Unallocated USB drive with TrueCrypt file/container

Discussion in 'encryption problems' started by ali123, Nov 7, 2012.

Thread Status:
Not open for further replies.
  1. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    Hello everyone
    I'm a newbie here and unfortunately experienced a problem with a USB HDD with a TrueCrypt file.
    There is a USB 2.0 hard drive (500GB); around half of it is taken up by a TC file, encrypted, not hidden; the second half is a standard one, not encrypted, NTFS formatted.
    I'm not 100% sure, but while the PC was rebooting the hard drive was plugged into a USB socket and the Windows XP check disk tool launched a verification on it.
    Probably a few files were fixed/corrected.
    After that, when I plug the drive into USB, it can be seen only as an unallocated partition under "Computer Management --> Disk Management".
    I've double-checked it and the disk has the same state on two PCs.

    My most important question is below:
    Is there any chance to get the TC file/container back to a readable condition?
    The password is known; I did not change any status on this drive with any OS tool, nor did I use any tools to repair any sector.

    I'd be really grateful for any help/hints in this matter.

    thank you
    Greg
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    From my read of your post it sounds like the TC volume is file based. That means the volume takes up space on the HD partition but is not a separate encrypted partition. Correct?

    If the TC volume is file based then you can simply copy it to another location like any other computer file. Room on your desktop, another drive, etc...

    The volume may open without any issues on another media. There is little or no danger to copying a file based volume in this fashion.

    Once you recover the file and volume you could then redo/format the USB drive and start over clean. Just an idea.
     
  3. ali123

    Indeed, you're right about the TC file, Palancar,
    but there is one thing - I cannot see any data on the drive when I attach it to the PC.
    I cannot see the partition on this HDD under Win XP or Win7 - it's unallocated.
    I would like to avoid doing anything with repair tools while I have TC on board.
    Maybe the MFT or some markers went missing when check disk was performed while rebooting the box.

    thank you
    Greg
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    It sounds like your 500 GB drive has somehow lost its file system due to an accident, and you say that you have lost a 250 GB (approx) file-hosted TC container due to the accident.

    Before we go on, are you positive that your TC container is file-based? Would you click on "Select File" in order to mount it? I ask this because if you used partition-based encryption then you would need to recover a lost partition and the procedure would be much different. And since your partition definitely seems to be gone, and Windows has a known habit of destroying TC partitions, I wonder if that's actually the situation here. Plus, you mentioned that the second half of the drive is another "standard one, NTFS formatted". Another what? File, or partition? Sure sounds like a partition to me! Let's get this part right so we won't waste too much time going down the wrong path. What have you actually lost, a file or a partition? Ask yourself this: Could you mount it by clicking on "Select File", or did you use "Select Device" and then choose a partition?

    Anyhow, going back to the assumption that your lost container is actually file based: A file-hosted TC container is a file much like any other. However, it has no fixed identifying characteristics, rather, it consists of random data from start to finish. There are tools for recovering lost files in this sort of situation. (You should know the name of the lost file, obviously.) I'd try various data-recovery tools such as GetDataBack, R-Studio, even Recuva. If the MFT still exists somewhere on the drive then these tools will usually be able to locate it and will use it to find the file.

    If the MFT is gone then your file is probably gone too, but if you don't want to give up then you could always try doing it the hard way by using a hex editor to browse through the drive looking for a very large (~250GB) block of random data. To complicate matters, it might be fragmented, especially by various pieces of the MFT itself. This approach definitely takes some practice and it often doesn't work, but you can easily set up a practice situation by creating a small TC container on a test drive and then trying to find it. However, I will say that overall this is a difficult, fairly involved process, so I won't go into detail unless you actually need to do this.
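An added example (not part of the post above or of any tool named in the thread) of the manual search described there: instead of paging through a hex editor, measure Shannon entropy block by block over a read-only drive image and report long runs that look like random data. The block size, threshold, `min_blocks` and the constructed sample image are assumptions chosen for the demonstration.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096      # bytes per sampled block (assumed value)
THRESHOLD = 7.9   # bits/byte; random 4 KiB blocks measure about 7.95


def shannon_entropy(block):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_runs(stream, block=BLOCK, threshold=THRESHOLD, min_blocks=8):
    """Return [(offset, length)] for runs of consecutive high-entropy blocks.

    Read-only. Runs shorter than min_blocks are dropped: compressed files
    (JPEG, ZIP) also look random, so a container stands out mainly by its size.
    """
    runs, start, offset = [], None, 0
    while True:
        data = stream.read(block)
        # A short or empty final block counts as low entropy and closes any open run.
        high = len(data) == block and shannon_entropy(data) >= threshold
        if high and start is None:
            start = offset
        elif not high and start is not None:
            runs.append((start, offset - start))
            start = None
        if not data:
            break
        offset += len(data)
    return [r for r in runs if r[1] >= min_blocks * block]


def build_sample_image():
    """Constructed test image: low-entropy filler around a random region."""
    filler = (b"FILE0" + bytes(59)) * 1024   # 64 KiB of repetitive records
    container = os.urandom(64 * BLOCK)       # stands in for the lost container
    noise = os.urandom(2 * BLOCK)            # short random run, below min_blocks
    return filler + container + filler + noise + filler


if __name__ == "__main__":
    for off, length in high_entropy_runs(io.BytesIO(build_sample_image())):
        print(f"candidate at offset {off:#x}, {length} bytes")
```

On real data, pass a sector-by-sector image file opened in binary read mode rather than the original drive; a fragmented container shows up as several long runs instead of one.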
     
  5. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    Thank you so much for the explanation of what kind of things I need to challenge.

    I'm sure that the HDD has TC mounted as a file.
    The whole disk was prepared as below:
    - Windows NTFS formatted all 500GB as one partition
    - 1st half, create 250GB TrueCrypt file and encrypt it
    - 2nd half, 250GB volume remains as NTFS, standard one for Windows, not encrypted

    The disk cannot be read under Windows. It presents itself as an unallocated one.
    I did not use any tools to recover/check/verify data.

    You've mentioned that it looks like the MFT is gone... I'd rather not describe my feelings about the term "my data is permanently lost".
    Frankly, I will try every possible way/tool to recover the TC file and finally the data.

    I'd be grateful for further hints
    thank you again
    Greg
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No, I did not. The MFT could very well still be there. It depends upon what happened to the drive. And even if the MFT is unusable the TrueCrypt file might still be recoverable, although it'll be a lot more work and it might be incomplete.

    Try exploring the drive using one of the data recovery programs mentioned previously. They are generally read-only and are quite safe as long as you don't write any data back to the same drive. Make sure you don't do that! Your lost file is currently in free space and it is very vulnerable to being overwritten by new data. If you can recover the file intact then it might still be mountable.

    If you want to play it truly safe, make a sector-by-sector image or clone of the entire drive before you begin.
     
  7. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    Any suggestions about tools for sector-by-sector imaging/cloning?

    thank you
    Greg
     
  8. Usermee

    Usermee Registered Member

    Joined:
    Nov 13, 2012
    Posts:
    12
    I just used WinHex, it has this function to clone the HDD sector by sector.
     
  9. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    Apologies for the silence from my side.
    I've cloned the unallocated 500GB hard drive onto a new 1TB one.
    Could I ask what the next step/move should be?

    thank you
    Greg
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm glad you have made a backup. Hopefully you won't need it, and if you do I hope it will work.

    For starters I'd try GetDataBack (by Runtime software), as it's pretty good with damaged file systems. They have an evaluation version that you can try, and it should be able to find something. I'm not an expert on the program, but there is a user guide, and if you end up purchasing it I'm fairly sure you can get support from the site. I can't really provide step-by-step instructions on that program, but I've played with it under similar scenarios and have had pretty good results.

    Try other data-recovery programs as well. (R-Studio data recovery gets good reviews from TrueCrypt users as well.) It's best to have one of these programs use the data in your MFT to piece the file together for you, as it's much more difficult to do that sort of thing manually. The file could very well be split into two or more fragments because of its size, which complicates matters.

    You're sure it's a file, right? It resides in a folder and it has a filename? (I'm sorry to keep asking you this, but your descriptions are still a bit imprecise and can be viewed both ways). If so then there should be a record of it in the MFT, which we hope has survived the accident. Make sure you don't write anything to the drive, and definitely don't format it or anything like that.

    Anyway, try GetDataBack and let us know how you do. The eval version is able to find things and it will imply that it could recover them, but I think you have to pay before it will actually do anything.
     
  11. ali123

    ali123 Registered Member

    Joined:
    Nov 4, 2012
    Posts:
    8
    Location:
    Poland
    dantz,
    thank you for the software suggestion
    it opens my mind and says I totally f...d up my wife's 10yrs photography life...
    it's speechless and unforgivable :(
    I had this USB drive plugged into the PC when the new OS was being installed.
    Now it looks like the drive is formatted and contains folders and files with Win7 64bit...
    I've no idea where my mind was at that time and how come...

    GetDataBack shows OS folders on the USB drive.
    Now I've launched software called "testdisk" and am trying to find something more... but based on previous experience with a formatted and overwritten HDD with a TC file inside... there's nearly a 0% possibility of getting the data back to life...

    thank you so much for your time and patience
    Greg

    PS. if you hear/see any other solution in the future to grab the original bits - please drop me a note on this forum.
     
  12. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Unless Windows 7 performed a full format on the drive, there should still be some old data remaining. At this point I'd try a signature-based file recovery program such as PhotoRec (which comes with TestDisk). To prevent being overwhelmed by excessive results I'd set it up to look only for certain file extensions such as .jpg, .tif, .mov and/or whatever other file types you would expect to find in the photo collection.

    (Unless the photos were all stored inside the TrueCrypt file-hosted container, that is. In that case things are looking pretty bleak)
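An added illustration (not part of the thread and not PhotoRec's own code) of the general idea behind signature-based recovery restricted to one file type: find the JPEG start marker in a raw image, then walk the segment lengths so that a thumbnail embedded in the header does not end the file early. The sample bytes are constructed and JPEG-shaped only, not a decodable picture; progressive or fragmented files would need more handling than this sketch has.

```python
import struct

SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image


def jpeg_length(buf, start):
    """Length of a contiguous JPEG at buf[start:], or None if it does not parse."""
    pos = start + 2                               # first marker after SOI
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        (seglen,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if seglen < 2:
            return None
        if marker == 0xDA:                        # SOS: compressed scan data follows
            # In scan data 0xFF is followed by 0x00 or RSTn, so FF D9 is the end.
            end = buf.find(EOI, pos + 2 + seglen)
            return None if end == -1 else end + len(EOI) - start
        pos += 2 + seglen                         # skip segment, thumbnail included
    return None


def carve_jpegs(buf):
    """Return [(offset, length)] of JPEGs located by signature in a raw image."""
    found, pos = [], buf.find(SOI)
    while pos != -1:
        length = jpeg_length(buf, pos)
        if length:
            found.append((pos, length))
        pos = buf.find(SOI, pos + (length or 1))
    return found


def build_sample_jpeg():
    """Constructed JPEG-shaped sample whose APP1 segment embeds a thumbnail."""
    thumb = SOI + b"\xdb\x00\x02" + EOI           # stand-in thumbnail
    payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(payload)) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 6) + bytes(4)
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    scan = b"\x12\xff\x00\x34" * 8                # 0xFF is stuffed with 0x00
    return b"\xff\xd8" + app1 + dqt + sos + scan + EOI


if __name__ == "__main__":
    image = bytes(512) + build_sample_jpeg() + bytes(512)
    print(carve_jpegs(image))
```

Like the recovery tools discussed above, this only reads the image; carved ranges should be written to a different disk than the one being recovered.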
     