Truecrypt Missing Partition Table

Discussion in 'encryption problems' started by InterestedParty, Nov 26, 2012.

  1. fearturtle03

    fearturtle03 Registered Member

    Joined:
    Dec 6, 2013
    Posts:
    3
    Dantz,

    I was came upon this thread as I just wrote a file to a true crypt container that had a hidden container and I forgot to protect it and now I can no longer access the hidden container.

    I can mount the hidden container just fine and it accepts my password but when i go to open it, it asks if I want to format and I click no. It then tells me it is an unrecognized file format.

    I have downloaded testdisk and photorec and took an image of the hidden container and then ran photorec on both the mounted hidden container and image. Both times photorec pulled out about half of the content except for all the pictures I had in there. This obviously tells me the container is no longer encrypted so I guess that is good.

    I try to right click on the mounted hidden container and repair filesystem and it trys to run CHKDSK but comes back with " Unable to Determine volume version and state".

    If photorec is pulling out SOME stuff and not others does that basically mean the other stuff it is NOT pulling out is too far gone for recovery? Is there another method or thing I can try?

    Thank You
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    The hidden volume is almost certainly still encrypted on the hard disk and thus it can be accessed only after using TrueCrypt to mount the volume. However, the image that you took of the hidden volume is probably not encrypted at all, since it was copied (I assume) from the mounted volume.
    Every case is different, so it's difficult to say which data got overwritten during the accident or which approach would be the most likely to succeed. You could always try to looking at the mounted volume using a hex editor, but it's going to be somewhat difficult to interpret. All of the overwritten areas will look like totally random data. I would expect to see a large swath of damage, kind of like the charred remnants of a forest fire, adjacent to some surviving (non-random) data. Looking at it that way might be interesting, but I doubt if it will help you to recover any more data, although you might learn what percentage of your volume was overwritten.

    Have you tried any other data-recovery tools? Also, does Photorec support the specific file types that you are trying to recover? If not, there are various other data-recovery tools that also provide advanced "file carving" capabilities.

    But the general concept is that any data that was overwritten during the accident will have been replaced by totally random data (or at least, that's what it will look like from within the mounted volume) and thus it will be unrecoverable.
     
  3. fearturtle03

    fearturtle03 Registered Member

    Joined:
    Dec 6, 2013
    Posts:
    3
    Thanks for the input. Yes I first mount the hidden volume/decrypt it and then created an image from that.

    I believe photorec can access my picture file type. It looks like they go .jpeg, .gif, and .png so I would assume even just 1 of the 30-40 pictures would be that type.

    Is it common for photos to be more likely to be over-written and unrecoverable? I find it odd that it found all my videos yet could not find a single picture. Would that be because the video has more data that it would need to corrupt before making it unrecoverable? Cannot imagine it is just random that no pictures were found...
     
  4. fearturtle03

    fearturtle03 Registered Member

    Joined:
    Dec 6, 2013
    Posts:
    3
    Also outside of photorec what can you suggest for data recovery for this type of issue?
     
  5. antexity

    antexity Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    3
    Dantz,

    Hopefully this is something simple.

    On my machine I was running TC for my Win 7 installation. I decided to install an additional new SSD into my machine. My goal was to dual boot. After the installation Windows 7 with TC still worked. I then began the installation processs of Windows 8.1, Popped in DVD follow the wizard, selected the new drive and finished. Restarted, no TC menu came up, and then machine proceeded to my Win 8 OS. Seems like my Win 7 Partition disappeared and no dual boot menu. In windows 8 I see the other disk, but 476gb of 476gb .

    I then proceeded to WinHex and here are the Screen shots

    HD0 (Original Win 7 TC, at least I hope it is)
    http://i.imgur.com/SwF6XJ0s.jpg

    HD1 (New SSD Win 8.1)
    http://i.imgur.com/SVih31ds.jpg

    If you need more info please let me know. I really appreciate this, Thank you
     
  6. antexity

    antexity Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    3
    To further add to this, I don' t have a rescue disk. I also tried your steps in this post on page 1. Winhex (copying 200k) bringing the file to TC and gives me invalid password. I used 1048576 - 1248576.

    Thank you
     
  7. zorkling

    zorkling Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    40
    Location:
    U.S.
    Hi, new user here. I tried to follow this process and the drive is not decrypting at all. I'm not sure if I'm doing the right thing, although, maybe it did start decrypting. How can I tell?

    *edit* sorry if I don't respond right away, I have limited internet access.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    The info that I posted in this thread doesn't really pertain to your situation, as system encryption is set up differently. And unfortunately, I'm not that knowledegable about dual booting with system encryption. I suggest you post this in the TrueCrypt forums, preferably in the "Problems - System Encryption" forum.

    Also, for some reason your images came out too small to read.
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Please start a new thread and try to include more details about exactly what went wrong and what you have done so far.
     
  10. zorkling

    zorkling Registered Member

    Joined:
    Jan 11, 2014
    Posts:
    40
    Location:
    U.S.
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    For late readers of this thread, I should mention that I've been "backing away" from the partition recovery technique that I described in Post #14, as I feel that the procedure is too risky for the majority of non-expert users.

    Although the procedure that I presented will probably work much of the time, especially for users with "plain-vanilla" configurations, I am aware that many users have non-standard or advanced configurations that would not be compatible with the described method, and in fact it might end up with the user causing even greater harm. I also realize that most users aren't even aware of the details of their own system configuration, so they can't be relied on to describe them properly.

    Thus, I can't comfortably suggest that anyone attempt the method described in Post #14 when I don't even know what their full setup is like. Maybe if I had their PC sitting in front of me and I could study it first then I would give it a try (and I would most likely be using DiskPart, not Disk Management).

    At this point I'm recommending that users merely copy the entire contents of their lost, encrypted partitions onto another disk and recover them there. WinHex can generally do this quite well, and it's a lot safer to do it this way.
     
  12. btak

    btak Registered Member

    Joined:
    Nov 23, 2014
    Posts:
    1
    Hi Dantz
    Thank you for useful tutorials.
    few days ago when i remove my Seagate Backup Plus Enclosure and try to use my 3TB HDD internally i encourage a problem.
    when i connect my hdd windows cannot detect it and when i go to disk management ask me for initialize the disk (GPT or MBR).
    i know from last time that my partition table is GPT and i click re initialize it.
    at first i think lost all my data.
    but after that i found out that partition table lost.
    my HDD Scheme is some thing like below:
    128MB + 2.7TB (Un-encrypted) + 195GB (Encrypted with tc)
    i use MiniTool Partition Wizard and my 2.7TB partition restored successfully. (by restoring partition table).
    at first both 128MB and 195GB TC volumes are un allocated and truecrypt cannot detect them.
    according to your tutorials i create un-formatted partition with windows both 128 mb and 195GB (windows can't create 195GB unallocated to a new partition,but i do it with minitools partition wizard).
    but when i try to mount my true crypt (195GB) i failed. and i cannot mount it.(Wrong Password)
    i do a full raw backup of both 128mb and 195GB with dd tools on linux to a file.
    is it possible i recover my truecrypt volume? or it is impossible?
    thank you Dantz.
     
  13. Maciastek

    Maciastek Registered Member

    Joined:
    Aug 24, 2015
    Posts:
    1
    Hello Dantz,

    It's 2015 and your expertise still saves data, 1.81 TB of it in my case. Thank you!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.