TrueCrypt volume mounts but doesn't decrypt any data

Discussion in 'encryption problems' started by pbellchambers, May 28, 2014.

Thread Status:
Not open for further replies.
  1. pbellchambers

    pbellchambers, Registered Member. Joined: May 28, 2014. Posts: 2

    Hi,

    I think I've totally screwed my data. I can't mount my TrueCrypt partition normally, but I *can* mount it successfully using the embedded volume header backup; however, no data seems to be decrypted (viewing it in WinHex just shows random data throughout).

    So the background is I had Windows running on an SSD, and then 2 hard drives in a RAID 1 array (i.e. data mirrored between the two drives) that were encrypted with TrueCrypt.

    The problem happened when my computer blue screened and then wouldn't boot from the main SSD; the drive completely died, no longer detected in BIOS etc. So mistake 1 then happened: I used the Windows DVD to attempt to recover the main drive and restore the MBR, not realising the drive wasn't being detected, so I have a feeling it may have done something to my TrueCrypt drive (these were still connected) when it said it was attempting recovery.

    Mistake 2: I then bought a new SSD and reinstalled Windows, but still had the TrueCrypt encrypted hard drives connected. I guess Windows will have attempted to "fix" them again automatically here?

    After I eventually got into Windows again on my new SSD, that's where I discovered the problem with my TrueCrypt drive. As mentioned above, I can't mount it normally; I receive the error: "Incorrect password or not a TrueCrypt volume". But I can mount successfully with the embedded volume header backup. It's just that no data shows up, and as far as I can tell WinHex also shows nothing was decrypted.

    Is there any hope? What are my next steps?


    EDIT: Some additional info and screenshots...
    Data at the very start of the drive: https://i.imgur.com/0qRaxBT.png
    Seemingly encrypted data both before and after the start of the partition: https://i.imgur.com/rRFv53K.png
    The end of the partition (I guess the embedded volume key comes from here?): https://i.imgur.com/cODfqjx.png
    TrueCrypt volume properties: https://i.imgur.com/3QtIcUl.png

    Doing some math, if I take the end point of the partition: 1900409782272
    Subtract the TrueCrypt volume size and TrueCrypt headers: 1900409782272 - 1900408471552 - 262144 = 1048576

    This matches the start of the partition, so I guess the partition is in the correct place?

    Why would I be able to mount it with the embedded volume key but not decrypt anything then? :(
     
    Last edited: May 28, 2014
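The offset arithmetic in the post above, generalised into a layout check. This is an added example, not part of the original thread; it assumes TrueCrypt's documented volume layout (a 128 KiB header group at each end, made of two 64 KiB slots), treats the partition end as an exclusive byte offset, assumes 512-byte sectors, and uses hypothetical function names.

```python
# Added example (not from the thread). Assumes the layout in TrueCrypt's
# volume format specification: a 128 KiB header group at each end of the
# volume (64 KiB volume-header slot + 64 KiB hidden-volume-header slot).
HEADER_SLOT = 64 * 1024
HEADER_GROUP = 2 * HEADER_SLOT


def infer_partition_start(part_end, data_size):
    """Start offset implied by the partition end and the size TrueCrypt reports."""
    return part_end - data_size - 2 * HEADER_GROUP


def truecrypt_layout(part_start, part_end):
    """Absolute byte offsets of each region; part_end is exclusive (assumption)."""
    length = part_end - part_start
    if length <= 2 * HEADER_GROUP:
        raise ValueError("partition too small to hold a TrueCrypt volume")
    return {
        "primary_header": part_start,
        "hidden_header": part_start + HEADER_SLOT,
        "data_start": part_start + HEADER_GROUP,
        "data_size": length - 2 * HEADER_GROUP,
        "backup_header": part_end - HEADER_GROUP,
        "backup_hidden_header": part_end - HEADER_SLOT,
    }


def check_partition(table_start, part_end, data_size, sector=512):
    """Compare the partition table's start with the one the volume size implies."""
    implied = infer_partition_start(part_end, data_size)
    return {
        "implied_start": implied,
        "shift_bytes": table_start - implied,  # 0 means the table entry agrees
        "sector_aligned": implied % sector == 0,
        "layout": truecrypt_layout(implied, part_end),
    }


if __name__ == "__main__":
    # Figures quoted in the post above
    result = check_partition(1048576, 1900409782272, 1900408471552)
    print("implied start:", result["implied_start"], "shift:", result["shift_bytes"])
    for name, value in result["layout"].items():
        print(f"{name:22} {value}")
```

A non-zero `shift_bytes` would mean the partition table entry no longer starts where the volume's reported size says it should.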
  2. pbellchambers

    This is solved...

    I left PhotoRec running for a while and it did find some stuff! :) So it looks like it is decrypting data, but nothing anywhere near the start of the partition. I guess it's possible perhaps that there wasn't actually any data at the start of the partition; the drive was 2TB but only about 30% used. I guess I'll look into TestDisk for recovering the actual file structure, but at least I can see some files and data. :)
     