Recovering TrueCrypt Volume after deleting MFT

Lipi42

Hello everyone!

I'm more of the read-everything kind of guy, but now I feel I've already tried everything :(

So, problem is, a year or two ago I - somehow - lost both my MFT and MFT-mirror on my 80GB HDD's last partition. Of course I had a TrueCrypt volume on it, with priceless, non-reproducible data.
There wasn't much discussion about restoring TC volumes without an MFT at the time, but now I just found TestCrypt, and also a few tried ways for recovery using a Hex Editor.

Well, I've run TestCrypt a few times, but it doesn't really want to find the volume I'm looking for. It should also have a backup header, as it hadn't been created using a very old version.
Maybe it's something about the settings? Could anyone walk me through it, or help me find out what I'm doing wrong?

(I also tried finding the file using WinHex, and I even wrote a handy script that can help you find it if you know its size and/or it has 0x0000000000 in front of it. Well, it didn't work for me, but might work for someone interested, so if you need it, feel free to message me :))
 
I have written some scripts and tools that can help you find a volume, too - with similar results to yours most of the time ;)

However the latest version (see PM) looks quite promising in some tests done by me. Just select the disk to analyze, put the slider to 90% and click "Start". Unfortunately the progress bar stops shortly before the analysis has been finished - therefore only the "Start"-button will become clickable again (and CPU load will drop) after the analysis has finished but the progress bar will still display some progress. After the analysis you can select the output from the tool (click inside the text field and press CTRL-key & A-key to select everything, the scroll bars are still missing) and paste it here.
 
Simpson474 wrote:
I have written some scripts and tools that can help you find a volume, too - with similar results to yours most of the time ;)

However the latest version (see PM) looks quite promising in some tests done by me. Just select the disk to analyze, put the slider to 90% and click "Start". Unfortunately the progress bar stops shortly before the analysis has been finished - therefore only the "Start"-button will become clickable again (and CPU load will drop) after the analysis has finished but the progress bar will still display some progress. After the analysis you can select the output from the tool (click inside the text field and press CTRL-key & A-key to select everything, the scroll bars are still missing) and paste it here.

Simpson, thank you very much for your help! :)

I tried to use the tool you sent me, and it also almost finished, just like you wrote, CPU usage dropped, but nothing really changed in the output window. It only says: Scanning \\.\PhysicalDrive1
I tried clicking Start again, and it restarted, but same result :(

Am I doing something wrong?

Thank you again anyways!
 
How big was your TrueCrypt volume and how big was the partition where the volume was stored? My tool currently only displays blocks of random data bigger than 1GB. If you re-download the tool you will get an updated version which is able to locate my test-volumes with only some minor sector offset - however I don't believe the tool will detect something on your disk as it is stricter in detecting the random block areas and I was getting fewer possible TrueCrypt volumes than with the old version of the tool.
 
Simpson474 wrote:
How big was your TrueCrypt volume and how big was the partition where the volume was stored? My tool currently only displays blocks of random data bigger than 1GB. If you re-download the tool you will get an updated version which is able to locate my test-volumes with only some minor sector offset - however I don't believe the tool will detect something on your disk as it is stricter in detecting the random block areas and I was getting fewer possible TrueCrypt volumes than with the old version of the tool.

Well problem is, I don't totally remember, although I'm pretty sure it was not larger than 1 GB. Might have been that big, but most likely smaller than that. :(
I'll try the updated tool next anyways!

And thank you again! :)
 
If it could have been smaller than 1 GB you don't have to try the updated version - it certainly won't find anything. I will change the limit of random block detection to 256 MB and upload an updated version of the tool.

EDIT: The version has been updated to detect random blocks starting from 256 MB instead of 1 GB
 
Tried it, results are here:

Scanning \\.\PhysicalDrive1
12794880LBA - 13337600LBA (277,87 MB)
12784880LBA-12804880LBA
13327600LBA-13347600LBA
14875648LBA - 16065536LBA (609,22 MB)
14865648LBA-14885648LBA
16055536LBA-16075536LBA

I tried copying the 609 megs file out from winhex, then trying to mount it, but it didn't really work. I guess it wasn't really the way to do it, and it might have not even been the correct one to try :)
 
The two LBA-ranges displayed for each random block are intended to be used with the custom analyzer of TestCrypt. Just try to enter all four ranges into TestCrypt and check if something is found.
 
Simpson474 wrote:
The two LBA-ranges displayed for each random block are intended to be used with the custom analyzer of TestCrypt. Just try to enter all four ranges into TestCrypt and check if something is found.

Well, I've checked all of them - it took a few days, but I've done it one by one. No results :( I checked the first two as one, but all the other ones separately:
12794880LBA - 13337600LBA
12784880LBA-12804880LBA
14875648LBA - 16065536LBA
14865648LBA-14885648LBA
13327600LBA-13347600LBA
16055536LBA-16075536LBA

Is there a problem with this?
I'm very sorry to bother you for so long... :( But I can't seem to do it.

Oh, by the way, I select Do not analyze twice on the Volume Analyzer panel, right?
 
It should have been enough to only check the following ranges:
Code:
12784880LBA-12804880LBA
13327600LBA-13347600LBA
14865648LBA-14885648LBA
16055536LBA-16075536LBA

As you have also analyzed the complete random blocks, I have no real idea what you could do more. How did you lose the MFT on the disk? Could it be that the TrueCrypt volume has also been overwritten when the MFT was destroyed? I have one further idea which could work at least for such small disks as yours: I will adapt the tool to decrypt each sector which might be a TrueCrypt header. I won't be able to do the changes today but I should be ready till tomorrow (it's only a small change, I have to add the password field and add some parts from TestCrypt): I have no idea how long the scan of the 80GB will take - but maybe it's worth a try.
 
Simpson474 wrote:

Thank you very much!
There's absolutely no need to hurry, it's already much more than anyone would have done for me.
Well, it was a user fault. When I got my new HDD, somehow I used bad jumpering (it wouldn't work with cable select), and so I suspected it might be a drive fault from the new environment. So I (obviously, like anyone totally out of their mind would) tried using some programs I didn't understand at the time to recover data on my last partition. Not knowing what I'm doing, I deleted (or more like rewrote) both of the MFTs. I didn't really do anything else, but this has just been enough. :(
 
I tried to modify the tool to scan all sectors which might be potentially a TrueCrypt header: unfortunately an analysis on a 80 GB disk which contains data would take several weeks or even months to complete with this approach. Therefore the only thing I could offer would be to extend the tool to be able to locate random blocks smaller than 256 MB - but if the fragments get this small it seems that the volume was heavily fragmented and there is almost no chance to recover volumes with more than 2 fragments.
 
Simpson474 wrote:
I tried to modify the tool to scan all sectors which might be potentially a TrueCrypt header: unfortunately an analysis on a 80 GB disk which contains data would take several weeks or even months to complete with this approach. Therefore the only thing I could offer would be to extend the tool to be able to locate random blocks smaller than 256 MB - but if the fragments get this small it seems that the volume was heavily fragmented and there is almost no chance to recover volumes with more than 2 fragments.

Sorry for the question, but could that be a problem, that I haven't scanned the given ranges at once? I mean, every quote I made above was scanned at a totally different time, not in the same take. From what I understand the volume could have been split into more than one of these?
 
There should be no difference if you scan all ranges at once or one after another. If a volume is split due to a fragmented disk into two blocks, there is a good chance to put the volume together when both the fragment with the normal header and the fragment with the backup header have been found. However if the volume is split in three or more parts it is almost impossible to find the correct blocks except for the first and the last block.

EDIT: I have added a slider to the tool to be able to select the minimum block size - can you try it again with the slider set to 100 MB?
 
Ok, thanks, I've scanned it again, set to 100MB :)

Here's the download link for the results: http://www.speedyshare.com/TEwSS/lba-found.xlsx
Also, I tried calculating sizes for the containers and after the first half, it always became around 10 times the size of your predictions. But I don't really understand LBA, so it's just an idea, maybe it could be something that helps you :)
 
Your formula is wrong - D(x)*512/1024/100 & " MB" should be D(x)*512/1024/1024 & " MB". You will get slightly different values than printed by the tool because the tool uses the "official" formula for MB (Megabyte) and not MiB (Mebibyte): D(x)*512/1000/1000.

For the scan in TestCrypt it should be enough to add only the two small blocks (10MB) displayed after each big block: you can add all the ranges at once and start the scan or you can add them one after another.
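
The workflow discussed in this thread (locate large runs of random-looking data, report them as LBA ranges with a decimal-MB size, then search only a small window around each edge for a header) can be sketched as follows. This is an added example, not part of the thread and not the tool mentioned in it: the byte-entropy test, the function names and the sample image are assumptions, while the 512-byte sector, the MB formula and the 10000-sector margin are taken from the posts and the posted ranges.

```python
import hashlib
import math

SECTOR = 512      # bytes per LBA sector, as used in the thread's size formula
MARGIN = 10_000   # sectors either side of a block edge, read off the posted ranges

def entropy(buf):
    """Shannon entropy of buf in bits per byte (8.0 = uniformly random)."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def find_random_runs(image, min_bytes, chunk_sectors=8, threshold=7.9):
    """Return [(start_lba, end_lba)] for contiguous high-entropy runs >= min_bytes.
    The entropy test is an assumption; the thread does not say how its tool works."""
    step, runs, start = chunk_sectors * SECTOR, [], None
    nchunks = len(image) // step
    for i in range(nchunks + 1):          # one extra pass closes a run at end of image
        high = i < nchunks and entropy(image[i * step:(i + 1) * step]) >= threshold
        if high and start is None:
            start = i * chunk_sectors
        elif not high and start is not None:
            if (i * chunk_sectors - start) * SECTOR >= min_bytes:
                runs.append((start, i * chunk_sectors))
            start = None
    return runs

def size_mb(start_lba, end_lba):
    """Decimal megabytes, the formula given in the thread: sectors*512/1000/1000."""
    return (end_lba - start_lba) * SECTOR / 1000 / 1000

def header_windows(start_lba, end_lba, margin=MARGIN):
    """Two small ranges around the block edges, where the normal header (start)
    and the backup header (end) would be searched for."""
    return [(max(0, start_lba - margin), start_lba + margin),
            (max(0, end_lba - margin), end_lba + margin)]

def build_sample_image():
    """Constructed test image: 128 zero sectors, 512 pseudo-random, 128 of text."""
    rnd = b"".join(hashlib.sha256(i.to_bytes(8, "little")).digest()
                   for i in range(512 * SECTOR // 32))
    text = (b"FILE0 record " * 6000)[:128 * SECTOR]
    return bytes(128 * SECTOR) + rnd + text

if __name__ == "__main__":
    for s, e in find_random_runs(build_sample_image(), min_bytes=100_000):
        print(f"{s}LBA - {e}LBA ({size_mb(s, e):.2f} MB)", header_windows(s, e))
    # The first block posted in the thread reproduces its two small ranges:
    print(header_windows(12794880, 13337600), round(size_mb(12794880, 13337600), 2))
```

Each window spans 20000 sectors, about 10 MB, which is why scanning only the windows is far cheaper than scanning the whole random block.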
 