TestCrypt and Restoring a Deleted TruCrypt Volume #2

[PopsiclePete]

Hello,

Apologies for creating a similar thread to 1 that already exists. I've recently lost a TrueCrypt volume and have been working hard at locating possible recovery solutions. I discovered TestCrypt and TestDisk but am not all that familiar with disk design. I want to check in with the experts before I make any changes.

A bit of background...

I have a 1 TB Western Digital hard drive in an external enclosure connected to my system (Windows 7 64-bit Enterprise) via USB. The disk drive was fully encrypted with TrueCrypt 7 (?), so I believe it only contains a single volume. I connected another 1 TB USB drive the other day and meant to format it but mistakenly ran a quick format across my TrueCrypt drive, which I discovered later when I tried to mount the TrueCrypt volume.

The quick format that I ran setup a new partition called "DB-Backup", which was mounting in Windows as a working NTFS volume. After realizing what I had done I deleted this partition.

Steps taken so far...

I ran TestCrypt on the disk and recovered the following details:

• Sector: 121601/76/60
• Volume Size: 1.00 TB
• Hidden: False
• Version 5
• Supported: True
• Normal Header: N/A
• Embedded Backup Header: 0/0/1 - 121601/80/63

I saw Simpson474's notes on how to recreate the partition, but I wasn't sure which values to enter for [Cylinder][Head][Sector]. Currently when I run an analyze with TestDisk it keeps finding the 'DB-Backup' volume that I created earlier.

Start testdisk and select [Create], select the disk and press return. Select [Intel], [Analyse], [Quick Search] (cancel the quick search if it takes longer than a few seconds) and press the "A"-key. The next screen requires to enter [Cylinder][Head][Sector] two times and [Type]: here you have to insert the beginning and the end of the volume found by TestCrypt, choose type "07 NTFS" and confirm with [Done]. Then you have to change the type of the partition to primary (can be done with left/right arrow keys) and it would be best to post a screenshot here for confirmation before you continue to write the partition table.

I really appreciate any help you can provide.

 

[derBobby]

I'm not an expert about data recovery, but i would say that your data is lost. If the new partition was created by overwriting your existing data, there should not be any way to get it back!? I think that it is not possible to restore parts of an encrypted volume?

Did you format the disc with any tool, or the native windows function? Why should it auto-create a new partition called "DB-Backup"? Maybe it was a tool with which you can restore the FAT/MFT etc.!?

Another question would be, if TrueCrypt encrypts only the data on the drive or also the FAT/MFT.

I could not give you an answer, but maybe new options to think about.

 

[PopsiclePete]

Hello derBobby - thank you for the reply.

Although I don't have super high expectations - I'm hoping complete data loss is not the case. I discovered the following 2 threads on this forum that lead me to believe recovery might still be possible.

https://www.computerbase.de/forum/t...-recover-true-crypt-hidden-partition.1104484/
https://www.computerbase.de/forum/t...estoring-a-deleted-trucrypt-volume-2.1142645/

In regards to your formatting question - I used the native Windows function (ie. right click - New Simple Volume). As part of this sequence the wizard asks you to assign a volume label and file system format (NTFS in my case). This process applies a quick format, which finishes in ~ 20 seconds. Its my understanding that the data is still on the disk but available to be overwritten. I have not made any additional rights to the disk since this action occurred.

Hello derBobby - thank you for your reply.

 

[Simpson474]

There is one big difference compared to the other threads: your partition is not only deleted but also formatted. In this case you need recovery software like GetDataBack or R-Studio (better results in the last months especially for formatted volumes) in or in combination with TestCrypt: use TestCrypt to mount the header via right click context menu and afterwards use the recovery software on the mounted volume.

 

[PopsiclePete]

Understood. That makes perfect sense.

1 question - when I choose "Mount as Backup Header" within TestCrypt the action completes successfully. When I attempt to access the drive from Windows Explorer I get the following error:

F:\ is not accessible.
The parameter is incorrect.

I assume this is expected due to the formatting issue. However when I use a recovery tool such as GetDataBack, the tool is unable to see the F:\ volume that TestCrypt mounted. I'm only able to select the entire disk at that point.

I suppose things must be really hosed up in this case? 11 hours remaining on the file scan...

 

[Ernst@at]

Sure, you will see in step 1 only the physical disk menu opened at the beginning.
You must click the header text "logical disks" to open the window where F: will appear.