Testcrypt - Testdisk - Recover True crypt hidden partition

Cast away (Newbie, registered Aug. 2012, 5 posts)
Hi all,

TestCrypt sourceforge page directed me here :) I need some help with recovering an external disk with 2 partitions!


Here is my situation :


- Had an external 500Gb Usb disk.
Was giving a lot of failures, due to the usb controller. Therefore, I had a lot of "$Mft could not be written" etc.. I believe this damaged the disk header (of MFT, or Partition table? ..)
Many people from the internet had the same issues with this specific drive, they installed it into a computer (internal sata) and voila.
So I did the same. The drive is now an internal WesternDigital Caviar 500Gb, Sata.
BUT..


- Drive was not recognized by win Xp
It was asking me to "initialize" it, which of course I did not
Drive appears "BAD" in partition magic.
The two partitions (normally appear clearly in windows disk manager) are not recognized anymore..


- Tried to testdisk it : to find the partitions. No luck
Normal scan, then deeper scan found nothing


- Tried to testcrypt it : it found the second partition :)
I could backup my files from the second partition.
I left everything to "automatic", since I didn't find any help file for testcrypt yet and don't know how to configure it manually

However, it didn't find the first partition :(


- EaseUS partition master : when checking the surface, it found bad tracks at the very beginning of the disk (but I stopped it, it was running for hours and only at 1/8 of the disk :( )


- Ran Spinrite
The whole night, with option 2 ("recover bad tracks")
It finished the job, not showing any bad recovered tracks, but I know it was on some specific sectors for quite a time


- Partition magic info : here is the log
Code:
Info: End C,H,S values were large drive placeholders.
  Actual values are:
        0  0  80      0    1    1  AA  60801   80   63         0 976773168
Error #109: Partition ends after end of disk.
  ucEndCylinder (60801) must be less than 60801.
Info: Partition didn't end on cylinder boundary.
  ucEndHead expected to be 254, not 80.
Error #116: Starting sector of partition is inconsistent.
  ulStartSect = 0
  Begin C,H,S = 63
Error #120: Logical Drive chain extends toward start of drive.
Error #110: Number of sectors in partition is inconsistent.
  ucSectors   = 976773168
  end - begin = 976773105



So right now, there are 2 options :


1) fix the partition table (so I will find my true crypt partitions again)

I don't really know where to fix the problem.
It looks like the disk has bad sectors (or bad "tracks"). But what's the problem exactly ?

- Partition table was damaged ?
- Mft ?
- Boot sector ? (it's a data disk, no OS is installed, but because it was an external usb disk it is shown as 'bootable')



2) mount the lost partition with testcrypt

Where can I find a help page explaining how to use testcrypt ?
(The first partition, the one I need to recover, is only about 40Gigs, at the very beginning of the disk. Then there's a blank space of 40Gb -I deleted the partition- and then the big 400Gb partition.
To be more effective, I would like to search only for the first one !)




Either way, I would like to thank you in advance if you can help!
Testcrypt is such a good software!! nice programming mate!

Cast away
 
Unfortunately there is no real documentation for TestCrypt up till now and I am planning to rewrite the GUI because some options are very hard to understand and more complicated than they should be. Can you provide the screenshot of TestCrypt which shows the second partition - to find the partition more quickly only set "Automatic" at the "End of Volume" analyzer. Is the missing volume also a hidden TrueCrypt volume? Do you know the version of TrueCrypt which has been used to encrypt the partitions? Have both partitions been encrypted with the same version of TrueCrypt (especially important if you do not know the exact version of TrueCrypt anymore)?
 
Hi Simpson474,
Thanks a lot for helping me. And again, thanks for this amazing soft :)

Can you provide the screenshot of TestCrypt which shows the second partition - to find the partition more quickly only set "Automatic" at the "End of Volume" analyzer.
I didn't take a screenshot but I did write down all info before exiting the program :

Sector : 60800/236/46
Vol size : 405,91
hidden : True
Version : 4
"Embedded backup header" : 11443/239/48 - 60800/238/47

(If you prefer a screenshot, I'll run testcrypt again for you, just tell me).


Is the missing volume also a hidden TrueCrypt volume?
Yes !
Actually, both partitions have been built the same way.
They also have the same password (same outer volume password, and same hidden volume password)


Do you know the version of TrueCrypt which has been used to encrypt the partitions?
I highly believe it was 7.0a at the time of creation


Have both partitions been encrypted with the same version of TrueCrypt (especially important if you do not know the exact version of TrueCrypt anymore)?
Yes it was done the same day.

I also used same settings in truecrypt (hash, encryption algorithm..)



Also, I know the way I have built the partitions on this drive (I wrote it down in a file the day I did it)

There are exactly 3 partitions:

#1 - Primary - 43Gb - Hidden True crypt -Was Not Found in TestCrypt-
#2 - Primary - 44Gb - *deleted*
#3 - Extended - 378Gb - Hidden True crypt -Was found 100% working in testCrypt-

I had those 3 partitions for data storage. But once I decided to get rid of the second, so I deleted the partition totally (under partition magic). I did not touch it since, because I wanted to add it to the big one but it was not important at that moment.

CastAway
 
Version 4 should be TrueCrypt 6 - however TrueCrypt 6 is already using the new header format and therefore even a hidden partition should have been found with the "Automatic" option of the "Begin of Volume" analyzer.

As the normal header of the volume seems to be damaged, the backup header has to be found. Was the second partition also TrueCrypt encrypted? In this case you could try to enter the following range into the custom analyzer of TestCrypt:
11440/239/48 - 11443/239/48

If the second partition is found the end of the first partition could be reconstructed. Otherwise you could just try to scan around the 43 GB offset of the HDD. The following range will scan 2 GB around this location and would take almost 3 days on my PC:
88080384 - 92274688
 
Hi!

Unfortunately the second partition was not encrypted with truecrypt. Too bad :(

Yesterday, while trying to figure out how it works, I did a custom scan with : 5612/1/1 > 5616/1/1
(I usually like to have nice numbers in windows explorer : therefore to have 43.0 I would have chosen 44029,7 in partition magic, the program I'm usually using to partition)
But this morning nothing found.
So I'm going to scan more and more. Maybe I had 43002,11 in partition magic >> 88068329

The range you gave me would last 6 days on this machine, it's not a very recent machine :/
so I'll go step by step !
 
DONE !! =)

Simpson474 > It was very hard to figure out, but I finally found it.
Sector: 5629/236/46
Vol size : 46,14
hidden : True
Version : 5
"Normal header" : 5629/234/44 - 11243/233/43
"Embedded backup header" : 11443/239/48 - 60800/238/47


So yes it is a version 5. I must have done that with another TC version.
I have two different solutions : normal or backup.

Of course, I knew it was a backup version (because I was scanning for the END of the partition location).



Now, let me EXPLAIN why it took so long for me to figure out where was the location of the sector :

A full scan, as you mentioned, would have been good. But it was taking one entire week to scan.
SO I decided to find it myself. Because I usually keep a "map" of my hard drives, I knew the exact size of my partitions.

Problem was : I STILL couldn't find anything in test_crypt

Yesterday, after deleting the whole partition table, and re-building it with test_disk, I understood : my old acomdata hybrid drive has a special space (about 120Mb) at the very beginning of the drive! This is to mount a fake cdrom peripheral in windows (encryption and backup softwares).

SO, I had to move everything by about 120Mb !

I ended up scanning this range this night : 5625 > 5631 (when my guess was at 5629 !!) and it appeared to be 5629 !!! :)

SO COOL (even after 3 days of research :p )

Simpson474 : THANKS !
It was a good experience to understand how partitions and stuff work in the computer :) I read a lot of stuff during my research.

CastAway
 
If you are unable to find the partition with the step by step approach there is also the chance to use TestDisk in order to find the unencrypted partition. If the unencrypted partition has been found, the end of the encrypted partition can be narrowed to a much smaller range.
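
Added example (not part of the original thread, and not TestCrypt code): the CHS/sector arithmetic behind the ranges discussed above, showing why a scan window computed from the partition size alone misses the reported location while one shifted by the roughly 120 MB reserved area contains it. It assumes 255 heads, 63 sectors per track and 512-byte sectors, treats the poster's MB figures as MiB, and all function names are hypothetical.

```python
# Added example: CHS/LBA arithmetic for narrowing a header scan range.
# Assumed geometry: 255 heads, 63 sectors/track, 512-byte sectors.
HEADS, SPT, SECTOR = 255, 63, 512
CYL = HEADS * SPT                      # sectors per cylinder (16065)

def chs_to_lba(c, h, s):
    """CHS triple (sector numbers start at 1) to absolute sector number."""
    if not (0 <= h < HEADS and 1 <= s <= SPT):
        raise ValueError(f"CHS {c}/{h}/{s} is outside the {HEADS}/{SPT} geometry")
    return (c * HEADS + h) * SPT + (s - 1)

def lba_to_chs(lba):
    """Absolute sector number back to a CHS triple."""
    c, rem = divmod(lba, CYL)
    h, s0 = divmod(rem, SPT)
    return c, h, s0 + 1

def mib_to_sectors(mib):
    return round(mib * 1024 * 1024 / SECTOR)

def scan_window(size_mib, lead_in_mib=0, slack_cyl=2):
    """Cylinder range around the expected end of a partition of size_mib
    that begins lead_in_mib into the disk."""
    end_cyl = mib_to_sectors(size_mib + lead_in_mib) // CYL
    return max(end_cyl - slack_cyl, 0), end_cyl + slack_cyl

def window_contains(window, lba):
    return window[0] <= lba // CYL <= window[1]

def window_sectors(window):
    return (window[1] - window[0] + 1) * CYL

# Values quoted in the thread
FOUND = chs_to_lba(5629, 236, 46)      # location TestCrypt finally reported
PM_SIZE_MIB = 44029.7                  # size the poster believes he entered
LEAD_IN_MIB = 120                      # "about 120Mb" reserved at disk start
WIDE = (88080384, 92274688)            # 2 GB sector range suggested in the thread

if __name__ == "__main__":
    naive = scan_window(PM_SIZE_MIB)
    shifted = scan_window(PM_SIZE_MIB, LEAD_IN_MIB)
    print("found LBA", FOUND, "=", lba_to_chs(FOUND))
    print("size only      :", naive, window_contains(naive, FOUND))
    print("size + lead-in :", shifted, window_contains(shifted, FOUND))
    print("wide range holds it:", WIDE[0] <= FOUND <= WIDE[1])
    print("sectors to scan:", WIDE[1] - WIDE[0], "vs", window_sectors(shifted))
```

The wide sector range would also have contained the location; the shifted five-cylinder window simply covers far fewer sectors.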
 