dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
2961

derp
@174.67.240.x

derp

Anon

truecrypt hard drive recovery problem

Hard drive is a 128gb SSD. OS installed on it is Windows 7.

I started with a windows boot problem, where a particular driver would hang the operating system when it loaded. I could see the file in the safe mode, boot and it would always freeze when it reached that file.

So I put in the windows disk and boot into it thinking I can reinstall this driver.

My hard drive was full-disk encrypted with truecrypt.

I thought the windows cd would give me repair options, but once I selected the C drive, it starts installing right away. I was like O.O, realized I hadn't been prompted for my password, realized it was writing over the encrypted disk to load the windows files, and stopped it. But apparently the damage was done.

I then rebooted and got to my truecrypt loader, which seemed to be working fine. I type in my password. Nothing. I type it in 10 more times. nothing. My password doesn't work.

So I put in a new hard drive, install windows 7 on THAT hard drive, download truecrypt to THAT hard drive, and try to mount the original drive there. I try to recover the volume header from the internal backup and type in my password: not recognized as a truecrypt file. I was able to mount it without pre-boot authorization, which DOES require a password and my password DOES work, but when I mount it, it says "the file or directory is corrupted and unreadable".

I also have a truecrypt rescue disk. When I boot to it, I can restore the volume key, but that doesn't actually fix anything. My password still doesn't work when I do that. I can restore the boot loader, but that doesn't make any difference either. I can't restore the system loader, because it says you need to decrypt first for that.

So I try decryption. I set this to run. It is a 128 gb hard drive. It takes about 36 hours... except... it doesn't finish, because it hits bad disk errors and gets stuck on one (the sector number is very low, like 60 or something) and then spams that to the screen and won't do anything else. Also, if I interrupt the decryption early with Esc, the same thing happens.

I booted to Spinrite to try to fix the bad sectors, and it can see the disk, but hangs once I click to have it start checking. CHKDSK doesn't work at all because "Windows can't access the disk" and it can't work on reboot because on reboot the disk wouldn't be mounted.

As this point I just want to salvage as much data as I can from the disk. The bad sectors seem to be what caused the boot problem with windows, although my trying to get into windows repair is what made it stop accepting my password. My recovery disk accepts my password, but the repair options there don't work, or with full disk decryption, it can't complete. Even though I tell it to ignore bad sectors, it gets hung up on one and even pausing the decryption triggers that.

I can take and post screen shots of anything if anyone needs to see it. I tried to be thorough. Since I have the recovery disk CD, I wonder if I can use my password to pull the key out of it, and then use 3rd party software to decrypt using the key? then I can run the windows repair or simply copy out my data and wipe the drive (and probably trash it if the bad sectors are such a problem).

I hope someone has some ideas because I seem to have hit a wall.
Max_War
join:2002-11-30
Scarborough, ON

Max_War

Member

I'm not sure if Spinrite is the best tool to use on a SSD. Try this:

-Use your second hard drive and mount the SSD using Truecrypt
-try a data recovery tool like TestDisk from cgsecurity or GetDataBack. See if either program can repair the partition or recover any data.

You should also check the health of the SSD.

derp
@174.67.240.x

derp

Anon

I mounted the drive using truecrypt without pre-boot authentication. It works if I type in the correct password, but I can't see any files or access the disk once mounted.

Using testdisk, even with deep search, it can't find any partition.

getdataback says no file system found.

even though I can mount the drive, mounting it doesn't seem to matter as far as the contents being decrypted. it looks like these programs only see garbage when they scan the drive. getdataback found 2 file headers or something early on but that is probably just the truecrypt boot loader

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt

Member

You said you could mount it at one point, get back to that point and create a disk image of the mounted volume, then afterwards turn testdisk on that image.

Derp
@174.67.240.x

Derp

Anon

I can mount it. It shows that it is mounted in truecrypt. However, it is mounted without pre-boot authorization, and as far as I can tell, it is still encrypted or something. I mounted it and then ran testdisk and getdataback, but neither of them found anything at all. They fully scanned the drive while it was mounted.

In windows, while mounted, the drive says it is unreadable or inaccessible.

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt

Member

Testdisk has a mode where it extracts files by signature from the raw stream that does not require a valid partition table. Is that what you're referring to as deep mode?

Edit: actually I am thinking of »www.cgsecurity.org/wiki/PhotoRec
rfnut
Premium Member
join:2002-04-27
Fisher, IL

rfnut

Premium Member

I have had good luck with their test disk as well. Dont know if it would help with th TC issues but if there is any reafable blocks test disk will find em
Max_War
join:2002-11-30
Scarborough, ON

Max_War to derp

Member

to derp
Try Parted Magic. It has Truecrypt as an addon.

I had someone who had a corrupted Truecrypt drive. But the drive wasn't fully encrypted, so they couldn't do anything to retrieve the data. I think they tried all the things you did. I suggested Parted Magic, so they booted up Parted Magic. Started Truecrypt and mounted the drive.

When they accessed the decrypted drive, all the data was there. So hopefully the same thing may work for you.

Derp
@174.67.240.x

Derp

Anon

I will give it a try and let you know how it went

ahtrap
@172.5.213.x

ahtrap to Max_War

Anon

to Max_War
Similar issue, in that I have a truecrypt encrypted drive, and failing windows.

I grabbed Parted Magic, and booted up using it, but I'm unable to see the encrypted volume.

When you say, "Started Truecrypt and mounted the drive", how exactly do you accomplish that from the parted magic interface?
ahtrap

ahtrap

Anon

Cancel request...I'm not as dumb as I thought I was 10 minutes ago.

Checking the box that asked for pre-boot authentication got me past the initial "no encrypted volume found" warning that I was running up against. Files accessed, and now to try and move them to safer ground.