Truecrypt partition corrupted after using testdisk to recover a different partition on the same HDD

Discussion in 'encryption problems' started by satro, Dec 18, 2016.

  1. satro

    satro Registered Member

    Joined: Dec 18, 2016
    Posts: 7
    Location: US
    Hi! I am in urgent need of help. I have a 40 GB HDD which had a truecrypt partition at the beginning followed by many other partitions after. The partition was a FAT32 file system. Have used this for a couple of years without ever having a single issue. However some time ago, one of my partitions (of those following the truecrypt one) got unpartitioned only because of using Windows 7 disk management to create a partition on the drive. That's not of much importance. So anyways that one was an ext3 which contained a Linux OS. It was my main OS on the system and it had some 3 months of settings, updates, workstation setup etc. which I wasn't willing to lose, though I wish I just disregarded it anyway after what I have done. So after the unpartitioned definition of the partition, I let it stay like that for a few months while I used another Linux OS to do my business since all my work data was OK. Then a couple of days ago, without even thinking, I hastily and successfully recovered the lost partition via testdisk using some blog post I came across online.
    I'll just quickly explain what I did, though I can try to pin down things from memory on request. I opened testdisk in a terminal, selected the drive (sdb), selected quick search, then it showed me what I needed, which was my lost partition in full. I remember clearly selecting it (sdb6) and then processing it. It only took a few seconds and testdisk conveyed completion.

    Throughout the testdisk process, I was still accessing and writing data on my truecrypt partition and other partitions while working on the recovery process, and continued with my work after the said conveyance of testdisk. Everything seemed fine and I hoped for the best when I would check out the results later. Later on, after time to check if the OS partition was fully recovered came, I rebooted and yes, it was recovered. Upon mounting my truecrypt volume it refused to do so. I thought 'mistyped password' but NO! I opened gparted and saw the partition is now showing as NTFS and has a boot flag and was like WTF?

    This might sound calm and I'm trying to keep it calm but I'm actually in serious trouble. That partition is my life as it contains very important data, I grant you that. I have thoroughly read many posts in here and tried many things. Some of them most similar to my situation include https://www.wilderssecurity.com/threads/truecrypt-missing-partition-table.336671/ . I have tried to save as a file the supposed truecrypt header located in the first partition using winhex but it doesn't mount in truecrypt. I have also tried the embedded header but also didn't. As in the below screenshots, the partition is showing as 9.07 Gb in Windows 7 stock partition manager whereas in winhex it shows as 9.1 GB. Also in the said Windows 7 it shows as RAW partition whereas, as mentioned earlier, in gparted on Linux it shows as NTFS. Following are screenshots of the HDD info in Winhex directory browser and Windows 7 disk management: http://intttddcts.xtgem.com/HDD_info_in_winhex.jpg http://intttddcts.xtgem.com/HDD_info_in_Dsk_Mgmt_Win7.jpg

    I cannot recall the exact size of the partition before the tragedy took place but I vaguely remember the digits 9 and 7. Maybe it was 9.7 GB or maybe it was 9.07 as currently showing in WinHex, but what I know for a fact is that it was FAT32 and not NTFS. Regarding my trials in saving the header as a file which required calculating the offset of the partition, I assumed the size of the lost truecrypt partition by equating the now showing as RAW in win7 disk management and partition1 in WinHex, partition's measurements with the supposed truecrypt partition's in the dantz's posts.

    Although I'm not knowledgeable about filesystems, I currently gather that probably testdisk defined the partition as NTFS, which I guess too that it can have different measurements from the FAT32 in its partition definition. If that's the case, probably the header located in the first sector of the partition is overwritten and the embedded header supposedly located near the end of a truecrypt partition should therefore be impossible to locate in my case, since the initial FAT32 partition definition had different offset with regard to hex editor's from the current NTFS and/or RAW partition definition. Just brainstorming.

    Since I am not able to insert tables in this post, you can view more information and facts such as my full partition table information here

    By the way, regarding backup, I only had 11GB free space on my storages, so I used dd to at least backup the first 11 Gigs of the HDD just in case. But I haven't touched nothing after what testdisk did.
    Thanks in advance for your help. I'm in a very desperate situation.
     
    Last edited: Dec 19, 2016
  2. satro

    satro Registered Member

    Actually I think testdisk probably recovered a very old partition table possibly from a long time ago when I wasn't a truecrypt user. This is because I'm wondering whether testdisk would define a partition as NTFS when it was supposed to recover another. That just doesn't make sense. But not certain though just a thought.

    Additionally, I followed the steps at https://ubuverse.com/recover-a-disk-partition-with-testdisk-and-gparted-live/ when I used testdisk to recover the OS partition

    Also when I summate all the partitions' sizes displayed in gparted http://intttddcts.xtgem.com/Scrnst_HDD_gprted.jpg (I have attached a screenshot), I get 46.98 Gigs even though the HDD is exactly 40020664320 bytes.
     

    Attached Files:

    Last edited: Dec 19, 2016
  3. satro

    satro Registered Member

    Hi! I'm nearly done recovering my partition. I've followed the ptmoy2's doings in https://www.wilderssecurity.com/threads/how-to-recover-deleted-truecrypt-partition.366150/ where testcrypt has taken 10 hours to analyze and find my lost truecrypt volume and mounted it also. Now testcrypt has provided me with accurate information that has made me feel so stupid. All along I was thinking the partition was 9.7GB though it was really 16.7 Gigs. What a terrible memory my mind seems to be having.

    Anyways, now I'm stuck in calculating the testcrypt's found header offset from the numbers on the analyzer result so that I can back it up using winhex editor. The numbers have left me clueless as to what I could insert in the define block in winhex. Under the normal header column the testcrypt analyzer window shows 0/32/33-2185/43/34, of which I don't know whether that means division and subtraction or sector path. All I need is the starting sector of the header? Very complicated; add to that, I don't know how to convert sector to decimal offset, but I reason the formula to be multiply sector by 512. I have attached a screenshot of the testcrypt analyzer results. Thanks to anyone willing to help me.
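The conversion asked about in the last post, as an added example that is not part of the thread and not TestCrypt's own code: it reads `0/32/33-2185/43/34` as a start-end cylinder/head/sector range and turns it into sector numbers and byte offsets. Assumptions: a translated geometry of 255 heads and 63 sectors per track (not stated on the page, though under it the range comes out at 16.74 GiB, in line with the 16.7 Gigs reported), 512-byte sectors, and the backup header position from the TrueCrypt 6.0+ volume format (131072 bytes before the end of the volume); the function names are hypothetical.

```python
# Added example: a C/H/S range as printed by the analyzer -> LBA and byte offsets.
SECTOR_SIZE = 512              # bytes per sector, as the post assumes
HEADS, SPT = 255, 63           # ASSUMED translated geometry; not stated on the page
DISK_BYTES = 40020664320       # disk size quoted in the thread
BACKUP_HDR_FROM_END = 131072   # TrueCrypt 6.0+ format: backup header 128 KiB before the end


def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    """Convert cylinder/head/sector to a 0-based LBA (sector numbers start at 1)."""
    if not (c >= 0 and 0 <= h < heads and 1 <= s <= spt):
        raise ValueError(f"CHS {c}/{h}/{s} is outside geometry {heads}/{spt}")
    return (c * heads + h) * spt + (s - 1)


def parse_chs_range(text):
    """Parse 'C/H/S-C/H/S' into (first_lba, last_lba); '/' and '-' are separators."""
    start, end = text.strip().split("-")
    first = chs_to_lba(*map(int, start.split("/")))
    last = chs_to_lba(*map(int, end.split("/")))
    if last < first:
        raise ValueError("range ends before it starts")
    return first, last


def describe(text, disk_bytes=DISK_BYTES):
    """Return sector numbers and byte offsets for a CHS range on the given disk."""
    first, last = parse_chs_range(text)
    size = (last - first + 1) * SECTOR_SIZE
    if (last + 1) * SECTOR_SIZE > disk_bytes:
        raise ValueError("range runs past the end of the disk")
    start = first * SECTOR_SIZE
    return {
        "first_lba": first,
        "last_lba": last,
        "start_offset": start,              # primary header sits at the volume start
        "size_bytes": size,
        "size_gib": round(size / 2**30, 2),
        "backup_header_offset": start + size - BACKUP_HDR_FROM_END,
    }


if __name__ == "__main__":
    for key, value in describe("0/32/33-2185/43/34").items():
        print(f"{key:>22}: {value}")
```

The byte offsets are decimal and relative to the start of the physical disk, so they apply when the hex editor has the whole disk open rather than a single partition.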