TrueCrypt partition disappeared

Discussion in 'encryption problems' started by praisethecasulsun, Nov 27, 2015.

  1. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    Hello!
    Something bad happened and I need your input!

    Back when I had Win XP I bought one 1TB HDD and made 3 partitions and encrypted each one with TrueCrypt. Everything went fine for years. I have my OS on another HDD. So I upgraded my OS for years, to Win 7, then 8 and finally to 10.

    Until Win 8 everything was fine. Now that I installed Win 10 (not the upgrade, I formated the other HDD an installed it there completely new) suddenly the first partition of my 1TB HDD is gone.

    At first it didn't have a drive letter, so I went to diskmgmt.msc and gave it one. It shows up as NTFS system, unlike the other two partitions which are RAW.

    When I try to mount it in TrueCrypt, it says: "WARNING: host file/device is already in use". And when I continue anyway it says "Error: Cannot Mount Volume. The Host File/Device is already in use. Attempt to mount with exclusive access failed as well."

    In the System explorer window it shows the first partition as if it's completely empty.

    Help! Is my data gone?
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Your post reads like those made by a thousand others before you. Now, just to be sure, lets confirm I am not misreading and jumping to conclusions which are wrong. What I am seeing between the lines is instead of an upgrade you did a fresh/clean install of Windows 10 on a HDD using a windows install disk. Further; the other TC encrypted HDD was also connected to the machine during the process. Is that correct?

    Assuming the answer is YES then here is what happened. The windows installer will almost always break the partition table/header on the second drive IF it was connected to the computer while you were using the installer EVEN if it was on another connected hard drive. Isn't Windows a beautiful thing --- not!

    We can continue once a confirmation is made as to my suspicions. I actually hope to be wrong!
     
  3. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    What you are assumining is unfortunately correct.
    Since I've been doing clean installs since XP on the other HDD I didn't think that such a thing would suddenly happen with Win 10.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I am cringing as I ask this, sort of expecting a NO but hoping for the reverse (YES). Do you have TC volume header backups and/or a backup of the MBR for the TC encrypted HDD? That MBR of 512 bytes would contain valuable partition configuration specifics.

    Do you have full access and can you read the data (open and unencrypted) on the second and third partitions of the TC encrypted drive?

    Do you have the data backed up on the first partition and therefore you could just blow away partition one and start over? Chances are the thread wouldn't be in this forum if you did but I am asking just to be sure.
     
  5. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    First of all, thanks for the answer!

    I'm sorry to keep disappointing you. I don't have backups of TC volume header or the MBR.
    Second question: Yes, I can read and write data on the second and third partitions with no problems at all and have full access.
    Unfortunately I didn't make a backup of the first partition because I wasn't expecting this ;_;
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    OK all your answers are as expected. Before you do anything else you may want to make SURE partitions 2 and 3 are backed up. At least their volume headers being stored on removable media such as a flash drive. They are small, only a few meg each. Once that is completed so things don't get worse on those 2 partitions you can proceed.

    If you go back into disk mgmt and remove the drive letter can you THEN see partition 1 in the TC control panel? If so, there is some chance that trying to restore the header from the automatic backup might be successful. When you created the volume there was a backup header placed near the end of the volume. Just look at the TC control panel or read the manual and you will see that option. Its nowhere near as sure fire as an actual backup volume header would have been. Its worth your time to give it a try. If you cannot see the device in the TC control panel you will not be able to use this option. Partition 1 as you described it, is a device based encrypted volume.You'll need to look under device to find the volume in the control panel -- duhhh.

    Report back and keep your fingers crossed.
     
  7. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    Thanks again for your reply!

    I did as you told me, restored the automatic backup header (with the outer volume pw) and it succeeded. Now I can mount partition 1 with the outer volume password however when I open it, Windows says that the volume needs to be formated. When I try to mount it with the hidden volume pw I get "Incorrect Password or not a TrueCrypt Volume".

    Keeping my fingers crossed!
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    When you restored the backup header did you get a prompt for the hidden password too? Its been a long time since I restored a volume using windows volume header without a full volume header backup on removable media. I am just wondering if there was an option to include the hidden volume header too and you didn't do that?

    TC code specifies the exact same size of header whether or not there is a hidden volume. If there is a hidden volume the header is placed in a specified location, but if there isn't TC creates random code for that slot during volume creation. This keeps an adversary from knowing if there is a hidden volume.

    e.g. -- when you make a true volume header backup it asks IF there is a hidden volume and YOU enter the hidden password too in order to save the entire volume header. Without doing so the slot for the hidden volume would be filled with random data thus destroying any chance to restore the hidden volume from the backup you just made. Make sense?

    Fortunately the hidden volume itself is completely outside of the volume header location so if you can restore the header chances are decent you can get to your hidden volume data. You may have to pick between the outer and hidden volumes when/if you get to the point of using data recovery software. That is still down the road for you now.
     
  9. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    When I restored the volume header there was sadly no option to enter the hidden volume password.

    Can you recommend any specific data recovery software? Or is there something else I can do before that?
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Man I hate that Windows installer! Not trying to add insult to injury but for those reading along (if any) please underscore the importance of volume header backups in a safe place. Additionally a copy of the device MBR and partition tables would make things a snap! All these files are so small but they are Gold when it hits the fan.

    OP, you should realize that if you run recovery software on the outer volume unlocked/unprotected you will overwrite ANY chance of getting to the hidden volume data. Recovery of the hidden volume is beyond the scope of public discovery for me in this forum. Perhaps someone else is willing or able. I only know of two here that have done it in public workspace, and one doesn't attend here any longer. There must be more but they prefer to "lurk" to protect themselves.

    Recognizing that recovery of the outer volume will kill your hidden data you can attempt recovery of the files in the outer any number of FREE ways. Try looking through the imaging forum and ask questions. I am hesitant to give a specific answer because there are a dozen great software products that are free and easy to download.

    I realize this isn't ending how you wanted. You have learned a bunch about why those recovery tools are coded in the software in the first place. I have thought about coding a pop up every six months that would require a restoration of the volume header virtually mandating that a copy is made and kept. It sounds harsh and maybe childish but it sure would have helped in this case and many many others along the road of encryption!!
     
  11. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    I learned my lesson. ¯\_(ツ)_/¯
    Funny/ironic thing is, I wanted to decrypt all volumes when this happened. In hindsight, I should have done that before upgrading to Windows 10.
    There's nothing worth saving on the outer volume, so I guess I'll just format it and decrypt the other two volumes using that one as temporay backup volume.

    Thank you for your support, it was much appreciated!
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    You are welcome. You don't need to decrypt (AND YOU CANNOT ANYWAY), just copy the "mounted" data to partition one and format the other partitions and write the data back as desired. TC code limits decryption to system disks only!

    Another easy option BEFORE you used the windows installer would have been to unplug the HDD with TC on it so that the windows installer couldn't destroy it.
     
  13. praisethecasulsun

    praisethecasulsun Registered Member

    Joined:
    Nov 27, 2015
    Posts:
    7
    Yes, that was what I meant :D

    Thanks again for your help ;)
     
Loading...