Truecrypt volume mounts, but possible damaged sectors on USB flash?

Discussion in 'encryption problems' started by Josh120, Mar 22, 2017.

  1. Josh120

    Josh120 Registered Member

    Joined: Mar 21, 2017 | Posts: 1 | Location: USA
    OK, so I'm holding out hope that I can still recover the files from this flash drive. Here's my situation:

    Created a Truecrypt volume as a USB device, that is, to mount it I would choose "select device", choose the flash drive, and enter the password. This worked well for some time, until this started happening:

    Select device, OK. Enter password, OK. Seems to work, mounts with a new drive letter, shows up in Windows Explorer. However, if I try to open it to view the files, the drive dismounts immediately. Truecrypt shows the message: "WARNING: TRUECRYPT volume auto-dismounted Before you physically remove or turn off a device containing a mounted volume, you should always dismount the volume in TrueCrypt first. Unexpected spontaneous dismount is usually caused by an intermittently failing cable, drive (enclosure) etc."

    I had pretty much given up. After a long hiatus I plugged the drive back in, and it's working the exact same way, but I tried one little thing that gave me hope. I tried mounting it again, this time with the read-only option enabled, and I got a bit farther. It mounts and shows up in Explorer, showing the correct capacity/free space of the volume. I can briefly see my folders and files, but it dismounts again before I can do anything. I can recreate this in read-only mode every time. I right-clicked the mounted volume in Truecrypt and ran CHKDSK on it:

    Checking the file system on the TrueCrypt volume mounted as Q:...
    The type of the file system is NTFS.
    The volume is in use by another process. Chkdsk
    might report errors when no corruption is present.
    WARNING! F parameter not specified.
    Running CHKDSK in read-only mode.
    CHKDSK is verifying files (stage 1 of 3)...
    0 percent complete. (0 of 44800 file records processed)
    Attribute record (48, "") from file record segment 158
    is corrupt.
    Attribute record (48, "") from file record segment 158
    is corrupt.
    Attribute record (64, "") from file record segment 158
    is corrupt.
    File record segment 1661 is corrupt.
    1 percent complete. (7681 of 44800 file records processed)
    Errors found. CHKDSK cannot continue in read-only mode.
    Press any key to continue . . .

    Having gotten that far, I wanted to try running CHKDSK without read-only enabled so it could try to fix things. But, I decided to attempt making a sector-by-sector copy of the flash drive before continuing. I tried a couple of different tools with mediocre results. Acronis TrueImage 2017's clone option won't see either the flash drive or the Truecrypt volume after it's been mounted, even when visible in Windows Explorer. Here's a log from HDD Raw Copy Tool 1.10:

    3/21/2017 9:25:14 PM Source: [12] PNY USB 2.0 FD 8191 [16.23 GB]
    3/21/2017 9:25:14 PM Target: [11] SanDisk SanDisk Ultra PMAP [31.62 GB]
    3/21/2017 9:25:28 PM Locking device...
    3/21/2017 9:25:28 PM Copying...
    3/21/2017 9:25:37 PM Read Error occurred at offset 8,323,072; LBA 16,256 (The system cannot find the file specified)
    3/21/2017 9:25:37 PM Source was unplugged, aborting...
    3/21/2017 9:25:37 PM Average speed: 2.1 MB/s
    3/21/2017 9:25:37 PM Operation terminated at offset 8,323,072 LBA 16,256

    You can just see the point above where the drive decided to dismount (9:25:37 PM Read Error occurred at offset 8,323,072).

    Something similar happens if I open the flash drive in WinHex. While I see data, sure enough, I get an error to the tune of the Windows USB unplugged soundbyte in a few seconds. Using its clone feature, however, something VERY interesting happened.

    As expected, early in the cloning process the drive dismounted as it always does when being read, but WinHex didn't hit me with an error. Instead, it just kept going, as the drive was re-detected and mounted by Windows again (which it always does instantly). The only hiccup is the one referenced above that always happens when I try to read from the drive...except WinHex just kept going despite the drive dismounting/mounting during the operation. It created a partition on my destination flash drive the full size of the source (probably less a few KB!)

    When I tried to mount this clone in Truecrypt, it takes my password and mounts, but when I try to open the volume, it tells me that it's corrupt. Running CHKDSK on it gets me "corrupt master file table. Windows will attempt to recover master file table from disk". Using the repair file system option returns:

    Attempting to repair the file system on the TrueCrypt volume mounted as Q:...
    Access Denied as you do not have sufficient privileges.
    You have to invoke this utility running in elevated mode.
    Press any key to continue . . .

    It's the same if I run TrueCrypt as administrator. Attempting to scan this cloned volume with recovery tools like Recuva or GetDataBack results in a single tiny system file.

    Here is where it got even more interesting though. After some pondering I tried something else. Every time I look at the root of the mounted volume (off the original flash drive), it dismounts after giving me just enough time to see some files and folders. I took a quick screencap before it dismounted and used this to type in directories with contents I knew to be small, going directly to them in Explorer, bypassing the root directory. In this way I was able to copy some small images about 20kb each from the drive! It's not much, but at least it's something that worked. On repeated attempts though, my success rate is about 1 small file every ten times I remount the image. It dismounts very quickly unless I get real lucky. At this time I also realized that it's not showing the full files/folders I knew to be there.

    Given that the flash drive dismounts/mounts again even without Truecrypt, just using tools to make a raw copy of the drive, I'm pretty nervous of damaged sectors. I believe this was caused by power loss or yanking the drive out of the port (how graphic!)

    I'm not exactly forensic at this stuff, but it's clear my volume header is OK. As for the partition table, I don't know whether being able to get this far means it's OK or still potentially damaged. If anybody has any insight into this problem or the logical next steps, it would be GREATLY appreciated. I will provide any detailed information necessary. After so much effort it was great to get SOME data off, so I don't want to give up yet! Thanks so much for your time with this wall of text.
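
The post above describes a raw copy that aborts at the first read error and a clone that carried on through the drive dropping out. As an added example that is not part of the original post and not how any of the named tools work internally, here is a skip-and-continue imaging loop that reopens the source after each failed read, zero-fills blocks that stay unreadable so later offsets stay aligned, and returns a map of the unreadable ranges. `FlakyDevice`, `image_with_skips` and `demo` are hypothetical names, the test data is constructed, and the 8-sector size of the bad region is an assumption (only its start, LBA 16,256, comes from the log).

```python
import io
import time

SECTOR = 512

class FlakyDevice(io.BytesIO):
    """Constructed stand-in for the failing stick: reads touching BAD raise OSError."""
    BAD = range(16256 * SECTOR, 16264 * SECTOR)  # start LBA from the log; extent assumed

    def read(self, n=-1):
        start = self.tell()
        if start < self.BAD.stop and start + n > self.BAD.start:
            raise OSError("device went away")
        return super().read(n)

def image_with_skips(open_source, dest, total, block=8 * SECTOR, retries=1, wait=1.0):
    """Copy `total` bytes into `dest`; return unreadable ranges as [offset, length].

    open_source() must return a fresh binary handle. It is called again after
    every failed read because the device may have dropped and re-enumerated."""
    bad, src, offset = [], open_source(), 0
    while offset < total:
        want = min(block, total - offset)
        data = None
        for _ in range(retries + 1):
            try:
                src.seek(offset)
                chunk = src.read(want)
                if len(chunk) == want:    # a short read counts as a failure
                    data = chunk
                    break
            except OSError:
                pass
            time.sleep(wait)              # give the OS time to re-detect the device
            src.close()
            src = open_source()           # the old handle is stale after a dismount
        if data is None:
            data = b"\0" * want           # placeholder keeps later offsets aligned
            if bad and sum(bad[-1]) == offset:
                bad[-1][1] += want        # extend the adjacent bad range
            else:
                bad.append([offset, want])
        dest.write(data)
        offset += want
    src.close()
    return bad

def demo():
    content = bytes(range(256)) * (16272 * SECTOR // 256)  # constructed 16,272-sector "drive"
    out = io.BytesIO()
    bad = image_with_skips(lambda: FlakyDevice(content), out, len(content), wait=0)
    return content, out.getvalue(), bad
```

The returned map shows which parts of the image are placeholders rather than data read from the drive, so those ranges can be retried later with a smaller `block`.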
     
  2. newbeez

    newbeez Registered Member

    Joined: Aug 26, 2017 | Posts: 6 | Location: USA
    Josh, WinHex is a very powerful tool. Are you using the licensed version? If WinHex can detect the data on the USB, you can try to export it into a file, but only the licensed version will allow you to save more than 200 KB. If your data is worth more than $40 USD to you, I strongly suggest you buy the license.
     