Truecrypt MOUNTS but Windows can't access...

Discussion in 'privacy technology' started by popppa, Sep 9, 2011.

Thread Status:
Not open for further replies.
  1. popppa

    popppa Registered Member

    Joined:
    Sep 9, 2011
    Posts:
    2
    Hello,

    First of all this forum is great! Thanks to all who participate.

    I have a problem that has been talked about here but I would like to get situation specific advice.

    Have a Truecrypt encrypted 2TB external drive to back up (but ultimately be the new main central storage point) a myriad of older encrypted drives. Everything went swimmingly until I had to send my other laptop to be repaired. Like a good kid I made a backup of the laptop HDD before sending it off. The laptop wouldn't boot (cpu error) so I had to take the hdd out of the laptop, put it in a USB equipped enclosure & back up the data from there. Using EaseUS I made a backup & placed it on my Truecrypt hidden drive. I tried placing it in the outer volume (after being SURE to enable write protection of the hidden drive) but TC said there wasn't enough space. I knew there was but didn't worry because I had enough space on the hidden volume. Backed it up. No error messages or problems. As I wanted to eject (safely remove hardware) the laptop hdd & replace it back in the laptop, Windows kept saying it was still in use. Everything was done & all programs (involved in the backup process...including explorer) had been closed for hours. I shut down windows & disconnected the hdd & placed it back in laptop & gave it to the UPS man.

    Fast forward to this morning. I wanted to access my Truecrypt hidden volume. No dice. Keeps telling me that the password is wrong...yada, yada, yada. I can't mount the inner OR outer volume. I start googling & they suggest to restore backup header. I follow the prompts & do the whole "move the mouse" thing & try again. Still no dice. I then try to mount it using the backed-up header. It mounts...but the drive is not accessible! (I get the "This disc is not formatted, would you like to screw yourself over & format it now?" message...I decline). :rolleyes: I find contradictory information about what steps to take to recover the data. Some say CHKDSK, some say use CHKDSK & you're hosed. I am currently analyzing it using Testdisk 6.12...but I have to be honest...I'm not really sure what to make of the results that are still coming in.

    With ~78% of the "Analyse Cylinder" process complete it's displaying things like:

    0 D FAT16 LBA (then six groupings of 10 digit numbers)
    FAT16 LBA
    check_FAT: can't read FAT boot sector
    Invalid FAT boot sector.
    0 D FAT12 (six 10-digit numbers)....

    It repeats this four times (each time with a different set of six 10-digit numbers) except one says 0 D FAT 16 <32M & the last one says 0 D FAT16 LBA....

    I'm scared to do anything else after reading so many posts where one wrong click means you're toast. I'm afraid of overwriting the backup header because that's the only way I got it to even mount...but I would REALLY like to secure a copy of it because it is apparently different from the one that I restored (that didn't work).

    I haven't had any problems with TC in years of using it (except trying to mount a volume whose password I had forgotten). I DESPERATELY need to recover the files/filesystem...& hopefully with the original names intact (If I have to rename 100,000 file names...I'll just shoot myself now).

    Please help...that funny shaking you felt was my world coming to a complete stop....:gack:
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    If your data is particularly important and you don't want to risk making things worse then the smart thing to do would be to make a complete sector-by-sector backup of the affected disk.

    I suggest using GetDataBack to explore the mounted volume (probably listed under "Logical volumes" or something like that, I forget the exact details.) But don't expect miracles - if you trashed/overwrote the volume's internal filesystem then you're not likely to experience an easy, organized restore of all your files.
     
  3. popppa

    popppa Registered Member

    Joined:
    Sep 9, 2011
    Posts:
    2
    Thanks for your reply.

    Is there a process to secure the backup version of the header? I cannot mount it normally (using the regular header) even after "restoring" the header. The so-called "new" header results in the "Password/not a Truecrypt volume" error. I'm concerned about losing the backup of the original header because it is the only way I can get either volume to mount (despite having a potentially nonexistent filesystem thereafter).

    What is the difference between GetDataBack & PhotoRec, TestDisk, etc.?

    Thanks again.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Sorry, I'm way too busy to put much time into this problem right now. I also don't know why your restored headers don't work. Very strange.

    You can copy the embedded backup headers manually using WinHex or another hex editor, but you have to know where to find them. Each embedded backup header is 64KB and is located a specific distance back from the end of the volume, which can be either the end of the partition, the end of the disk or the end of the file, based on which type of encryption you set up. Details can be found in the help file in the Volume Format Specification section. It's also usually possible to test the backed-up headers externally by either manually copying them (via WinHex) or by restoring them (via the TrueCrypt interface) onto a throwaway test file and then seeing if you can get it to "mount".

    Another approach is to copy the entire disk, as I mentioned previously.

    GetDataBack will try to make use of your FAT or MFT (whichever applies, and assuming you use the appropriate version) or their backups, if they are usable. It's usually a good way to start off a recovery attempt unless you already know that the file system is beyond redemption. PhotoRec ignores the file system (or what's left of it) and tries to recover individual files from the disk based upon their known signatures (common headers, etc.) There's a list of supported file types on the website. If your files are supported and they aren't fragmented then PhotoRec can probably help, although the results will not be particularly organized. TestDisk can be used to try to restore/rebuild a broken filesystem, but this is not a read-only procedure, so it's the most dangerous of the three.

    It's generally safest to do all of this work on a copy of the disk. I also suggest you get help from data-recovery experts on other forums. Since you are able to mount the volume, you don't necessarily need to obtain TrueCrypt-specific advice.
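
Added example, not part of dantz's post and not TrueCrypt code: one way to copy both embedded 64KB backup headers out of a sector-by-sector image of the disk without writing to the image. The distances from the end of the volume (131072 and 65536 bytes) are an assumption based on the TrueCrypt 6.0+ volume format and should be checked against the help file; the function names and the sample image are constructed for illustration.

```python
import hashlib, os, tempfile

REGION = 64 * 1024  # each embedded backup header occupies 64 KB (per the post)
# Assumption: TrueCrypt 6.0+ layout; distances are measured back from the end
# of the volume. Confirm against "Volume Format Specification" in the help file.
BACK_FROM_END = {"outer": 2 * REGION, "hidden": 1 * REGION}

def extract_backup_headers(image_path, out_dir, vol_start=0, vol_len=None):
    """Copy both backup-header regions out of a disk image without writing to it.

    vol_start/vol_len locate the volume inside the image (default: whole image,
    i.e. a file container or whole-disk volume). Returns
    {name: (absolute_offset, sha256_hex, output_path)}.
    """
    os.makedirs(out_dir, exist_ok=True)
    found = {}
    with open(image_path, "rb") as img:          # read-only handle
        image_size = img.seek(0, os.SEEK_END)
        vol_end = image_size if vol_len is None else vol_start + vol_len
        if vol_end > image_size or vol_end - vol_start < 4 * REGION:
            raise ValueError("volume bounds do not fit inside the image")
        for name, back in BACK_FROM_END.items():
            offset = vol_end - back
            img.seek(offset)
            blob = img.read(REGION)
            if len(blob) != REGION:
                raise OSError(f"short read at offset {offset}")
            out_path = os.path.join(out_dir, f"backup_header_{name}.bin")
            with open(out_path, "xb") as out:    # "x": never clobber an earlier copy
                out.write(blob)
            found[name] = (offset, hashlib.sha256(blob).hexdigest(), out_path)
    return found

def build_constructed_image(path, size=1024 * 1024):
    """Constructed sample: a zero-filled file with marker bytes where the two
    backup headers would sit. Real headers are encrypted and look random."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(size - 2 * REGION); f.write(b"O" * REGION)
        f.seek(size - 1 * REGION); f.write(b"H" * REGION)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk_copy.img")
        build_constructed_image(image)
        for name, (off, digest, out) in extract_backup_headers(image, tmp).items():
            print(f"{name}: offset {off}, sha256 {digest[:16]}..., saved {out}")
```

For a partition-hosted volume inside a whole-disk image, pass the partition's starting byte and length as `vol_start` and `vol_len`, since the end of the volume is then the end of the partition. The recorded SHA-256 values let you confirm later that the saved copies still match what is on the image.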
     