Truecrypt, Veracrypt, new Win 7 install. Possible lost data. Encrypted drive changed to NTFS

Discussion in 'encryption problems' started by breathe87, Jan 10, 2015.

  1. breathe87

    breathe87 Registered Member

    Joined:
    Jan 10, 2015
    Posts:
    11
    Well, I messed up my 2tb drive big time. I'm trying to remember the exact sequence but it's hard.

    first, a few things:

    1. the 2tb drive was just a data drive (the drive i am trying to repair/recover), with no OS.

2. As such, I had no specific rescue disc for it in particular. But I do have the rescue disc for the OS that it regularly was mounted on.
    ______________________________________________________

    * I Accidentally had my boot order in the BIOS screwed up. my ssd was secondary, my 2tb was first in line for the default hdd to boot.

    * formatted my small 60gb ssd and put windows 7 on it. i'm sure the 2tb was not touched. after windows loads up for the first time, thankfully, the 2tb does not show as present.

    * went to put veracrypt on my new windows 7 install. had issues with veracrypt (and later truecrypt) giving an error about, "Windows is not installed on the drive from which it boots" and thus they would fail the preencryption test. I wish I understood the warning for what it was.

    went here and read up. http://shiftkeysoftware.wordpress.c...t-installed-on-the-drive-from-which-it-boots/

    * i ran cmd as admin and gave the command: bcdboot c:\windows /s c:

    * (reboot)

    * went into disc management and marked c: as active

    * (reboot)

    * uninstalled truecrypt and veracrypt. reinstalled veracrypt. veracrypt now gives error about previous veracrypt boot loader present, even though truecrypt was uninstalled and veracrypt was freshly installed.

    * reboot, and i'm met with a truecrypt password screen. oh ****. i try the new password i've been working with and it denies me. i then hit escape and windows loads.

    * from there i notice in windows explorer there's a new 2tb drive, empty, that's NTFS formatted. **ever feel your blood run cold?**

    * read up here: http://webcache.googleusercontent.com/search?q=cache:UtPGs3O9tiAJ:www.wilderssecurity.com/threads/accidently-overwrote-truecrypt-mbr-need-to-recover-data.349881/ &cd=4&hl=en&ct=clnk&gl=us

    * looked back in my logs, i installed the 2tb drive in question oct 2013. i have no specific truecrypt rescue disc for it as it was just a commonly mounted secondary data drive.

    * booted to my newer truecrypt rescue disc and selected option 3, restore key data. i hit yes for modifying the drive.

    * i am booted into parted magic now, the drive will not mount with the copy of truecrypt on here and gives wrong password message no matter how I try and mount it.

    * (I do have a clone of the original OS/60gb SSD -- the 2tb was shared by both win 7 and linux -- on an old drive. not sure if i could load it up and repair the volume on that)

    * 2tb drive with possible lost data currently shows boot, system volume information, $recycle.bin typical blank drive NTFS hidden directories. it had an encrypted NTFS file system via truecrypt.

    any ideas? i just went through a failure of an older 2tb drive, so of course all my data is sitting on this new 2tb drive while i wait for a replacement from WD.

    i'd prefer to repair and mount it as an encrypted volume, but i guess i might have to decrypt the entire drive (if the rescue disc will work) and recover it manually.

    i'm heartbroken. i have a lifetime of photos, music, documents, etc. on it.

    lessons re-learned:

    * avoid multiple complicated projects at the same time

    * disconnect the power and/or data cable of a hdd you absolutely don't want to touch. i've told this to people for years and didn't follow my own advice.

    * don't do complicated stuff when tired

    * listen to warning signs.

    ________________________________________________________

    EDIT/UPDATES:

    * I was able to boot the clone of the 60gb ssd (windows 7 & linux dual boot, two partitions).

    * on the cloned 60gb ssd, the windows 7 partition would not boot after the truecrypt password was entered. which was certainly odd as i booted to both OSes from the clone before I disconnected and stored the drive.

    * i was able to get into the linux portion of the 60gb ssd clone. i started truecrypt and attempted to mount the drive. same issue.

* while booted to the 60gb ssd clone, i selected the 2tb volume in truecrypt and told it to restore the volume header from a backup embedded in the volume. it asked for the password, i entered it and it finished, saying it had restored the volume header. i got a little excited, but now I get a system error in linux when trying to mount the drive with truecrypt: "mount: you must specify the filesystem type"

    * in the terminal: sudo truecrypt /dev/sdb1 --filesystem=ntfs
    gives error of "incorrect password or not a truecrypt volume"

* An update: http://i.imgur.com/GQeGVgm.jpg back in the new windows 7 os on the 60gb ssd, it will mount if I do not select the system encryption option, but shows as raw and offers to format. (of course, i didn't choose yes to format! ;)) Not sure if my previous attempt to repair the drive in linux helped or not. Hopefully it didn't hurt.
     
    Last edited: Jan 11, 2015
  2. breathe87
    if I do need to completely decrypt the drive and try a basic data recovery, possibly after using the latest rescue CD, does it have to be done with it?

    or, can i do the same procedure in something like parted magic from the main truecrypt GUI in efforts to speed up the process? i've heard it's really, really slow via the rescue disc.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I am sorry but I only have a few minutes to donate here today. You mentioned that your 2TB external is data only making it a non-system disk? The main question for starting with is whether or not you encrypted this 2TB independently such as a device based volume - OR - was it encrypted doing "whole disk" with TC at the same time you encrypted the C drive (system disk)?

    I am going to springboard from the larger possibility that you encrypted the 2TB as its own volume (independent of any system disk), which is the better way to go operational wise. If that is the case then I must inform you that there is NO way to decrypt a non-system disk with TrueCrypt. That option is only available for a system disk/whole disk encryption scheme. Your rescue disk is of no value if my assumption is correct, because that personal data applies only to the system disk header from which it was created.

    However; if you were prepared and created a TC backup volume header for the 2TB that may be invaluable to you. A TC backup volume header would only be 128K in size but has all the header key info you need to restore access, if the header keys are the issue. Do you have a volume header backup for this volume?
     
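The first post's symptom (the start of the volume now reads as a freshly formatted NTFS filesystem, yet TrueCrypt could still restore a header from the backup embedded in the volume) and Palancar's point about the backup header rest on the same layout fact: a TrueCrypt volume keeps its standard and hidden headers in the first 128 KiB and backup copies of both in the last 128 KiB. The script below is an added example, not code from this thread or from TrueCrypt. It classifies each of the four 512-byte header sectors as NTFS boot sector, zero-filled, high-entropy (still looks encrypted) or low-entropy, and takes a raw byte copy of both header regions so they can be written back at the same offsets with dd. The 1 MiB sample image, the 7.0 bits-per-byte entropy threshold and the assumption that the quick format zeroed the first 16 KiB are constructed for the demonstration. A header restored from the backup only gets the volume mounting again; whatever the format or bcdboot wrote over in the data area stays overwritten, which is how a volume can mount after a header restore and still present as RAW or empty.

```python
# Added example (not from the thread or TrueCrypt): triage and raw-copy the header
# regions of a TrueCrypt-format volume. Offsets follow the TrueCrypt volume format:
# standard header at 0, hidden-volume header at 64 KiB, backups in the last 128 KiB.
import math
import os
import random
import sys
import tempfile
from collections import Counter

SECTOR = 512
HEADER_AREA = 64 * 1024        # each header area is 64 KiB
BACKUP_AREA = 2 * HEADER_AREA  # backup standard + hidden headers: last 128 KiB


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; encrypted sectors score close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ntfs_boot_sector(sector: bytes) -> bool:
    """An NTFS boot sector carries the OEM ID 'NTFS    ' at byte 3 and 0x55AA at byte 510."""
    return (len(sector) >= SECTOR and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xaa")


def classify_sector(sector: bytes, threshold: float = 7.0) -> str:
    """threshold is a heuristic: 512 random bytes typically score about 7.6 bits/byte."""
    if looks_like_ntfs_boot_sector(sector):
        return "ntfs-boot-sector"
    if not any(sector):
        return "zero-filled"
    return "high-entropy" if shannon_entropy(sector) >= threshold else "low-entropy"


def header_offsets(volume_size: int) -> dict:
    """Byte offsets of the four 512-byte header sectors of a volume_size-byte volume."""
    return {"primary": 0, "hidden": HEADER_AREA,
            "backup": volume_size - BACKUP_AREA,
            "hidden_backup": volume_size - HEADER_AREA}


def size_of(f) -> int:
    """Seek-to-end works for image files and, on Linux, for block devices too."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def triage(path: str) -> dict:
    """Classify each header sector of the volume image or block device at path."""
    report = {}
    with open(path, "rb") as f:
        size = size_of(f)
        for name, off in header_offsets(size).items():
            f.seek(off)
            report[name] = classify_sector(f.read(SECTOR))
    return report


def copy_header_regions(path: str, out_path: str) -> int:
    """Raw copy of the first and last 128 KiB to out_path (first half, then last half).
    This is a byte copy, not the file TrueCrypt's own Backup Volume Header writes;
    restore it by writing the halves back at offset 0 and at size - 128 KiB."""
    with open(path, "rb") as f:
        size = size_of(f)
        f.seek(0)
        head = f.read(BACKUP_AREA)
        f.seek(size - BACKUP_AREA)
        tail = f.read(BACKUP_AREA)
    with open(out_path, "wb") as out:
        out.write(head)
        out.write(tail)
    return len(head) + len(tail)


def make_demo_image(path: str, size: int = 1024 * 1024) -> None:
    """Constructed sample: random ('encrypted') bytes whose first 16 KiB were
    overwritten by an NTFS quick format; the backup headers at the end survive."""
    rng = random.Random(20150110)
    img = bytearray(rng.getrandbits(8 * size).to_bytes(size, "little"))
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"        # jump NTFS places at the start of its boot sector
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    img[0:SECTOR] = boot
    img[SECTOR:16 * 1024] = bytes(16 * 1024 - SECTOR)
    with open(path, "wb") as f:
        f.write(img)


def demo() -> dict:
    """Build the sample image, triage it and copy its header regions."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "volume.img")
    make_demo_image(img)
    report = triage(img)
    report["copied_bytes"] = copy_header_regions(img, os.path.join(workdir, "headers.bin"))
    return report


if __name__ == "__main__":
    # python3 tc_headers.py /dev/sdb1   (read-only; a raw device needs root)
    result = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, value in result.items():
        print(f"{name:14} {value}")
```

Run it with no argument for the constructed image, or point it at the real partition (not the whole disk, since the headers are relative to the volume start). The useful reading is the pair: primary "ntfs-boot-sector" with backup "high-entropy" means the backup header is still there to restore from; a low-entropy or zero-filled backup sector means the header keys are gone and only an external header backup can help.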
  4. breathe87
    Palancar, thank you so much for any time you've spared for me. I appreciate it.

    You mentioned that your 2TB external is data only making it a non-system disk?

    That's correct.

    The main question for starting with is whether or not you encrypted this 2TB independently such as a device based volume - OR - was it encrypted doing "whole disk" with TC at the same time you encrypted the C drive (system disk)?

No, not encrypted on the same day as the 60gb ssd. My logs show the 60gb ssd was formatted by win 7 on 2013-07-17. That same day I installed debian on the other half.

    then the logs for the win7 partition of the 60gb ssd show:

    17 JUL 2013: mounted 750gb drive to D and 2tb drive to E and added them to system favorites (this is my old 750 and my older 2tb, not the one i need to repair)
    13 OCT 2013: Installed Eraser http://eraser.heidi.ie/ and testing new WD2002FAEX (Serial Number XXXXXXXXXXX) hard drive for permanent installation
    13 OCT 2013: WD2002FAEX (Serial Number XXXXXXXXXXX) Passed Quick test via Western Digital Diag for windows.
    13 OCT 2013: WD2002FAEX (Serial Number XXXXXXXXXXX) Passed Extended test via Western Digital Diag for windows.
    13 OCT 2013: WD2002FAEX (Serial Number XXXXXXXXXXX) drive successfully wiped to all zeros.
    14 OCT 2013: Initialized new 2TB WD2002FAEX (Serial Number XXXXXXXXXXX) hard drive -> new simple volume -> (select size) -> "do not assign a drive letter or drive path" -> Format this volume (NTFS, Default Allocation Unit Size, no label, quick format)
    14 OCT 2013: Encrypted new 2TB WD2002FAEX (Serial Number XXXXXXXXXXX) hard drive via truecrypt.


    So, I'm not sure how the 2tb was encrypted beyond that based on the above logs. I was vague, sadly. Though, I wonder if I can boot up the 60gb SSD image I have and check truecrypt's settings/logs etc. to answer your question.

    However; if you were prepared and created a TC backup volume header for the 2TB that may be invaluable to you. A TC backup volume header would only be 128K in size but has all the header key info you need to restore access, if the header keys are the issue. Do you have a volume header backup for this volume?

    No intentional backup. Just the rescue disc, which doesn't seem to apply...and of course anything on the 60gb SSD image containing windows 7 and linux, which both shared the drive i'm trying to repair. First I tried to restore the header with the newest recovery disc, no dice. I then, had an AH-HA moment and booted up the 60gb image, into linux, started truecrypt and tried to do the second repair of the header from it and told it to use the copy on the disc itself. I actually had two western digital 2tb drives (see above log for more info), so I could have possibly done the repair directed at the wrong drive, but maybe truecrypt would have thrown an error. this is all new to me. I bet I can find the UUID of both drives somehow, through the command line, but matching it to the correct 2tb may be tricky. I guess it wouldn't hurt to try to restore the header from both 2tb, would it? (one 2tb is the one i'm trying to crack, the other 2tb just went out.)

    I restored the header and truecrypt says it was completed. Who knows though If I did it correctly. I could mount the drive afterwards in my current 60gb ssd new win 7 install, but now it shows as RAW, AES encrypted (http://i.imgur.com/GQeGVgm.jpg) (also mentioned in the updates section of my first post).

    I tried to mount it in linux and it just says I need to specify file system type, which is bad news.

    I've also posted this to reddit:
    http://www.reddit.com/r/TrueCrypt/comments/2ry7af/possible_lost_data_drive_now_shows_as_ntfs/
    http://www.reddit.com/r/techsupport/comments/2rzfhc/truecrypt_veracrypt_new_win_7_install_possible/

    But I will post updates at each place.

    I know this is really complicated in some ways, and I appreciate any help people give.
     
    Last edited: Jan 11, 2015
  5. breathe87
    To clarify:

    I can access the original OS(es) to which the drive in question would commonly be mounted to. On the day I caused the issue, In the windows 7 command prompt, I overwrote a new bootloader/files to my 2tb encrypted drive (this was not the OS or encrypted "system" drive) with the bcdboot c:\windows /s c: command. I remember that back when I first encrypted any new non OS drive, I would commonly point truecrypt to the device itself, rather than a partition. Of course, truecrypt always gave a warning so I cancelled that. So, I think I always went with a NTFS quick format of the maximum sized partition possible, then pointed truecrypt to that new NTFS partition. I hope that explains just what type of drive encryption I was using.

    update/bump:

    24 JAN 2015: was able to clone the 2tb with broken encryption to an image on a new 3tb drive

    25 JAN 2015: tried again to restore the header via truecrypt, this time in win7 (instead of #!), but it still mounts with nothing helpful as the result.

    25 JAN 2015: ran testcrypt and found two headers on the disc, they seem to be identical. mounting either seems to provide no help. (i do remember though that when i boot to windows, occasionally the drive is shown as empty raw, unformatted space) but it seems mounting the drive manually with truecrypt or testcrypt results in something a bit different.

    25 JAN 2015: mounted the drive as f: and i am currently scanning it with r-studio data recovery software. may also want to try getdataback, testdisk and Active@.

    26 JAN 2015: drive finished scan and shows a lot of different blocks of data, only one seems legit, a 1.8TB NTFS block. The process to get here takes about 5 hours to scan the drive. When done, I try to browse the 1.8TB NTFS block and r-studio locks up and freezes. Need to try another version. The list of blocks is saved to a usb flash drive as a r-studio file. But, I just tried to overwrite/repair the header again in truecrypt (via linux) so hopefully the r-studio file is still good. Using the file saves about 5 hours!

    R-Studio / TestCrypt / Truecrypt Screenshot
    http://i.imgur.com/ezdIW2u.jpg



    R-Studio with one promising partition
    http://i.imgur.com/SL90JHI.jpg
     
    Last edited: Jan 28, 2015
  6. breathe87
    More updates:
    I don't think mounting the volume and pointing a data recovery program at it is going to work. All of them seem to find nothing, though, I'm not sure if I pointed getdataback at the bare drive or the mounted volume.

    Here are some WinHex shots of the drive:

    winhex (strange non random data later on in drive):
    https://farm8.staticflickr.com/7417/16414627086_b495fb2bc6_b.jpg


    winhex (strange non random data later on in drive .. ending - maybe):

    https://farm9.staticflickr.com/8581/16253831897_a3059ec406_b.jpg


    winhex (strange non random data later on in drive part 2 begin):

    https://farm8.staticflickr.com/7391/16438797242_f1eb361ac4_b.jpg

    winhex (strange non random data later on in drive part 2 continued)
    :
    https://farm8.staticflickr.com/7431/16253831257_7a8b9e5b15_b.jpg


    winhex (strange non random data later on in drive part 2 contd .. boot)
    :
    https://farm8.staticflickr.com/7294/16439744435_5df5794d28_b.jpg

    winhex (start of more random data 01):
    https://farm8.staticflickr.com/7423/16254351549_bbcb39ee73_b.jpg

    winhex (end of random main block of data):
    https://farm8.staticflickr.com/7294/16254694657_256038be97_b.jpg

    sector 243201:
    https://farm8.staticflickr.com/7352/16253195010_feff4e5a8a_b.jpg
     
    Last edited: Feb 4, 2015
  7. breathe87
    I am SLOWLY recovering files! (about 10GB per 60min @ SATA III, i7-2600k at 4.6ghz, 8gb ram)

    But, the file structure for now is appearing to be broken a bit but r-studio is still just getting started. Directories like "$$$Folder00127" are now appearing in the destination 3tb drive I purchased for the recovery.

    I need to re-try it though, as I should recover drives to the root of the 3tb drive and not put them in a directory. I have a decent amount of 255 characters or longer paths on the drive I'm trying to recover and I should retry. (They often get made when I'm using linux or something like roadkil's unstoppable copier in windows)

    As such, should I be trying something outside of windows to do the recovery?

    more from my log:


3 FEB 2015: opened drive in winhex to keep looking at it. find blocks of likely encrypted data and also blocks of repeating symbols and plain text. i have a feeling the header was restored but due to the large block of possibly overwritten data (the win 7 boot files) I may need to copy the random data with a hex editor to the 3tb drive.

3 FEB 2015: deleted image of 2tb drive on 3tb drive in order to have space for a possible copy. remember to run winhex in read-only mode!

    4 FEB 2015: having testdisk look at the drive. mounted volume to d with truecrypt, ran testdisk as admin. then:
    1. append log file. 2. selected drive D. 3. [none] for partition type. 4. analyze 5. enter / quick search

    5 FEB 2015: testdisk never got to 1% in 6.5hrs. May need to try different settings. Also tried to copy block of random data from 12D000 to 1D1C1115FFF as a file of "12d000 to 1d1c1115fff.tc" in winhex. Volume would not mount to a drive letter even if I checked "use backup headers". Got the "incorrect password or not a truecrypt volume" message. Need to try and read more and may need to copy the block at different starting and ending points. The end did have a lot of empty space in it!

    6 FEB 2015: installed older version of r-studio (R-Studio 6.3). Mounted TC partition as read only (no other options checked) with TC. (more info: http://www.r-tt.com/Articles/Data_Recovery_from_File-Containers_and_Encrypted_Disks/ ). (other ideas: 1. Also have option to try just the bare volume without the drive letter / volume being mounted next, though, it will probably not be as promising. 2: have winhex look at mounted volume instead of bare device)

    6 FEB 2015: Instead of using (or letting) TC to mount the disk, I'm going to try testcrypt: 1. dismounted drive/volume from D using truecrypt (TC). 2: using testcrypt in automatic mode to look at the 2tb drive. 3: using "backup header" to mount volume in testcrypt. 4: having r-studio look at test crypt mounted volume overnight. -> SUCCESS! R-Studio is pulling some files out, like images, that I know I had. They are opening and displaying and they don't appear to be corrupted. Text files, and PDFs are also coming out and are working!

    6 FEB 2015: I started to get some errors on a long (~255+ characters path) files from the 2tb drive. Plus, the recovery will take quite some time. So, I encrypted the destination 3tb "drive" as well: I tried to wipe the small amount of files copied so far (2.6gb) but "file shredder" probably did not work. Thankfully, I could not see anything sensitive had been written so far. So, I used truecrypt to quick format and encrypt the NTFS partition instead on the 3tb drive. Now r-studio is recovering the files to the new encrypted 3tb volume at 11:55pm.

    6 FEB 2015: r-studio has pulled out ~36gb in 3h 30min (both drives are running as SATA III). the files are coming back and thankfully all the SHA1 checksum files in a lot of directories are showing the files are perfect after r-studio has recovered them. WIN!
     
    Last edited: Feb 6, 2015
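The SHA1 checksum files mentioned in the 6 FEB 2015 entry are the strongest evidence that a recovered file is byte-for-byte intact, and they are worth checking across the whole recovered tree rather than by eye. The script below is an added example, not code from this thread or from R-Studio. It assumes the checksum files are in GNU sha1sum format (`<40 hex digits>  <name>`, or `<hex> *<name>` for binary mode) with names relative to the checksum file's own directory and a `.sha1` extension; both are assumptions, since the post does not say how they were produced. It walks the tree and reports ok, mismatch and missing counts. On Windows it opens files through the `\\?\` prefix so that paths over 260 characters, which the post says produced errors, can still be read. The sample tree it builds in a temp directory is constructed.

```python
# Added example (not from the thread or R-Studio): verify recovered files against
# sha1sum-format checksum files found anywhere in the recovered tree.
import hashlib
import os
import tempfile

CHECKSUM_SUFFIXES = (".sha1",)   # assumption: checksum files carry this extension
HEX = set("0123456789abcdef")


def long_path(path: str) -> str:
    """Windows caps ordinary paths at 260 chars; the \\?\ prefix lifts that for absolute paths."""
    if os.name == "nt" and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path


def parse_sha1sum(path: str) -> list:
    """Lines look like '<40 hex>  <name>' or '<40 hex> *<name>' (binary mode)."""
    entries = []
    with open(long_path(path), "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            digest, sep, name = line.rstrip("\r\n").partition(" ")
            digest = digest.lower()
            if not sep or len(digest) != 40 or not set(digest) <= HEX:
                continue                 # blank, comment or malformed line
            if name.startswith(" ") or name.startswith("*"):
                name = name[1:]          # text mode: two spaces; binary mode: ' *'
            entries.append((digest, name))
    return entries


def sha1_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB recoveries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(long_path(path), "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root: str) -> tuple:
    """Return ({'ok','mismatch','missing','checksum_files'}, [(status, path), ...])."""
    summary = {"ok": 0, "mismatch": 0, "missing": 0, "checksum_files": 0}
    failures = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(CHECKSUM_SUFFIXES):
                continue
            summary["checksum_files"] += 1
            for digest, name in parse_sha1sum(os.path.join(dirpath, fn)):
                target = os.path.join(dirpath, name)   # names are relative to the checksum file
                if not os.path.isfile(long_path(target)):
                    summary["missing"] += 1
                    failures.append(("missing", target))
                elif sha1_of(target) == digest:
                    summary["ok"] += 1
                else:
                    summary["mismatch"] += 1
                    failures.append(("mismatch", target))
    return summary, failures


def demo() -> tuple:
    """Constructed sample: one intact file, one whose recovered content differs, one missing."""
    root = tempfile.mkdtemp()
    photos = os.path.join(root, "photos")
    os.makedirs(photos)
    good = os.path.join(photos, "good.jpg")
    damaged = os.path.join(photos, "damaged.txt")
    with open(good, "wb") as f:
        f.write(b"constructed image bytes")
    with open(damaged, "wb") as f:
        f.write(b"original text")
    with open(os.path.join(photos, "checksums.sha1"), "w") as f:
        f.write(f"{sha1_of(good)}  good.jpg\n")
        f.write(f"{sha1_of(damaged)} *damaged.txt\n")
        f.write(f"{'0' * 40}  missing.pdf\n")
    with open(damaged, "wb") as f:
        f.write(b"recovered garbage")   # simulate a file that came back corrupted
    return verify_tree(root)


if __name__ == "__main__":
    # python3 verify_recovered.py   (swap demo() for verify_tree(r"F:\recovered") on a real run)
    summary, failures = demo()
    print(summary)
    for status, path in failures:
        print(status, path)
```

The mismatch list is the one to act on: those files are the candidates for a second recovery pass or for replacement from an older copy, while files with no checksum at all are simply not covered and should not be counted as verified.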
  8. breathe87
    as an update, I'm nearly done it seems. currently at 1.7tb off of a 2000gb drive. I can't remember how full it was, but I recently freed up a lot of space before the issue.

    r-studio rocks! it's currently rebuilding the structure for me basically. it's currently either making directories like "$$$Folder00127" and then it seems to be moving the files back to the proper structure/tree when it's done with that section. NICE! having the data back is obviously the most important part, but still, it would take me a long time to put everything back where it belongs if r-studio wasn't doing it for me!

    i'll post more updates if anything fresh comes up!
     
  9. breathe87
    well, i had to stop the r-studio's recovery before it showed itself as completed. last night it seemed hung up and the current used space was 1.7tb. r-studio just began to fill up the hard drive with large text, .gz and other files with garbage in them. this morning, the total used space on my new 3tb drive is 2.24TB when i was recovering from a 2000gb drive! Obviously, something has gone a bit wrong. Thankfully, everything seems to be there! I just have to piece it back together a bit.

    Consider this issue resolved!
     
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,290
    Location:
    England
    Nice to hear you managed to get all your stuff back :thumb:
     
  11. breathe87
Thank you! Besides the 1gb .m3u files (yeah, who knows!) and other trash, r-studio really saved my bacon!

    I still have a long road ahead as I need to merge the recovered data with an older 2tb and 750gb drive using roadkil's unstoppable copier after fixing the directory tree. But still, this turned out better than I expected!

    I hope I've provided enough details for others to follow along should the need arise!
     
  12. stapp
An often overlooked piece of software. Even works on badly scratched DVDs!!
     