in WinHex. Right click on the tab and select Close, then exit WinHex.

    Part 2 - Testing the file to see if the header is present, intact and accepts your password:
    1) Open TrueCrypt; click on a free drive letter; Select File; specify the file "1048576 test.tc" (or whatever you called it); click on Mount; enter the password for the lost partition; and click OK.

    (For many installations of TrueCrypt you can just double-click on the test file in order to mount it. This assumes that you allowed TrueCrypt to set the file association for the .tc extension).

    2) If your TC header is present at the beginning of the test file and it is still intact and you enter the correct password then your password should be accepted and the volume will mount to the drive letter that you specified earlier. If this works then you've located the intact header. Hooray! If not then you will see the "Incorrect password or not a TC volume" error message.

    3) In the TC main screen, click on Volume Properties and write down the exact Size of the volume in bytes. This will help in determining the exact size of the lost partition. However, don't bother trying to view the volume's contents using Windows Explorer, as it does not contain a complete file system. Windows will merely suggest formatting the volume (don't do this!)

    Part 3 - Checking to see if the data in your mounted test volume is decrypting. (If the header is located the wrong distance from its data then the volume will still mount, but the data will not decrypt).
    1) While the test volume is still mounted, open WinHex.

    2) If the tab is still open from the previous session, right-click on it and select Close

    3) In WinHex, select Tools: Open Disk, then select your mounted TrueCrypt test volume from the list of Logical Drive Letters, using whatever drive letter you have mounted the volume to.

    4) Click on View: Text Only (to make it easier to identify any non-random data that may be present.)

    5) If this test fails then you will see only random data with no pattern whatsoever. However, if your data is being decrypted then you will almost certainly see some identifiable plaintext here and there, although it's usually mixed in with a lot of unintelligible data. You will often find something obvious right there in the first sector, but if not then scroll down while looking for words, strings of zeros or empty space, or other patterns of any sort. Anything at all that's not random. ABCDEFG, aaaaaaaaa, 0000000000, the word 'file' or 'error' or 'invalid', obvious phrases, anything like that. Finding just one or two words or any obvious pattern is adequate proof of decryption, as these things are very unlikely to occur in random data.

    6) When you're done inspecting the test volume's contents, open View and uncheck Text Only, then right-click on the open tab and close it, then close WinHex. If your test volume passed both tests then go on to the next step.

    Part 4 - Back up the test volume's headers (in preparation for recovering the lost partition):
    1) Open TrueCrypt

    2) If the test volume is still mounted then dismount it

    3) Click on Select File, then find the test file, select it and click Open. (It's probably already selected)

    4) Click on Volume Tools; Backup Volume Header

    5) Enter the password and answer the prompts. When the time comes to specify Path and Filename, make it something obvious such as "TC header backup for lost partition" and click Save.

    When you get this far then let me know and we can work towards recovering your lost partition. There are several ways, and so far none of them are perfect, but it should still work.

    Note: I don't guarantee that all of the above steps are completely accurate, but I think they're mostly right. Let me know if you find any parts that don't seem to work properly.
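
Added example, not part of the original posts: the size arithmetic from the first post and the read-only block copy from Part 1 above, written as a Python script. It assumes the source is a raw image file of the disk and that the lost partition ran to the last byte of the disk; the function names are hypothetical.

```python
import os

SECTOR = 512
HEADER_AREA = 64 * 1024   # one TrueCrypt header area; the first post counts four


def expected_partition_offset(disk_size, tc_volume_size):
    """Start of the lost partition, assuming it ran to the end of the disk."""
    partition_size = tc_volume_size + 4 * HEADER_AREA
    offset = disk_size - partition_size
    if offset < 0 or offset % SECTOR:
        raise ValueError(f"implausible offset {offset}: sizes do not fit this layout")
    return offset


def block_length(begin, end_inclusive):
    """WinHex 'Define Block' takes an inclusive end offset."""
    return end_inclusive - begin + 1


def carve_block(source, begin, end_inclusive, dest, chunk=1 << 20):
    """Copy bytes [begin, end_inclusive] of source into a NEW file.

    The source is opened read-only ("rb") and the destination with "xb",
    so an existing file (including the source itself) is never overwritten.
    """
    remaining = block_length(begin, end_inclusive)
    if begin % SECTOR or remaining <= 0:
        raise ValueError("block must start on a sector boundary and be non-empty")
    written = 0
    with open(source, "rb") as src, open(dest, "xb") as out:
        src.seek(begin)
        while remaining:
            data = src.read(min(chunk, remaining))
            if not data:
                raise EOFError(f"source ended after {written} bytes")
            out.write(data)
            written += len(data)
            remaining -= len(data)
    return written


if __name__ == "__main__":
    # Sizes as posted in the thread (WinHex disk size, TrueCrypt volume size).
    offset = expected_partition_offset(1_500_299_395_072, 1_500_298_084_352)
    print("expected partition offset:", offset, hex(offset))
    # Block sizes for the full and the evaluation-copy end offsets from Part 1.
    print("full test file bytes:", block_length(offset, 3_145_727))
    print("evaluation test file bytes:", block_length(offset, 1_248_576))
```

The resulting file is then mounted and checked exactly as in Parts 2 and 3; the script only replaces the WinHex copy step.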
     
  7. InterestedParty

    Hey Dantz,

    Wow, what can I say? You really have put a lot of effort into your helping people with Truecrypt!

    So onto results...

    Part 1

    So I created 2 x test file. One for the first problem HDD and one for the second problem drive.

    First one saved to my desktop shows as being 3.00GB!
    Second one saved to my desktop shows as being 195KB!

    Part 2

    Both took quite some time (~30s - 1m) to mount after I entered the password but did so without error or complaint. Both showed 1.4TB size in TC and AES encryption.

    Here is an example of one mounted:
    http://i.imgur.com/L7kRK.png

    Part 3

    So when opening in Winhex I hit the following errors:

    http://i.imgur.com/aXr9u.png

    Once I clicked ok I got the same error again, clicked ok and could then see the drive.

    I switched to text view only mode and could see the following:

    At the top:
    http://i.imgur.com/9GMiy.png

    Sectors near the top with patterns and words:
    http://i.imgur.com/RCGmO.png

    (If it makes a difference I did used to mount this drive as P:)

    Once I got part way down the sectors I was greeted by this:
    http://i.imgur.com/u47Yq.png

    That snippet is from the last sectors in the test file.

    Part 4
    Given the above errors I did still take a copy of the headers which saved without protest from TC though I'm not sure if they will be usable given the issues we experienced.

    Summary

    It seems that some of the things went smoothly and others not so much. My TC files created by WinHex weren't 2MB and they wouldn't open without first displaying errors in WinHex. Perhaps this is due to the trial version of WinHex. If you think this is the case I will happily get a full copy to try it out.

    Again, thanks.
     
  8. dantz

    I don't see how you could have possibly created a 3GB file using the evaluation copy of WinHex, as it won't allow you to create any files larger than 200KB. Please double-check the size of the unmounted file.

    The second one is correct.

    They should have mounted immediately. I suspect problems with your system. Do you have a lot of other stuff running? Is your system short on RAM? Buggy software? Malware? All possibilities.

    The strange WinHex error messages are ok and are even expected. I should have added them to my instructions. The error messages are due to TrueCrypt reporting the wrong volume size to WinHex. WinHex allows it, but it can tell that the numbers don't actually match up. WinHex also discovers that the file system is broken (because the test file contains just a tiny portion of the actual volume that you're trying to rescue). And when you scroll past the actual data into the 'imaginary' data it displays "unreadable sector" errors. This is all normal for the situation.

    No need, you're good, and all of the screens you posted are normal for the situation. Both of your headers worked, and both of your test volumes are decrypting. Fabulous! There's still a question about the size of the first test file and how that even happened, but it doesn't really matter aside from the inconvenience. I'm more concerned about the slow mounting times, but we should still be able to save your data. Your backup headers are probably good, as I've never heard of TrueCrypt creating bad ones.

    Now we have to decide which approach we want to take to recover your volumes. Our choices are either to restore the original partition tables (or as close as we can get it) using a variety of methods, or use a registered copy of WinHex to copy off the entire huge blocks of data and save them as files. There is also the question of backups. I normally recommend backing up the entire drive before going forward, but it's up to you. Recreating the partition table hardly writes anything to the drive, as long as you are careful not to format it. It often wipes the encryption headers, but we can restore those from your header backups. (Don't mix them up, by the way! Make sure you know which header backup is which.)
     
    Last edited: Nov 28, 2012
  9. InterestedParty

    I think I can explain away the 3GB WinHex file but here might not be the place so let's just assume it did the right thing then :)

    With the mounting times I will try again after a reboot but I suspect that my RAM or Mobo are on their way out so I will be replacing all of it fairly soon.

    So for recovery on the 2 drives I have one chock full of important stuff that I will back up and one with just a few things on it that aren't a real big issue should they be lost (Though of course it would be nice to get them back). I will use the second drive as my experimental one for the recovery process. We can iron out our bugs on that!

    I've given the headers unique names so they aren't mixed up. I am happy to proceed with either method that you wish to use.
     
  10. dantz

    OK, before we go any further, a little information. Did you partition the drives yourself using Windows 7, or did they come that way? Also, is there anything 'unusual' about your system that might make a difference here? Sorry for asking such a vague question, but hopefully you know what I mean.

    I'm also still wondering what you did to lose both partitions. Do you have any explanation?

    Anyway, my current method for fixing this problem is embarrassingly crude, but it seems to work. I'm sure there are better ways to do this. I've tried DiskPart and TestDisk and even WinHex, and they can all do it, but each has its drawbacks. I could play around with other programs until I find something that works better, but I don't have the time right now. So, the simplest approach is merely to use Windows 7's disk management console to recreate the default partition (which is very close to what you have), being careful not to format it, and then use TrueCrypt to restore the volume header (from your header backup file) to the new partition.

    Apparently you are running Windows 7? If so I have a procedure you can follow, but I'll wait to hear back from you before I post it, in case you have any new information.
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    dantz, If you're not careful you're going to blow your cover.

    (Just kidding!)

    Just wanted to pop in and say how lucky Wilders is to have you participating here. You amaze me at what you've soaked up of Truecrypt. I use it everyday and think I know a lot - until I read one of your posts and I'll learn something new, and the way you go to such great lengths to help people - you're top-notch.
     
  12. InterestedParty

    Hey Dantz,

    I've noticed some strange issues on this PC and had trouble with some things recently. What I might do is connect the HDDs to my laptop which is more reliable and perform the recovery there (Unless of course this will prevent it working as it's not on the PC where the corruption/loss occurred).

    Running Win 7, drives were formatted through Truecrypt which I assume probably uses Win 7 to format anyway?

    Ready to go :)
     
  13. dantz

    Thanks, LockBox, I appreciate that.
     
  14. dantz

    OK, give this a try, but be careful. If anything seems to be going wrong then cancel out if possible and post back.

    In Windows 7, go into Computer Management / Disk Management.

    In the lower section of the screen, click on the disk that we want to work on. It should be listed as "unallocated" and should have the expected size. It should also be numbered Disk 1 or higher, based on how many other disks are installed/connected.

    Right click inside the disk display (should say 'Unallocated') and choose New Simple Volume. (If it doesn't say unallocated, stop! You might have the wrong disk.)

    Use the Simple Volume wizard. Accept the default Volume Size, which will fill as much of the drive as possible. Click Next.

    Select "Do not assign a drive letter or path" (not that it matters that much, but since this will be a TrueCrypt partition, you don't need one). Click Next.

    Select "Do not format this volume". (Be really careful to get this step right.) Click Next.

    Read the summary screen, make sure it's right, then click Finish.

    You should now have a healthy RAW drive with a Primary Partition. That's most of it. Close Disk Management.

    Here comes the crude part: When you follow the above procedure, for some godawful reason Windows 7 zeroes out the first sector of the partition, which is where the most crucial portion of the TrueCrypt header is stored. So you have to restore the TrueCrypt header to the partition by using your header backup file. It's kind of a shame, because the correct header is already on the disk and we shouldn't have to do this. Maybe some other tool could do this job better. I know TestDisk can do it without disturbing the existing header, but it's so technical that I don't want to walk you through it, plus I might make a wrong assumption about something and end up making things worse.

    So close Disk Management, open TrueCrypt, click on "Select Device", select the newly created partition (be very careful to select the correct partition), click on "Volume Tools", choose "Restore Volume Header", choose "From an External Backup File", then point to the correct backup file and follow the rest of the screens. This ought to work, although I can't make any guarantees. (Ideally you should have a full backup of the disk to fall back on if necessary.)

    Once you recreate the partition and restore the TrueCrypt header, everything should work normally. Try it! Well, almost everything. TrueCrypt's embedded backup header might not work anymore, because the partition's end boundary will probably be different, and TrueCrypt uses it to find its embedded backup header.

    So, after you have confirmed that you can access your encrypted files in the usual manner, please perform a test of the embedded backup header: After selecting the device and clicking on "Mount", choose "Mount Options" then select "Use backup header embedded in volume if available" and see if it works. Let me know, ok?

    The prudent approach at this point would be to make a full backup of your data onto another disk, because you might not be so lucky the next time. There's still the question of how you lost those two partitions in the first place. Could it happen again?

    Anyway, I hope this works. Good luck!

    (edit: typos)
     
    Last edited: Nov 30, 2012
  15. InterestedParty

    Hey Dantz,

    I went to do these instructions however get stuck early on. I opened Disk Management. Located the drive I wanted to work on however when I right click the unallocated disk 'New Simple Volume' is greyed out :(

    The disk does come up asking to be initialized when disk management opens however that formats the disk and is undesirable right?

    Did the same thing for both disks. I tried one on my laptop and one on the PC with the same result... I was also sure to check they were not mounted in TrueCrypt at the time.
     
  16. dantz

    Right, I should have thought of that. The disk's first sector has been overwritten by what appears to be a misplaced TrueCrypt header. (Maybe that's how you lost access to the disk!) The first sector no longer contains an MBR, a partition table or a disk signature, and thus it has to be initialized before Windows can work with it.

    If you had used TrueCrypt to encrypt the entire disk I would say not to initialize it, as this would wipe your TrueCrypt header, but our test results show that you encrypted a partition, so the beginning of the disk needs to be set up like a normal disk.

    Go ahead and initialize the disk. Initialization only writes to the disk's first sector, so this shouldn't harm any of your data, which begins 1 MB farther in. As long as you still have the mountable test file and the recently created header backup file, I believe it's ok to initialize the disk and then follow the procedure I posted previously.

    Edit: If you want to play it safe you can make a backup copy of the disk's first sector (first 512 bytes) before you begin. It's very similar to the procedure we followed when we used WinHex to block-copy certain portions of the disk and save them as test files.
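
Added example, not part of the original posts: a Python check of what the disk's first sector currently holds (MBR with partition table and disk signature, zeroed, or random-looking data), plus a copy of those 512 bytes to a new file before initializing. It assumes a raw image of the disk as input; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Bits per byte: about 7.6 for 512 random bytes, 0 for a zeroed sector."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def parse_mbr(sector):
    """Return (disk_signature, [(type, start_byte, size_bytes), ...]),
    or None when the 55 AA boot signature is missing."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for i in range(4):                      # four 16-byte entries from offset 446
        base = 446 + 16 * i
        ptype = sector[base + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector, base + 8)
        if ptype and n_sectors:
            parts.append((ptype, lba_start * SECTOR, n_sectors * SECTOR))
    return disk_sig, parts


def classify_first_sector(sector):
    mbr = parse_mbr(sector)
    if mbr is not None:
        return "mbr" if mbr[1] else "mbr-no-partitions"
    if not any(sector):
        return "zeroed"
    # High entropy is consistent with encrypted data such as a misplaced
    # header; only a successful mount with the password confirms it.
    if shannon_entropy(sector) > 7.0:
        return "random-looking"
    return "unknown"


def backup_first_sector(disk, backup):
    """Save the first 512 bytes to a NEW file; returns their SHA-256."""
    with open(disk, "rb") as src:
        sector = src.read(SECTOR)
    if len(sector) != SECTOR:
        raise EOFError("source is shorter than one sector")
    with open(backup, "xb") as out:         # "xb": never overwrite a backup
        out.write(sector)
    return hashlib.sha256(sector).hexdigest()


def sample_mbr(start_lba=2048, n_sectors=2_930_270_208):
    """Constructed MBR: one entry starting at LBA 2048 (byte 1048576)."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, 440, 0x1234ABCD)   # made-up disk signature
    sector[446 + 4] = 0x07                            # made-up partition type
    struct.pack_into("<II", sector, 446 + 8, start_lba, n_sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def sample_random_sector():
    """Constructed stand-in for an encrypted sector (hash output, no 55 AA)."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return raw[:510] + b"\x13\x37"


if __name__ == "__main__":
    print(classify_first_sector(sample_random_sector()))   # before initializing
    print(classify_first_sector(sample_mbr(n_sectors=0)))  # initialized, no partition
    print(parse_mbr(sample_mbr()))                         # partition recreated
```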
     
  17. InterestedParty

    Dantz...You are my absolute hero. :)

    Both drives were recovered successfully following the initialize and new simple volume procedure.

    I will now be able to get in and back up the drives properly to combat any future problems!

    I really don't know how properly to say thanks. I'd love to buy you a beer sometime!

    As an interesting aside, I did the recovery on my laptop rather than PC. I mounted the small test files in Truecrypt and noticed that it still took 30s - 1m to mount even on the laptop just like it had on the PC.

    I will be keeping a close eye on these drives that's for sure.
     
  18. dantz

    That's great news. Congratulations!

    Please don't forget to test the embedded backup headers (via Mount Options etc., described previously), as they might not be available any longer due to changes in the partition end boundaries. (And please let me know.)

    If it turns out that the embedded backup headers are broken (actually, out of position) then it would probably be best to copy off the data, format the partitions (quick format would be ok), re-encrypt the partitions, make fresh backup copies of the headers and then move or copy the data back on. Or if you don't want to do all of that then at the very least make sure you always have backup copies of the current headers and of course the data.

    We still don't know how you lost the two partitions in the first place. Any ideas?
     
  19. dantz

    Yikes! Not good. I'll try to figure out why that's happening. But your partitions mount much more quickly, right? Should take less than a second.
     
  20. InterestedParty

    Yeah once they were repaired the mounting was lightning quick again like it used to be.
     
  21. dantz

    I'm still waiting for you to test your embedded backup headers and report back. I need this information to further understand the problem.
     
  22. InterestedParty

    Hey Dantz,

    Sorry it took me a month to get back to you. Holidays are a crazy time!

    To answer your question the embedded backup headers were successful when I did the test.

    Thanks again for all your help :)
     
  23. dantz

    Thanks for getting back to me, I appreciate it. Happy New Year!
     
  24. Brynjard

    Brynjard Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    3
    Hey guys, the situation I'm in is the same as InterestedParty (apart from the fact that it's a 500gb HDD and mounting is almost instantaneous, also positive test results, TC password accepted etc.). Thus I was able to follow the steps provided by Dantz up to the point of this quoted post.

    Problem is, where on Terra is "Initialize Disk"? Please see images for troubleshooting. All respects to Dantz for such dedication to help, few people are that well intended and they're worthy of huge amounts of respect.
    (Also please note it is Disk 0 as opposed to you saying "should be numbered Disk 1 or higher, based on how many other disks are installed/connected." I don't believe that's an issue however)

    http://imgur.com/kGRThha,py1GUq2,qvjdrlw#1
    http://imgur.com/kGRThha,py1GUq2,qvjdrlw#2
    http://imgur.com/kGRThha,py1GUq2,qvjdrlw#3

    Dantz please, I am asking you to reply to this as I believe I'm almost done and I won't be wasting much of your time. However, I don't see the workaround to the "Initialize Disk" issue. Thanks in advance.
     
  25. dantz

    I'm a bit busy right now, but I'll study your situation and get back to you soon. In the meantime, don't try to initialize the disk, as I don't think it needs it. There is apparently already a healthy partition present, and initializing the disk would wipe that out.

    It would help if you described your configuration and your situation in a bit more detail, as it seems to be different than that of the OP.
     