TrueCrypt partition disappeared

Discussion in 'encryption problems' started by Xemnarth, Jun 30, 2014.

Thread Status:
Not open for further replies.
  1. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    Hello, I've been using TrueCrypt on my \Device\Harddisk9\Partition1 (for more than a year) but today it auto-dismounted and I could only see \Device\Harddisk9\Partition0

    This is not the first time it auto-dismounted; in fact it happened a couple of times, but I could always simply re-mount it from the TrueCrypt partition list. However, this time around, the encrypted partition just won't show up no matter what I do (tried restarting, finding lost partition using Find and Mount to no avail). The drive has always been connected to USB 3.0.

    When I go to disk management, it asks me to initialize the said disk.. I haven't initialized. In the past the drive used to show as "RAW/initialized" but now it shows as "Unallocated/not initialized"

    Also, I went to my event viewer and noticed the following errors around the time the auto-dismount occurred:

    "The device, \Device\Harddisk9\DR9, has a bad block."

    "The system failed to flush data to the transaction log. Corruption may occur."

    "The default transaction resource manager on volume Z: encountered a non-retryable error and could not start. The data contains the error code."

    Unfortunately I haven't backed up the volume header. Now what options do I have? I feel depressed.. Any help is greatly appreciated!!

    EDIT: I'm running Testdisk on the drive in hopes it will find the lost partition..
     
    Last edited: Jun 30, 2014
  2. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    853
    I don't use truecrypt and know little to nothing about it, but doesn't it have a hidden backup header you can call into play?
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, but it won't work if the partition is not intact, as TrueCrypt will not be able to find the exact beginning of the volume.

    It sounds like your disk is failing, so there's little point in trying to fix the problem "in-place". Your disk has apparently lost its MBR and partition table, among other things. I would suggest cloning or imaging your entire disk onto another disk, and then using that disk to recover your data. DDRescue is a good tool for cloning/imaging a damaged disk, but there are a number of other imaging tools that can also do it.

    You might want to look at some of the other encrypted-partition recovery threads I've contributed to in this forum, as your recovery will probably follow a similar route.

    Was this the only partition on the disk? Was it the default partition that filled as much of the disk as possible? If so then you might be able to take a shortcut.
     
  4. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    Yes, I'm getting a new HDD today to create an image of my corrupted drive to it using Ghost32. What happens if I just initialize the drive to get back its MBR? Should I experiment with the original drive or the backup drive?

    I looked into some of the threads here but I'm still not sure how to go about doing all the details.

    yes it's the only partition on the disk and it takes up the size of the whole disk.

    many thanks!

    EDIT: I hope Windows 7 didn't write anything to the volume header...
    EDIT: I haven't mentioned this but if I try to mount partition0 it gives "incorrect password or not a truecrypt volume" error (so I can't even mount partition0 to figure out the offset). I get the same error when trying to restore embedded volume header backup.
    EDIT: I'm using WinHex as suggested here https://www.wilderssecurity.com/threads/tc-volume-lost-partion.364916
    EDIT: here is a snip of the corrupted disk in winhex:
    https://cdn.mediacru.sh/hlTKyO80jn6Y.png
    https://cdn.mediacru.sh/A8GjgTWSWLhK.png
    EDIT: more info
    https://cdn.mediacru.sh/Pc1asAtwgBTb.png
    https://cdn.mediacru.sh/_cgw-Pu-nVgK.png
    https://cdn.mediacru.sh/Nik8JMsNPcQf.png
     
    Last edited: Jul 1, 2014
  5. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    Hey I followed your below post in another website and my password got accepted! What do I do next?

     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's great news! I wasn't sure if your TrueCrypt header survived the accident or not, but it obviously did, and thus your data will also probably be intact, as the file system and the data are located directly after the header.

    However, I have to go out right now and can't post the next steps until tomorrow. But basically you will just follow the same procedure that you followed when you created the test file, but this time include all of the data from 1048576 (decimal) to the very end of the disk (or to the exact end of the partition, if you can find it, but that's not strictly necessary), and save it as a single gigantic file. The file should be mountable by TrueCrypt. At that point you will need to create a new encrypted volume somewhere and copy your data into it. You should not continue to use the gigantic file because it might not have the correct endpoint, and thus the embedded backup header (among other things) won't be available.

    You can use WinHex to do this, and I believe HxD can do it as well. If you are good with dd, that would work too, but be careful not to mix up the source and the target or you will be very sorry.

    I'm not familiar with the capabilities of Ghost32, so I'm not sure if it will allow you to perform the operation in a single step (such as WinHex can do). It might, but if not then you could always use Ghost32 to image the entire disk, restore the image to a clean disk (or just clone your source directly to the new disk) and then initialize and partition that disk with the default partition (but make sure you DON'T format the partition). Then you would need to restore the TrueCrypt header to the partition from your backup, and then use TrueCrypt to mount the partition. That would most likely work.

    If the bad block (and the apparent disk damage) causes problems then you might need to image the disk using ddrescue before you are able to copy off the desired data, but you don't need to try that yet.

    I hope the above is mostly correct, but I had to type it quickly, as I have to get going. Good luck if you try it, or if not then I will be able to post back tomorrow.
     
  7. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    What data do you mean, the big file? So after creating the gigantic file I should mount it and extract my files from it into a new encrypted volume?

    Source and target?

    Okay, I'm not entirely sure I got all that. Can I skip the creation of the gigantic file and just start with this instead? I just bought a 4TB drive as my backup drive. I can directly create an entire disk image to another disk or file using Ghost32; it's fairly simple. From what you said here, it seems I need more than 1 HDD for backup if I were to create the gigantic file. I was just planning to clone my source (corrupted disk) directly to the new unformatted/uninitialized disk.

    You mean restore the header to the partition from the test file I created?


    EDIT: Never mind, Ghost32 can't work with the source drive for some reason (it's greyed/can't select it). I will try creating the big file into the new drive for now.

    EDIT: I need to purchase a WinHex license to be able to define more blocks. I was able to select the blocks in HxD but I'm not sure how to copy them into a new .tc file. It seems I can only save as the whole disk to a file using HxD.. Should I just do that?
     
    Last edited: Jul 1, 2014
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes, that's one way to do it. Another way would be to clone the drive and then rebuild the MBR & partition table on the clone. It should go fairly easily. You can use Windows to initialize the disk and create (but not format) the partition, and based on what you've described, I think it would work.

    Those terms are commonly used when discussing imaging and cloning. Since you are using Ghost I thought you'd be familiar with them. Unwary users sometimes mix up their source and their target when they are using dd, and as a result they end up overwriting their original drive with the contents of their blank drive. So if you decide to try using dd, make sure you don't do that.

    Yes.

    That would be fine. But I'm sorry to hear that Ghost can't work with the drive. If it's because the drive is damaged then you may have problems with other imaging programs as well.

    Yes. If you clone the drive and then initialize and repartition the clone then Windows will destroy the perfectly good TrueCrypt header, so you will need to restore the header from a backup. You can create a header backup from the test file and restore the backup to your new partition. It should work. It's all done within the TrueCrypt interface under "Volume Tools". You'll see backup volume header and restore volume header in that menu.

    If you just create the big file instead of cloning the drive then this won't be an issue, as WinHex will not destroy the header when you save the block as a file.

    I'll take a look at HxD to see how that is done. I'm pretty sure I did it once a long time ago, but I've forgotten how. I'll post back when I figure it out.
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Sorry, I missed your last edit. Hang on, I'll give HxD a try. But I'm surprised that Ghost is failing you. Are you sure you're using it correctly?
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I just tried using HxD to create the file. It works well on a small scale. Here's what I did:

    Open the source disk (the disk that you wish to copy data from)
    "File: New" to open a new empty file
    Click on the tab that represents the data disk
    "View: Offset Base: Decimal"
    "Edit: Select block" (in your case, specify from 1048576 to the end)
    "Edit: Copy"
    Click on the other tab to open the blank file
    "Edit: Paste Write"

    However, after further testing I rather doubt that HxD will be able to create a file of the desired size (I got an "out of memory" message when I tried to copy a large block). HxD obviously wasn't designed to handle large-scale cloning or imaging tasks, whereas WinHex was. You could use WinHex, or (if you don't want to buy a WinHex license) you could use a freeware cloning/imaging software to clone the entire disk, use Windows to initialize/partition the clone and use TC to restore the TC header onto the partition, as mentioned earlier.
     
    Last edited: Jul 1, 2014
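
Added example, not part of the original thread: a Python version of the block copy described above (everything from decimal offset 1048576 to the end of the source, saved as one file), done in fixed-size chunks so memory use stays flat, unlike the HxD copy that ran out of memory. The function names, the 512-byte sector size and the zero-filling of unreadable sectors are assumptions of this example, and the source is assumed to be a disk image or device that can be opened as a file.

```python
import os

VOLUME_OFFSET = 1048576   # decimal start offset used in this thread (1 MiB)
CHUNK = 1024 * 1024       # copy 1 MiB at a time so memory use stays flat
SECTOR = 512              # assumed sector size for stepping over bad blocks

def read_span(src, pos, want, bad):
    """Read `want` bytes at `pos`; zero-fill only the sectors that fail."""
    src.seek(pos)
    try:
        return src.read(want)
    except OSError:
        if want <= SECTOR:
            bad.append(pos)            # remember where data was lost
            return b"\x00" * want
    # The large read failed: retry sector by sector to isolate the bad one.
    out = bytearray()
    for p in range(pos, pos + want, SECTOR):
        part = read_span(src, p, min(SECTOR, pos + want - p), bad)
        if not part:
            break                      # ran off the end of the source
        out += part
    return bytes(out)

def carve_volume(source, target, offset=VOLUME_OFFSET, length=None):
    """Copy source[offset:] into a new file; return (bytes_written, bad_offsets)."""
    if os.path.abspath(source) == os.path.abspath(target):
        raise ValueError("source and target are the same path")
    bad, written = [], 0
    # Source is opened read-only; mode "xb" refuses to overwrite an existing
    # target, which guards against swapping source and target.
    with open(source, "rb", buffering=0) as src, open(target, "xb") as dst:
        while length is None or written < length:
            want = CHUNK if length is None else min(CHUNK, length - written)
            data = read_span(src, offset + written, want, bad)
            if not data:
                break                  # end of source reached
            dst.write(data)
            written += len(data)
    return written, bad
```

If the source stops responding entirely, pass `length` so the copy has a fixed end. Any offsets returned in the second value mark zero-filled sectors, which is the case where imaging with ddrescue first, as suggested earlier in the thread, is the better route.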
  11. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    Ghost does list the corrupted drive but I can't select it, as I mentioned earlier (it's greyed); perhaps that's because it's uninitialized.

    OK, so it seems creating the big file is more guaranteed to work than cloning, initializing and repartitioning the disk (also I'm tempted to try initializing the corrupted disk without backup since I have the test file). Alright, so to be on the safe side, I will have to buy a WinHex license to be able to copy the blocks (from 1048576 to the end of the last offset). Just need to confirm the below steps before proceeding:

    -Initialize the new backup disk (GPT part.) and quick format accordingly.
    -Define and copy blocks to a .tc file in WinHex.
    -Mount the .tc file in TC after successfully copied.
    -Enter password.
    -Magic?
     
    Last edited: Jul 2, 2014
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Ghost should be capable of cloning a raw disk. I'll be very surprised if it can't. If you want to go that route you should reconsider your settings before you give up.

    But ok, if you want to use WinHex to create the large file (which is my preferred method, but unfortunately it costs money) then your steps are essentially correct. Just use Windows to prepare the new disk (initialize it if needed, then create and format a partition), and then use WinHex to select the desired block and copy it to a file on the new disk.

    It will take quite a while, of course. And yes, if your test file started at 1048576 decimal and it worked (was mountable by TrueCrypt), then your large file should also be mountable by TrueCrypt, and this time it will (we hope) contain all of your data.
     
  13. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    https://cdn.mediacru.sh/Wn4KRYS-pPVa.png

    Paid version supports disk imaging (raw/dd) and disk cloning. Does any of that ring a bell?

    I think I will just stick to the big file method because I can have more freedom with the backup disk should I need to copy the files (inside the tc container) into it.
     
    Last edited: Jul 2, 2014
  14. Xemnarth

    Xemnarth Registered Member

    Joined:
    Jun 30, 2014
    Posts:
    7
    All data recovered!! This is awesome. Thanks a million dantz for being a life saver. :)
     
  15. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's great news! You're very welcome.
     