Veracrypt volume muck-up after diskpart clean

Discussion in 'encryption problems' started by karakinkleinz, Jan 26, 2021.

  1. karakinkleinz

    karakinkleinz Registered Member

    Joined:
    Jan 26, 2021
    Posts:
    4
    Location:
    Osaka
    Hi

    I accidentally ran
    Code:
    diskpart clean
    on an EFI partition that sat in front of a non-system drive veracrypt volume today. This caused the volume to become instantly dismounted. I made a grave mistake in re-initializing the disk in
    Code:
    diskmgmt
    and am unable to decrypt the partition as the Veracrypt volume header seems to have shifted. Also, about 2MB of data at the end of the Veracrypt volume partition has become zeroed out.

    As chance has it, I have two disks that are exact copies, so I was able to find the Veracrypt volume header offset from the working drive. This offset worked for recovering the dysfunctional drive's volume header, however, I am unsure as to how to proceed.

    If someone could help me verify the maths and solution going forward that would be terrific.

    My plan is to:

    1) Make a full-disk copy to file. This will take about 12hrs with Testdisk.
    2) Using HxD, make a file from the offset 210763776 through 5000980856831. This should amount to 5 000 770 093 055 bytes, which corresponds to Veracrypt's volume total size of 5000769830912 plus 256kB (262144). However, this becomes 5 000 770 093 056, which is one byte more. Is this okay?
    3) Try to mount the file.
    4) If mounting does not work, try to restore the volume header using the backup I created after finding the header at offset 210763776.

    What I am fearing is that I will be able to mount, but not decrypt the data. I have read that one can try to recover the file system. I am unsure what resided in the last 2MB of the partition. Hopefully nothing that will prevent me from decrypting.

    Any tips? Is my strategy sound? :)
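The offset arithmetic from step 2 of the plan above, worked through as an added example (not part of the original posts). It shows that a first-through-last selection includes both end offsets, so it holds one byte more than the plain difference, and it carves that range from an image file; the function names and the image path are assumptions for illustration.

```python
import os

HEADER_OVERHEAD = 256 * 1024   # the post's "plus 256kB" added to the size VeraCrypt reports

# Figures quoted in the post.
HEADER_OFFSET = 210763776      # where the volume header was found
END_OFFSET = 5000980856831     # last byte of the planned selection
REPORTED_SIZE = 5000769830912  # volume size as reported by VeraCrypt
EXPECTED_LENGTH = REPORTED_SIZE + HEADER_OVERHEAD


def inclusive_length(first: int, last: int) -> int:
    """Bytes in first..last when BOTH offsets are part of the selection."""
    if last < first:
        raise ValueError("last offset precedes first offset")
    return last - first + 1


def last_offset(first: int, length: int) -> int:
    """Inclusive end offset of a length-byte region starting at first."""
    return first + length - 1


def carve(image_path: str, out_path: str, first: int, length: int,
          chunk: int = 4 * 1024 * 1024) -> int:
    """Copy length bytes starting at first from an image FILE to out_path.

    The image is opened read-only; a range that runs past the end of the
    image is rejected instead of silently producing a short volume file.
    """
    if first + length > os.path.getsize(image_path):
        raise ValueError("requested range runs past the end of the image")
    remaining = length
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(first)
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:
                raise IOError("unexpected end of image")
            dst.write(buf)
            remaining -= len(buf)
    return length


if __name__ == "__main__":
    print("difference      :", END_OFFSET - HEADER_OFFSET)
    print("inclusive length:", inclusive_length(HEADER_OFFSET, END_OFFSET))
    print("expected length :", EXPECTED_LENGTH)
```

Working on a copy of the disk, as in step 1 of the plan, keeps the original untouched if an offset turns out to be wrong.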
     
  2. karakinkleinz

    karakinkleinz Registered Member

    Joined:
    Jan 26, 2021
    Posts:
    4
    Location:
    Osaka
    I took a small selection off of HxD just to test a little more while the clone job finishes. I tested offset 210763776 to 3210763776.

    I mounted it in Veracrypt as a file and then opened it in WinHex. Seems to display the NTFS Master File Table which is extremely promising.

    All of the sectors are UNREADABLE, but I surmise this is because none of those sectors/offsets are available in this chunk.
     
  3. karakinkleinz

    karakinkleinz Registered Member

    Joined:
    Jan 26, 2021
    Posts:
    4
    Location:
    Osaka
    I was able to decrypt everything using the plan I laid out in my initial post on the first attempt. It took 12 hours to copy the external 5TB drive to an image.dd file, and later 5 hours to carve out just the Veracrypt volume. :)

    I want to thank the users on this forum who have helped others in similar threads, without which I wouldn't have known what to do!

    Case closed!
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I just stopped by for a quick visit, as I have not been active on Wilders for quite some time.

    I want to congratulate you! I assume that you have been reading some of my old TrueCrypt-related threads and posts. As you found, many of those tricks will still work for VeraCrypt.

    I am very happy that you were able to recover your data.
     
  5. karakinkleinz

    karakinkleinz Registered Member

    Joined:
    Jan 26, 2021
    Posts:
    4
    Location:
    Osaka
    Thanks @dantz, it was you in particular I wanted to come in contact with by posting here. Your advice was inspirational in knowing how to proceed. :)
     