Volume mounted correctly but not accessible

Discussion in 'encryption problems' started by pot36, May 9, 2014.

Thread Status:
Not open for further replies.
  1. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    Hi everybody
    after checking different threads which are relatively similar to my troubleshoot with truecrypt, I see that my problem is a little different from the discussed issues.
    Indeed I've an external HDD, with a size of 1TO, fully encrypted, it worked fine under windows 7 for several months, until one day I run it under KALILINUX, again it worked fine under that latter, when I came back to windows, I succed to mout the volume correctly but It becomes unreadable, it looks like it is not decrypted.

    thanks in advance for any help
     
  2. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    Any help ? could I run "header restore" option without risking data loss ??
     
  3. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    Additional informations:
    -I backed up header successfully, but the drive is still unaccessible
    -I mounted the drive then I examine it with winhex, all my files are visible at the top of winhex window, how can I access to them ?
    Still waiting for help
     
  4. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    A picture of winhex results : the size attributed to my files smaller than it should be !http://hpics.li/0e4bec8
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The TrueCrypt headers do not contain any information about how your volume is formatted or what sort of data it might contain. TrueCrypt has no idea what's in there. The volume could contain nothing but unallocated space and TrueCrypt would still encrypt/decrypt it on-the-fly.

    So if your data becomes partially corrupted for some reason, there's no point in focusing your attention on the TrueCrypt headers, as they do not know what is stored in there and they do not provide any mechanism for getting things back to the way they used to be. (The only exception would be if your data had become completely undecryptable, in which case you might suspect that the headers were damaged or had been moved out of position).

    Your TC headers are obviously working fine, as you are able to view (via WinHex) quite a lot of decrypted data (file and folder names, etc.). Thus, there's no need to restore the TC headers from a backup or anything like that. More likely your volume has sustained some sort of file-system damage, probably due to an accidental partial overwrite.

    I'd say your next steps should be 1) Make a full sector-by-sector backup of the damaged HDD, just in case you screw up the original, and 2) Use data-recovery software on the mounted volume.

    You might be able to skip Step #1 if you are careful to operate only in read-only mode, but that's not a complete guarantee of safety. For example, it's possible that your drive itself might be failing, in which case making a complete copy would be a number one priority.

    However, more likely it's just some sort of a software screwup. Perhaps Windows tried to initialize your disk, or something like that. There's still no easy solution, though. Try various types of data-recovery software to see what you can get back. Quite a lot, I would expect, since WinHex is displaying a fairly complete looking disk.
     
  6. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    Thank you Dantz for having answered me;

    Before I try your suggestions I would like to add additional informations:

    before I got that troubleshoot, truecrypt displays a message wich says that it hadn't been dismounted correctly the previous time, and that there could be errors on the volume., I ignore that message and I read correctly my data.

    Now when I try to read the mounted volume via winhex it diplays an error message "FILE OR DIRECTORY IS DAMAGED AN UNREADABLE", I click ok, then I could see the content of my mounted drive (as depicted in the image above) ,

    I've tried yet data recovery utility, I used "iCare data recovery software", just to see what it could recover, I let it run for some minutes then I abort it, I got some unreadable files, all with a SWF extension.
     
  7. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    @dantz
    is there any other option different from data recovery software ?
    I saw other suggestions in some threads wich are similar to mine
     
    Last edited: May 18, 2014
  8. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    An other crucial questions :
    in winhex to make a full backup of the damaged HDD, there are two options: we can create image, then we restore it on an other removable media, or we can create clone disk which we use immediately, waht is the best solution among these ?
    if we work on the backed up disk to recover data or to fix up problems, are the results the same as if we work on the original disk ?

    waiting for wise advises before beginning any stage.
    Thanks in advance
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Sorry, I tend to get really busy sometimes. I'm back for awhile until the next urgent situation comes up.
    That sounds like a Windows message, not a TrueCrypt message. To the best of my knowledge TC does not keep track of your previous dismounts, whether they were successful or not. TrueCrypt was designed for users who require extreme privacy, and as such it goes out of its way to avoid storing or revealing any extraneous information about your data.
    There are so many different data-recovery programs. I often suggest GetDataBack and PhotoRec, but that's just the beginning. The main thing is to perform your data-recovery safely. Ideally you would clone your disk to another disk and perform the data recovery on the clone, but you can also perform read-only actions on your existing disk. The idea is to avoid writing anything to the disk, as much of your lost data is now in free space and thus it could easily be overwritten by any new data.

    The problem with that approach, though, is that Windows might still end up writing to the disk. Windows is a very busy little OS and it does a lot of housekeeping chores. The other risk is that the disk might be failing, in which case you need to image or clone it as soon as possible before it gets any worse.

    Or are you asking if you can attempt to perform some type a file-system repair instead of recovering your data first? That would be highly dangerous. Many users would probably try that, but it's quite a bit riskier. (Of course, many users take huge risks all the time without even realizing it. I suppose the most obvious example would be failing to back up their important data while either hoping or assuming that nothing will go wrong.) If you make one or more backup copies of the disk then you can try stuff like that without suffering the consequences if you screw it up.

    It's more a matter of convenience than anything else. The two methods are almost equivalent except for the obvious fact that you will need to restore your image onto an additional storage device before you can use it. In this case an image and a clone will both be almost exactly the same size, for two reasons: A sector-by-sector image or clone doesn't skip anything, and encrypted data is essentially incompressible. I would probably choose to clone the disk, as it's easier to compare and check the clone to ensure that it got done correctly.

    It won't be exactly the same, but for your purposes it will probably be ok. It depends upon the type of TrueCrypt volume involved and whether or not you are cloning to a larger disk. For a partition-hosted volume (which is what I believe you have) it should work ok. (There will be some unallocated space at the end of a larger target disk, but the partition should still be ok.) However, a fully-encrypted disk will NOT be the same if you clone it onto a larger disk, as TrueCrypt will no longer be able to find its embedded backup headers.

    You can probably get better advice from data-recovery specialists, as I am more of a TrueCrypt troubleshooting guy and your TrueCrypt volume is working normally (whether you believe it or not). It merely has a damaged file system, which is not TrueCrypt's fault (or at least, not directly).
     
  10. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    Wich approach you mean ? recovering the data, cloning the disk or imaging it ?


    Since the problem I avoid to use the damaged HDD, will it fail spontaneously ?

    I don't ask for that

    You definitely advise me to clone the disk ?


    I've a wholly encrypted device, and I plan to back it up in an equal HDD, what you advise me I'm still confused about the choice ?
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I mean during a direct recovery attempt on the damaged disk. It's much safer to clone the disk and work on the clone.
    There's no way I can answer that. However, since the problem occurred right after using your volume with Linux system, I suspect that a software-related problem is more likely.
    I hate to "definitely advise" anything. I don't have your disk in front of me, and it's not my data. All I can do is make educated guesses and suggestions, not complete guidance.

    Also, please be informed that I am way too busy to guide you through a full recovery attempt, nor am I the best person to do that. I don't even have time to answer all of the threads that are appearing in this forum, and many of them are more within my area of expertise.

    My skills are mainly oriented towards helping those users who have totally lost access to their TrueCrypt volumes such that their passwords are not even being accepted. Depending upon the situation, sometimes I can help users rearrange things such that their passwords will once again be accepted and they are able to mount their volumes to a drive letter and verify that their data is decrypting.

    You are already able to successfully mount your volume to a drive letter and you can even see some of your data, so you obviously have full access to the decrypted contents of your volume. What you are dealing with is some sort of file system damage which has occurred within your fully-functioning volume. Fixing this and/or recovering from this is out of my area of expertise.

    All I can suggest is that you try various data-recovery programs (such as GetDataBack, Photorec, R-Studio, FileScavenger, etc.) or seek more specialized advice from actual data-recovery experts. And yes, it's best to make a full sector-by-sector clone of the affected, unmounted drive and to focus your recovery efforts on the clone.

    In your case you could even try cloning your mounted volume into a blank partition of the appropriate size, thus getting TrueCrypt completely out of the picture. I believe that WinHex can handle this. The resulting partition will be contain your damaged volume and it will be completely unencrypted, thus making it possible to use a wider variety of data-recovery tools.

    However, I would begin by cloning the entire disk onto another disk of the same size or larger.
     
  12. pot36

    pot36 Registered Member

    Joined:
    May 9, 2014
    Posts:
    13
    @dantz
    Thanks you for your advises, as soon as I attempt to recover my data, I'll give you results.
     
Loading...
Thread Status:
Not open for further replies.