TrueCrypt volume corrupted/non-accessible

Discussion in 'encryption problems' started by rsteed, Dec 1, 2012.

Thread Status:
Not open for further replies.
  1. rsteed

    rsteed Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    8
    Location:
    United States
    Greetings all, first-time poster here. My issue is this:

    I have an encrypted flash HD that was set up using TrueCrypt. Today, as I was trying to access it, it told me the header was corrupted and told me to repair it. Sadly, it is 500gb and I am not able to back up all the data in another place, so I had to go ahead and have TC repair the header using backup stored on the HD.

    TC said it successfully repaired the header, but now when I try to access the volume this happens:

    1) I CAN successfully mount it, it accepts the password, and lists itself as \Device\Harddisk1\Partition0

    2) After mounting, when I try to access the volume it says "(drive letter) is not accessible. The volume does not contain a recognized file system."

    This HD contains the backup from my at-home recording studio and I would very much love to get it back. I've never had to recover a partition before (if it's even possible to recover all the data) but I'm rather adept with computers and certainly capable of understanding and following any advice someone might be able to offer.
     
  2. rsteed

    rsteed Registered Member

    I have Testdisk and Photorec, and if there's any other information needed to help diagnose a solution, please let me know.
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    992
    Location:
    Hawaii
    Was this always the case, or did it used to be Partition1 back when you could access your data?
     
  4. rsteed

    rsteed Registered Member

    I'm fairly sure it used to be partition1
     
  5. rsteed

    rsteed Registered Member

    Test Disk analysis yields the message

    "Partition sector doesn't have the endmark 0xAA55"
     
  6. dantz

    dantz Registered Member

    Read the related thread https://www.wilderssecurity.com/showthread.php?t=336671 to get an idea of where things may be headed and then try this:

    Mount your volume (as it is now) and then try viewing its contents by opening the appropriate Logical Disk in WinHex (as described in the referenced thread, Post #6, Part 3, beginning at Step 3. Stop at the end of Part 3). We want to know whether or not your volume is decrypting. If you find non-random data then it is (and this would show that your TrueCrypt header is in the right location and that you must have encrypted the entire device), but more likely you won't find anything but a huge block of totally random (still encrypted) data, which would imply that you most likely had an encrypted partition and then somehow you lost it. (We've been seeing a lot of that lately, for some reason).

    Post the outcome and we'll try to go from there. What's your OS, by the way?
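
    The two checks that come up in posts 5 and 6 (the 0xAA55 endmark TestDisk looks for, and whether the mounted volume shows non-random data) can be scripted. This is an added example, not part of the thread and not how WinHex or TestDisk work internally; the 64 KiB chunk size, the 7.9 threshold and both sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
CHUNK = 64 * 1024  # assumption: one 512-byte sector is too small for a stable estimate

def has_endmark(sector0: bytes) -> bool:
    """Boot-sector signature TestDisk calls 0xAA55: bytes 55 AA at offset 510."""
    return len(sector0) >= SECTOR and sector0[510:512] == b"\x55\xaa"

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for random-looking data."""
    n = len(block)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(block).values())

def assess(view: bytes, threshold: float = 7.9) -> dict:
    """Classify the first bytes read from a mounted volume (threshold is an assumption)."""
    scores = [round(entropy(view[i:i + CHUNK]), 3)
              for i in range(0, len(view) - CHUNK + 1, CHUNK)]
    if not scores:
        verdict = "insufficient data"
    elif all(s >= threshold for s in scores):
        verdict = "still encrypted"      # nothing but random data
    else:
        verdict = "decrypting"           # non-random structure is visible
    return {"endmark": has_endmark(view[:SECTOR]), "entropy": scores, "verdict": verdict}

# Constructed sample: a boot sector with an OEM ID and endmark, then empty space.
boot = bytearray(SECTOR)
boot[0:11] = b"\xeb\x52\x90NTFS    "
boot[510:512] = b"\x55\xaa"
decrypted = bytes(boot) + bytes(2 * CHUNK - SECTOR)

# Constructed sample: a SHA-256 counter stream standing in for ciphertext.
random_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(2 * CHUNK // 32))

if __name__ == "__main__":
    for name, data in (("decrypted", decrypted), ("random_like", random_like)):
        print(name, assess(data))
```

    Compressed or media files inside a correctly decrypted volume also score high, so the check is only meaningful on the first chunks of the volume, where file-system structures sit.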
     
  7. rsteed

    rsteed Registered Member

    My OS is Win7 Home Premium 64bit.

    To the best of my knowledge, the entire device should either be encrypted, or contain only one massive encrypted partition spanning all available space on the HD.

    I followed the steps and got the following results:

    1) Size of lost partition = 500072972288 bytes

    2) Mounted the test volume in TC, then opened in WinHex, got this message

    Cannot read from Sector 134...59,642 of Drive G:.
    Cannot read from Sector 119,264...119,391 of Drive G:.
    Drive G: Invalid, corrupt or simply unexpected directory entry found at offset 61063168.
    Notices about directly following invalid entries have been suppressed.
    Notices about invalid directory entries are no longer displayed.

    3) I continued on with the instructions, and in Step 3 (Trying to see if the data is decrypting) I got the error found in the attached jpeg image (winhextestsector)
     


  8. dantz

    dantz Registered Member

    Hmmm, this is not quite what I asked you to do, but ok, I guess we can just go from here. (I had actually asked you to begin at Part 3, Step 3, but apparently you did more than that.)

    Whatever you have displayed here is obviously unencrypted, so if this screenshot represents a mounted test sample of the beginning of your lost TrueCrypt partition then things are looking good.

    So what are we looking at? Is this a mounted test file that you created using WinHex, and did you copy it from the disk by starting at decimal offset 1048576?
     
  9. rsteed

    rsteed Registered Member

    Yes, this is a mounted test partition created in WinHex, the block used is from 1048576 to 1248576 (using trial version of WinHex, so it's gotta be 200kb).
     
  10. dantz

    dantz Registered Member

    Well then, good news. Your lost partition is apparently just sitting there in free space and its TrueCrypt header is intact. All you have to do is recover it. I wish I could offer you a better technique for doing so, but as you saw in the other thread, my current recovery method is fairly crude. Let me think it over and see if I can come up with a method that won't overwrite the encryption header.

    In the meantime I suggest you do NOT delete the test file that you created, as it contains a very important backup copy of your TrueCrypt header. Also, I suggest you use TrueCrypt to back up the test file's headers, just in case they're needed during the recovery. This is all pretty much going the same way as the other thread, the only difference being that I'm trying to find a more elegant way to recover your volume. Please give me a couple of days if you can.

    If you can't wait and you don't mind taking the extra risk of having your encryption headers wiped and then restoring them from your backup then you could try following the same procedure I outlined in the other thread. However, it makes me kind of nervous that you don't have a backup and you say you can't even create one. If your data is important then you really ought to make a complete sector-by-sector backup before proceeding, because one bad screwup could lock you out permanently.
     
  11. rsteed

    rsteed Registered Member

    I'm in no rush, as the data is worth the wait for me. I very much appreciate the help.
     
  12. dantz

    dantz Registered Member

    I have so far been unable to find a tool that is both safe and easy to use, and which can safely restore your lost boot sector and recreate your lost partition table exactly as it was. I can't devote any more time to the search right now, as I have other work to do, but I will get back to it in the future.

    Thus, the most sensible approach that I can recommend would be to make a complete sector-by-sector clone of the disk and then attempt to recover your data from the clone.

    After cloning the disk, the simplest technique that seems to work (although not perfectly) would be merely to follow my instructions in the other thread; i.e. use Windows 7's Disk Management to initialize the disk and then create (but not format) a new maximally-sized (default size) partition, and then open TrueCrypt and use it to restore the partition's header from a backup header that was created from the test file that you created previously.

    If you want to try following the above steps without having a backup in place or using a clone, that's up to you. It will probably work, but I can't guarantee anything, especially since I haven't seen your disk or your setup and I may be unaware of other factors that might make a difference. For example, for all I know Disk Management might decide to use different partition boundaries based on the size & type of your disk etc.

    The problem with the Windows Disk Management solution is that even when it works, it tends to overwrite the perfectly good TrueCrypt header that's already on the disk. It may also be inaccurate, as I've noticed that when you use Disk Management to create a partition it normally leaves some unpartitionable space at the end of the disk, and yet many users (you included) seem to have partitions that extend clear to the ends of your disks with no wasted space. I'm still looking into this and I can't really recommend anything until I get completely clear on why it's happening and how to deal with it. Unfortunately, I don't have a wide-enough range of hardware to test all of the scenarios, i.e. different versions of Windows, different partitioning schemes, etc.

    An alternate and reasonably safe approach, if you are able to purchase a registered copy of WinHex and obtain a large enough backup drive, would be to use WinHex to save your entire lost partition as a file. Basically, you go through the same steps that you did to create the test file, but you extend the block selection all the way to the end of the disk and then block-save practically the entire disk as one humongous file. According to smaller-scale testing I have done, TrueCrypt will be able to mount the volume that is stored within the file, and it will be complete and will function normally. (To mount it, you merely "Select File" instead of "Select Device".)

    With either solution, after obtaining access to your volume you should immediately copy your important data to a backup drive.

    Sorry I can't be of more help. If I come up with a better solution one day I'll let you know, but in the meantime I have to admit that I don't fully understand the situation and thus I don't want to take unnecessary risks with your data. Yes, it worked for the last guy that we tried it on, and it's worked many times in the past, but I can't keep on recommending it with a good conscience when I consider the known flaws as well as the various things that could go wrong.

    As I stated earlier, my best advice is for you to obtain a backup drive, clone your drive onto it, and then use the Windows Disk Management technique on the clone. Good luck!
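
    The "save the lost partition as a file" approach from post 12 amounts to a read-only copy of everything from decimal offset 1048576 onward into a new file. The sketch below is an added example, not part of the thread and not WinHex's procedure; it assumes the source is an image file of the cloned disk, and the `carve` and `demo` names, the buffer size and the sample image are all constructed here.

```python
import hashlib
import os
import tempfile

PARTITION_OFFSET = 1048576   # decimal start offset used in the thread
CHUNK = 4 * 1024 * 1024      # copy buffer size (assumption)

def carve(src_path, dst_path, offset=PARTITION_OFFSET, length=None):
    """Copy src[offset:offset+length] into a new file; the source is opened read-only.

    length=None copies to the end of the source. Returns (bytes_copied, sha256_hex).
    """
    size = os.path.getsize(src_path)
    if offset >= size:
        raise ValueError("offset lies beyond the end of the source")
    remaining = size - offset if length is None else min(length, size - offset)
    digest, copied = hashlib.sha256(), 0
    # "xb" refuses to overwrite an existing file, such as an earlier test file.
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        src.seek(offset)
        while remaining > 0:
            buf = src.read(min(CHUNK, remaining))
            if not buf:          # short read: stop instead of padding silently
                break
            dst.write(buf)
            digest.update(buf)
            copied += len(buf)
            remaining -= len(buf)
    return copied, digest.hexdigest()

def demo():
    """Constructed stand-in for a cloned disk: 1 MiB of zeros, then 256 KiB of 'volume'."""
    volume = hashlib.sha256(b"constructed sample").digest() * 8192
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "clone.img")
        with open(image, "wb") as f:
            f.write(bytes(PARTITION_OFFSET) + volume)
        whole = carve(image, os.path.join(tmp, "volume.tc"))
        # Same block as the thread's test file: 1048576 to 1248576.
        test = carve(image, os.path.join(tmp, "test.tc"), length=200000)
    return whole, test, volume

if __name__ == "__main__":
    whole, test, _ = demo()
    print("whole volume:", whole)
    print("test block:  ", test)
```

    Comparing the returned SHA-256 with a hash of the output file confirms the copy before the file is mounted with "Select File".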
     
  13. rsteed

    rsteed Registered Member

    I chanced it and followed your guide from the other post and it worked!

    Fantastic advice mate, thanks a million!
     