TrueCrypt Recovery Help: Installed FreeBSD over Non-System Partition

Discussion in 'encryption problems' started by grdk, Sep 23, 2013.

Thread Status:
Not open for further replies.
  1. grdk

    grdk Registered Member

    Joined:
    Sep 23, 2013
    Posts:
    5
    Hi everyone (and dantz),

    I'm a bit red-faced here, so I'll try to explain concisely what happened:

    1.) I have 2 x 2TB drives fully encrypted with TrueCrypt permanently attached in my workstation

    2.) I am not using Hidden Partitions, just simple non-system partition encryption, e.g. \Device\Harddisk1\Partition0

    3.) I was flashing a FreeBSD (pfSense) disk *.img to a CompactFlash card in Windows using dd/PhysWrite and inadvertently chose a TrueCrypt drive and a non TrueCrypt drive as the target :(

    4.) pfSense's *.img overwrote both drives (1.8TB formatted), with the following:
    a) \Device\Harddisk1\Partition1 -- 1.83GB
    b) \Device\Harddisk1\Partition2 -- 1.83GB
    c) \Device\Harddisk1\Partition3 -- 50.2MB
    d) 1,859.30GB Unallocated

    5.) I was able to recover the Boot Sector and MFT for the non-TrueCrypt drive successfully so we're OK there

    6.) I am able to mount the TrueCrypt drive using the backup header after reading this post on the TC forums

    7.) The encrypted volume now appears, but trying to access it in Windows gives an error of: "X:\ is not accessible. The file or directory is corrupted and unreadable."

    8.) Due to initial panic, I had recovered the backup Boot Sector from the mounted drive using TestDisk and overwrote the main Boot Sector on said mounted drive. The MFT and MFT Mirror are corrupted and unreadable.

    9.) I also tried using freeware and commercial file recovery tools (Recuva, GetDataBack, Zero Assumption Recovery, etc) and they weren't able to find anything interesting (the data).

    I'm halfway tempted to try cloning the disk to a backup disk with WinHex or Acronis, and deleting the FreeBSD partitions... and seeing if that will work, although reading through a few of dantz's posts in threads regarding the volume start, I'm not so sure now. Hopefully when dantz gets back from his trip he'll have some ideas if he sees this post.

    The data is semi-precious. I suppose I'll just cry over its loss if it's not recoverable and eventually get over it, but I would be ecstatic if dantz or others can give some insight on how to recover from this.

    The big lesson is to use my VMs to write images, especially when using dd (data destroyer :().
     
  2. jackcrowley

    jackcrowley Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    3
    You have done exactly the same as me, down to a T. I DD'd IPCop instead of pfSense though but it's amazing someone else had done the exact same thing after trying to solve this problem on my own now for what must be a year by now. That horrible feeling you get after DD'ing the wrong drive sure sucks, especially such an encrypted drive.

    So I overwrote the first 60 MB (with the IPCop img) of the drive with my TC partition on it. I can mount it using the backup header too, which is easy to do with TestCrypt. You'll want to backup the drive to another (brand new if possible) same size drive. Use DD to do a recoverable copy of the original. I say use a new drive as I've had bad luck with errors on older drives while doing my recovery.

    Let me tell you what I've tried so far, so you might know what doesn't work:
    Deleting the router partition, creating an unformatted partition the size of the whole drive, recovering the truecrypt header from the end of the drive, mounting the drive, running testdisk to analyse the mounted volume and try to recover the old partition. (This takes a week at least, 8 days for 2 TB)

    Using Testcrypt to mount the drive using the backup header, then using testdisk to analyse the mounted volume and try to recover the old partition.

    Using testdisk to try to recover the old partition table on the drive without touching the backup header, etc. This was before I knew how to recover the backup header and mount the drive.

    ------

    A few things that might work for you though:
    Mount the drive using the backup header. Run testdisk, select the mounted TC volume. Select "partition table type" "None", go to "Advanced", select "Type" and choose your old TrueCrypt partition type (what filesystem the TC volume was formatted with). Go to "Boot".
    In there you'll be able to see if testdisk can view the Boot sector or the Backup boot sector. If you have either of these listed as Good, then try the "Rebuild BS" option. This will rebuild your boot sector from the backup. Then that will hopefully allow you to recover your whole partition minus a few little files that might have been lost due to DD.


    The second option worked for me for part of the files on my drive. Mount the truecrypt volume using the backup header. Then open "Photorec" which is part of the testdisk software. Select your mounted truecrypt volume, go to "file opt" to select what file types you want to recover. Then select "Search" to recover files from the drive. This will take a fair while but as a rule it's quicker than the Testdisk deeper search. Around 1.5-2 days per TB to recover your files. It searches for signatures of the files even if the drive is raw and recovers files that way.
    You'll lose all of your file names though, and for me I've only recovered and started renaming around 200 GB of my 2 TB so far.

    Good luck though, hopefully you can recover your drive completely. If you have any q's, let me know. Let me know if you find a way to recover your drive too, I'm still searching for a way to recover my file names and most of my files. They're irreplaceable and I need them back so I've been frustrated with this mess for a year now. No one seems to know how to recover these either so it's been tough finding help.
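The volume layout behind the two posts above (a full-disk TrueCrypt volume whose start was overwritten by a dd'd OS image, then mounted from the backup header), as an added example that is not code from the thread or from TrueCrypt. The header offsets are the TrueCrypt 6/7 on-disk format (Common/Volumes.h in the TrueCrypt source); the $MFT position is an assumption about how Windows formats large NTFS volumes and is labelled as such, the real value lives in the boot sector or its backup copy in the last sector of the file system. The sample image is constructed in `build_sample`; the two `damage_report` calls at the bottom use the byte counts each poster gave.

```python
"""Added example (not from the thread): model what a dd'd image does to a
TrueCrypt full-disk volume, and check a raw disk image for the symptoms.

TrueCrypt 6/7 layout: each header slot is 64 KiB; the primary group (standard
slot + hidden slot) is the first 128 KiB of the device, an encrypted backup copy
of that group is the last 128 KiB, and the plaintext file system sits between.
"""
import math
import random
from collections import Counter

TC_HEADER_SIZE = 64 * 1024              # one header slot
TC_HEADER_GROUP = 2 * TC_HEADER_SIZE    # standard + hidden slot = 128 KiB
SECTOR = 512

# ASSUMPTION: Windows' format places $MFT at cluster 0xC0000 with 4 KiB
# clusters on large volumes, i.e. 3 GiB into the file system. Read the real
# value from the (backup) boot sector when you have one.
DEFAULT_MFT_OFFSET = 0xC0000 * 4096


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ciphertext and TC headers sit near 8.0, an MBR/UFS image far lower."""
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def header_regions(volume_size: int) -> dict:
    """Byte ranges [start, end) of both header groups and of the plaintext data area."""
    return {
        "primary": (0, TC_HEADER_GROUP),
        "data": (TC_HEADER_GROUP, volume_size - TC_HEADER_GROUP),
        "backup": (volume_size - TC_HEADER_GROUP, volume_size),
    }


def inspect_image(img: bytes) -> dict:
    """Distinguish a TC volume whose start was overwritten from an intact one.

    A healthy volume is high-entropy end to end and has nothing recognisable at
    bytes 510..511; a dd'd OS image puts an MBR signature there and drags the
    entropy of the primary header region down. The backup region must still
    look like ciphertext for the backup-header mount to have any chance.
    """
    r = header_regions(len(img))
    primary = img[slice(*r["primary"])]
    backup = img[slice(*r["backup"])]
    return {
        "mbr_signature_at_start": primary[510:512] == b"\x55\xAA",
        "primary_entropy": round(shannon_entropy(primary), 3),
        "backup_entropy": round(shannon_entropy(backup), 3),
        "backup_header_looks_intact": shannon_entropy(backup) > 7.9,
    }


def damage_report(volume_size: int, overwritten: int,
                  mft_offset: int = DEFAULT_MFT_OFFSET) -> dict:
    """What a write of `overwritten` bytes starting at byte 0 of the disk destroys."""
    data_start, data_end = header_regions(volume_size)["data"]
    # bytes of the *plaintext* file system that were replaced by image data
    lost = max(0, min(overwritten, data_end) - data_start)
    return {
        "primary_header_lost": overwritten > 0,
        "backup_header_lost": overwritten > data_end,
        "plaintext_bytes_lost": lost,
        "ntfs_boot_sector_lost": lost > 0,                              # sector 0 of the FS
        "ntfs_backup_boot_sector_lost": overwritten > data_end - SECTOR,  # last sector of the FS
        "mft_lost": lost > mft_offset,                                  # assumed $MFT position
    }


def build_sample(volume_size: int = 1 << 20, overwritten: int = 300 * 1024,
                 seed: int = 7) -> bytes:
    """CONSTRUCTED test data: pseudo-random bytes stand in for the encrypted
    volume; an MBR-carrying zero-filled image is written over its start, which
    is exactly what dd to the wrong of= does."""
    rng = random.Random(seed)
    vol = bytearray(rng.getrandbits(8 * volume_size).to_bytes(volume_size, "little"))
    if overwritten >= 512:
        image = bytearray(overwritten)
        image[0:3] = b"\xeb\x3c\x90"    # a jump, like real boot code
        image[510:512] = b"\x55\xAA"    # MBR boot signature
        vol[:overwritten] = image
    return bytes(vol)


if __name__ == "__main__":
    TB = 10**12
    # grdk: ~2 TB disk, the pfSense image laid down about 1.83 + 1.83 + 0.05 GB
    print("grdk:", damage_report(2 * TB, int(3.71e9)))
    # jackcrowley: first 60 MB overwritten by the IPCop image
    print("jackcrowley:", damage_report(2 * TB, 60 * 10**6))
    print("sample image:", inspect_image(build_sample()))
```

Under the stated assumption the two reports differ in the way the two posts do: a 60 MB overwrite takes the NTFS boot sector but leaves $MFT and the backup boot sector at the end of the volume untouched, which is why "Rebuild BS" from the backup could work for jackcrowley, while a ~3.7 GB overwrite reaches past the default $MFT position, which matches grdk's unreadable MFT and the fall-back to carving.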
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    @grdk: I'm back now and I can take a look at your situation, if you're still around. Fun problem. It sounds like some new partitions were created along with the overwriting of some data.

    My first question is, what did you start out with? Did your two encrypted disks contain partitions, or did they use full disk (non-partition) encryption? I realize that you stated you used partition encryption, but in that same sentence you also used "\Device\Harddisk1\Partition0" as your example, and Partition0 represents the entire disk, not a partition.
     
  4. grdk

    grdk Registered Member

    Joined:
    Sep 23, 2013
    Posts:
    5
    Hi there dantz, sorry for my late reply! I've been traveling, and just got back home and situated. The hard drive has not been touched since I last posted.

    To answer your question, yes, dd created new partitions from the image file, and overwrote the existing encrypted disk (full disk encryption). I apologize for not using the correct terminology, but hopefully that clarification made sense.

    I started out with a disk with full disk encryption. In TrueCrypt, to access the disk, I'd choose "Select Device" and choose "\Device\Harddisk1\Partition0" for example. When dd overwrote the disk, it created the partitions mentioned in my OP. I then performed the subsequent steps, to no avail.

    Btw, I tried using PhotoRec to attempt restoring some of the files, sans their directory structure and original file names, to a second disk. It successfully recovered some files, but not everything I need. There are files of types that PhotoRec doesn't pick up (incorrect signature?). It's been this long, and of course after a data loss there is the immense soul-crushing feeling, but I'm sort of OK with it now. Of course, that wouldn't mean I'd be ecstatic about recovering the entire disk, including the directory structure and original file names. Since the disk was used to store sensitive client files, and most of the files are small in size, there are probably thousands if not tens of thousands of files that should be recovered (if possible).
     
  5. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    It's possible to manually add new file types to PhotoRec, if you can determine how to identify them (you'll need some good samples). The process is in the PhotoRec documentation on their website.
     
  6. grdk

    grdk Registered Member

    Joined:
    Sep 23, 2013
    Posts:
    5
    Ah I didn't know that BeardyFace. I'll look into that if I can't restore the drive in its entirety somehow. I'm just trying to avoid having to do a RAW recovery, since then stuff will just all be dumped to a recovery folder. Because of the nature of the files, without the directory structure + file names, it would be difficult and take a long time to reconstruct the data into a useable form... even if we could bring the files back with auto-generated file names.
     
  7. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    By all means try other methods first; however, my gut feeling is you'll end up back with that laborious process. dd didn't earn the nickname "data destroyer" by accident (by lots of accidents, perhaps); it's an error we all make eventually if we use the tool, and making the mistake seems the only way anyone (myself included) learns to be sufficiently cautious with it. If ever a tool needed a pause to say:
    "please check "of=......" is the correct target, the current contents will be destroyed", dd is the tool.

    dantz may have some other ideas how to get things back in a more easily sorted way, I hope he does, but since you have the volume itself decrypting enough to recover something, I'm afraid I have none; the sheer extent of damage a mistargeted dd operation does pretty much precludes attempts to repair the filesystem and directory structure working, in my limited experience.
     
  8. grdk

    grdk Registered Member

    Joined:
    Sep 23, 2013
    Posts:
    5
    Since dantz seems busy, I probably should go ahead and do a clone of the disk so there's a second copy to work from... are there any suggestions on which disk cloning software works best? I imagine it'll take a while, so I should get on it as soon as possible.
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'll read through your thread again and see if I can come up with any ideas.
     
  10. grdk

    grdk Registered Member

    Joined:
    Sep 23, 2013
    Posts:
    5
    Thank you dantz. I'll stand by...

    In the meantime, I've got two spare disks ready to clone the affected disk... I'd like to make an exact duplicate if possible, but I don't think Acronis can do that. Any suggestions on what software I should be using?
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    You obviously have access to the "smoking remains" of your TrueCrypt volume, and it is decrypting, so this is primarily a data-recovery problem.

    Since your original file system has apparently been badly damaged, I suggest you try other data-recovery programs that specialize in file-carving (in addition to photorec, that is). See if your known file types are on the supported list of files for each program. Or as BeardyFace suggests, create your own signature definitions if needed.

    If you come across a program that looks promising, but which lacks the technical ability to explore the contents of a mounted TrueCrypt volume, then you always have the option of copying the entire decrypted contents of your mounted volume (on a sector-by-sector basis) into an identically-sized empty partition on another disk. This will permanently convert your volume into plaintext and thus it will get TrueCrypt entirely out of the picture. I believe that WinHex can accomplish this. I'm fairly sure that I tested this procedure a few years ago, just to see if it would work. And there are undoubtedly some other equally effective methods that I haven't yet tested, such as using good old dd (data destroyer).

    The above approach might not help you much, but if you find that an otherwise promising-looking program balks at reading a virtual TC volume then you could give it a try.

    PS: I've used Acronis True Image in the past to make sector-by-sector copies of disks and partitions. There's a switch somewhere that you have to find. It might even go into that mode automatically if it detects a damaged file system. (And of course, since you are already familiar with dd, there's always that, although you need to really be careful not to mess it up this time).

    As I mentioned above, you can either sector-by-sector clone the unmounted disk, or you can mount the volume and then copy its entire contents into an empty partition. I think that cloning the unmounted disk is the best way to begin, but keep in mind that the other approach might also be useful under certain circumstances.

    I'm truly sorry, but I don't know of any magical way to get back your missing metadata and/or unscramble your broken file system. Once something like that is overwritten it's pretty much gone. But perhaps you should be asking for advice on some of the data-recovery forums. There are undoubtedly some users and developers out there who know a whole lot more about these sorts of things than we do. Check each data-recovery program that you use to see if it has a support forum associated with it. Sorry I can't be more helpful.
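The sector-by-sector clone dantz recommends as the first step, with the "pause before of=" that BeardyFace wishes dd had, as an added example that is not from the thread. It is a POSIX sh front-end for dd on Linux: the target must exist, must not be mounted (nor any partition on it), must be at least as large as the source, and must be retyped by the operator before anything is written; the copy uses `conv=noerror,sync` with 512-byte input blocks so a bad sector on the old drive becomes one zeroed sector on the clone and every later byte keeps its offset. `blockdev` (util-linux) and `sha256sum` (coreutils) are assumed to be installed; plain files are accepted as well so the checks can be exercised without a spare disk. The same `clone_disk` call also does dantz's second procedure (the decrypted contents of the mounted volume into an identically sized empty partition) when `src` is the decrypted device, which on a Linux host TrueCrypt exposes as a device-mapper node (assumption about the Linux setup; the posters were on Windows).

```sh
#!/bin/sh
# Added example, not from the thread: a guarded sector-by-sector clone with dd.
# Everything dd will not ask about (does of= exist, is it mounted, is it big
# enough, is it really the disk you mean) is checked before a byte is written.
set -u

# Size in bytes of a block device (Linux blockdev) or a regular file.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# True (0) if the device, or any partition on it, appears in the mounts table.
# $2 defaults to /proc/mounts; the test passes a constructed table instead.
# If the table cannot be read we fail closed and report "mounted".
is_mounted() {
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || { echo "cannot read $mounts; refusing" >&2; return 0; }
    awk -v t="$1" 'index($1, t) == 1 { found = 1 } END { exit !found }' "$mounts"
}

# Preflight checks. Returns 2 for bad paths, 3 if something is mounted,
# 4 if the target is too small, 0 when the pair looks safe to clone.
clone_preflight() {
    src=$1 dst=$2 mounts=${3:-/proc/mounts}
    [ -e "$src" ] || { echo "source $src does not exist" >&2; return 2; }
    [ -e "$dst" ] || { echo "target $dst does not exist" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "source and target are the same path" >&2; return 2; }
    if is_mounted "$dst" "$mounts"; then
        echo "target $dst (or a partition on it) is mounted; refusing to overwrite it" >&2
        return 3
    fi
    if is_mounted "$src" "$mounts"; then
        echo "source $src is mounted; unmount it so the copy is consistent" >&2
        return 3
    fi
    ssz=$(dev_size "$src")
    dsz=$(dev_size "$dst")
    if [ "$dsz" -lt "$ssz" ]; then
        echo "target ($dsz bytes) is smaller than source ($ssz bytes)" >&2
        return 4
    fi
    echo "preflight ok: $src ($ssz bytes) -> $dst ($dsz bytes)"
}

# The clone. The operator must retype the target path (or pass it as $4).
# ibs=512 + conv=sync: a read error pads exactly one sector with zeros instead
# of aborting, and the padded output never grows past the source size.
# obs=1 MiB keeps the writes large. Verification only means something when dd
# reported no read errors on the source.
clone_disk() {
    src=$1 dst=$2 mounts=${3:-/proc/mounts} confirm=${4:-}
    clone_preflight "$src" "$dst" "$mounts" || return $?
    if [ -z "$confirm" ]; then
        printf 'Retype the target path (%s) to overwrite it: ' "$dst"
        read -r confirm
    fi
    [ "$confirm" = "$dst" ] || { echo "confirmation did not match; nothing written" >&2; return 5; }
    dd if="$src" of="$dst" ibs=512 obs=1048576 conv=noerror,sync || return 6
    ssz=$(dev_size "$src")
    want=$(sha256sum < "$src" | cut -d' ' -f1)
    got=$(dd if="$dst" bs=512 count=$((ssz / 512)) 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "verification failed: $want != $got" >&2; return 7; }
    echo "clone verified: sha256 $got"
}

# Typical use, with the real devices substituted:
#   clone_disk /dev/sdb /dev/sdc        # unmounted damaged disk -> spare disk
```

Work on the clone from then on; the original stays untouched as the reference copy, and a second spare (as grdk has) can take the next attempt after a failed repair.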
     