Solved

How would one recover a TrueCrypt partition inadvertently deleted during Windows XP setup?

Posted on 2008-10-02
Last Modified: 2012-11-15
Overview:
In installing Windows XP to a system with several attached drives, I inadvertently deleted an incorrect partition. The drive of the partition had only this one partition which spanned the entire volume. This particular partition was formatted with TrueCrypt and has encrypted data on it.


The gory detail:
During the Windows XP setup, just after pressing F8 to accept the agreement, I selected this partition thinking that it was a different drive and pressed the key combination ("D", then "L", or whatever it is) to delete it. I realized my error a few seconds later, then immediately exited the Windows XP setup (by pressing "F3" twice, or whatever the key sequence is to exit it properly). I was hoping that maybe the disk partitioning software was coded in such a manner as to delay execution of the re-partitioning functions until a target partition for installation was selected, but no such luck.


My hopes:
Does anyone possibly know what steps I can take to restore this lost TrueCrypt partition aside from making a visit to a data recovery specialist? I see there are tools supposedly for recovering partitions. I've tried a few, but so far they all seem to look for *files* on a specific type (NTFS/FAT/etc.) of partition. None of them seem to actually look to recover a partition table of an otherwise healthy volume.

I just need to restore the partition table as it was so I can reach the TrueCrypt data which (I hope) hasn't been altered. I've read that it may be possible to create the same partition layout (in this case a single, primary partition), using the same tool I originally partitioned the disk with (in this case, Windows Disk Management). That would seem to make sense, but I'm averse to rushing into trying that as I'm afraid I might really trash the partition if it's the wrong move.

I'm also obviously concerned whether the Windows Setup CD could have written to some data that would adversely affect the TrueCrypt data of the disk.

I've read the article here, discussing the basics of recovering a partition table:
http://www.datarescue.com/laboratory/partition.htm

And I've also read the Wikipedia article on PC partition tables:
http://en.wikipedia.org/wiki/Disk_partitioning#PC_BIOS_partition_types

So I'm understanding that the partition table is in the first few bytes of the disk and safely out of the way of most things, but I don't know if TrueCrypt perhaps stores some data in the partition table as well, data which might have been corrupted by the Windows Setup CD when I pressed "D" then "L" to delete the only partition of the disk.

Any help or advice at all in this matter would be appreciated. Thank you!
0
Question by:haruhi
23 Comments
 
LVL 25

Expert Comment

by:slam69
Have you looked into using GetDataBack?

Aside from the data recovery experts, this is the best software I have found commercially available for recovery.
0
 
LVL 25

Expert Comment

by:slam69
0
 

Author Comment

by:haruhi
Thank you for your recommendation. Their software was the first I tried last night. As far as I can tell, it does not list partitions for recovery, only the files found where the partitions once were. I select my disk and then it begins searching it for files, which it won't and doesn't find because there is just one massive block of TrueCrypt-encrypted bits.

I'm currently trying to recover this partition table with TestDisk and these TestDisk step-by-step tutorials:
http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume

Unfortunately, I don't understand some of the rather terse instructions. I'm following the directions on the latter page under the smaller heading which reads, "Under Windows". I've tried running the testdisk.exe file, selecting "none", then selecting "advanced", selecting "NTFS" as the type, and then I don't know what to do. My options are "type" (to change from NTFS to something else), "boot" (for boot sector recovery), "image creation" (to create an image) and "quit". None of these sound like what I want, yet this is where the instructions seem to lead. I see they're talking about an ext2/ext3 superblock, but I don't understand how that correlates to a Windows TrueCrypt volume as those are Linux partition types.

Clues or guidance are always appreciated. Thank you!
0
 
LVL 25

Expert Comment

by:slam69
Hmm, I think you need to be using PhotoRec then to recover, and not TestDisk.

TestDisk recovers your boot sector fine but not the deleted partition. Take a look here:

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
0
 

Author Comment

by:haruhi
I'm really wondering at this point whether I can just use Windows XP Disk Management to create a new, primary partition without formatting to restore the table. When I attempt this operation on a test volume, the Disk Management Window gives me the hour glass for at least 10 long seconds before returning, even though I've neither assigned a drive letter nor even applied a quick format. (I selected "none" for both.) So what's it doing there? And would it be destructive to my TrueCrypt volume?
0
 

Author Comment

by:haruhi
Okay, looks promising. I'll try that and report back (though possibly tomorrow as it's so late here it's almost early).

:P
0
 
LVL 25

Expert Comment

by:slam69
I was considering the same: create a new installation of XP called windows 2 and then use that to recreate the partition table. Trouble is, you COULD lose your data.

Did you take a look at PhotoRec?
0
 
LVL 25

Expert Comment

by:slam69
Np, I'm in work for another 4 hours, then will be leaving in tomorrow, then leave this job, so won't know when I'll be back on EE.
0
 

Author Comment

by:haruhi
Okay, PhotoRec appears to offer the same functionality as GetDataBack in that it is used to recover files from a partition. It has options for scanning to recover all manner of file types, but there appear to be no options to recover a partition. TestDisk appears to be the right tool, I'm just afraid to get too wild with it as it seems obvious that I could shoot myself in the foot.

Well, for now I'm going to sleep on it. Thanks for your help! :)
0
 
LVL 23

Expert Comment

by:DanCh99
I would not install *anything* to your troublesome disk.  Don't create any partitions, even.  Anything that writes to the disk will risk your data.

If you need a working OS, fit the disk as a slave to another PC, or even fit a temporary hard disk to your current PC.

I've not tried TestDisk, but Acronis Disk Director is a good tool too, and will do partitions.  GetDataBack has saved files on 2 properly hosed systems for me in the past, but never tried it on partitions.

Acronis:
http://www.acronis.com/homecomputing/products/diskdirector/partition-recovery.html
0
 

Author Comment

by:haruhi
Nothing has been written to the disk. I leave it disconnected whenever I'm not trying to inspect it. I'm uber-paranoid about doing any destructive operations to the disk, so I haven't so much as written a byte to it, unless TestDisk, GetDataBack, Acronis Disk Director Suite or Windows has written data to this disk without informing. I'm doubting any of the apps have tried writing anything to the disk. Again, it shows as having no partitions, so there's nowhere to really write anything. I haven't created any new partitions since accidentally deleting the original partition with the Windows XP setup CD partitioning wizard.

No dice with Acronis Disk Director Suite. I've tried both the quick and complete methods; neither does anything at all with my disk. All I get is an empty window that says "Please select the partitions you want to recover from the list below." No partitions are listed.

Any other ideas?
0
 
LVL 25

Expert Comment

by:slam69
I'm afraid I'm struggling now. Have you tried manually rebuilding the partition table? Might be possible, but I think that's a very, very long shot and could again cause more trouble. If it's vital, I'd be considering contacting a recovery expert at this point, but it might still not work and could be very expensive.
0
 
LVL 23

Expert Comment

by:DanCh99
If a couple of big names in the software recovery world aren't showing anything for you, I'd say you need to look at the specialist data recovery providers now... Once they reconstruct the VERY low level data for you, I'd think it should be highly probable that the rest of the data can be recovered.  Just expensive, that's all...

War1 has an impressive list of utilities here that you may want to give a spin as well:
http://www.experts-exchange.com/Software/System_Utilities/Q_23785044.html
0
 

Expert Comment

by:rudderlesschild
WAIT!  Ok, don't close this just yet.  haruhi, if you are still out there, here is what you do.  

Before you begin, know that testdisk will not find an encrypted partition, so using it is worthless.  However, if the partition spanned the entire disk, then you don't need it anyway.

A)  First of all, do NOT restore the partition in any way that will format the partition.  Even a "quick" format will screw things up.  The best way to restore the partition is from within Windows.  Click Start-> Programs-> Administrative Tools-> Computer Management.  In the popup, double click "Disk Management".  Highlight the drive where the partition was located, right click and choose "create new partition" or whatever.  Proceed through the Wizard to recreate your partition but DO NOT format the partition in any way.  You don't need to assign a letter or name, either, but it won't hurt if you do.  Most importantly, do not format at all.

B)  If the data you are trying to recover is on a HIDDEN volume, skip to Part E, below.  If on a NORMAL or OUTER volume AND you created the volume using version 5.0 or higher, then proceed to Part C.  If on a NORMAL or OUTER volume AND created using version LOWER THAN 5.0, skip to Part D.

C)  If you encrypted the partition with TrueCrypt version 5.0 or higher, you can simply open TrueCrypt, select the volume as if you planned to mount it, but instead choose "Tools" -> "Restore Volume Header".  In the popup, choose the first option, "restore header from backup header", or whatever it says.  This is a backup header located at the END of the volume and will still be intact.  Enter the password for the volume, and TrueCrypt will restore the Volume Header.  If the partition contained both a Normal and a Hidden volume, you will need to use the "restore volume header" function twice, though sometimes the hidden volume will mount even if you don't restore the header (see below).  Mount the volume with the restored header, and, as long as no data was written to the volume, your data will be there, intact, as good as new.  If data was accidentally written to the volume, then you will get a "file system" error when you try to view the contents.  The second time you try to access the volume it will ask you if you want to format the volume.  You don't, of course, but you won't be able to anyway.  If this is the case, you may be hosed.  I am myself trying to find a way to "read" a damaged TrueCrypt volume that had the first <10mb overwritten.  I know all the data is there, but TrueCrypt won't decrypt the drive :(  If I find a way, I'll let you know.  If you find or found a way, let ME know, please.

D)  Ok, so, if you used TrueCrypt below version 5.0 you may again be screwed if you did not create your own volume header.  If you DID create a backup of your Volume Header and have it stored on a disk somewhere, then just follow the instructions above to restore the volume, except choose the second option to restore from an external backup (if you are still using a version below 5.0 then you won't have the two options, just one, and you will need an external backup header that YOU created).

E)  If you don't have a backup header, the data MAY still be there if you stored the data on a HIDDEN volume.  For some reason deleting a partition and then restoring it only damages the primary volume header of the outer volume.  The hidden volume header will probably still be intact.  If the data is on a hidden volume then simply try to mount the volume as normal, without restoring the header.  If this fails to mount the volume, then go back up to Part C (for version 5.0 or higher) or Part D (for versions below 5.0).

GOOD LUCK, I hope this helps . . .

And, if you have been successful at recovering data off a DAMAGED partition, (rather than just deleted) let me know how you did it, I'll be very interested to know myself.
0
 

Author Comment

by:haruhi
Apologies for my delay in getting back to this. I've been very busy, but meaning to post a follow-up. I found my solution via phone support with a data recovery specialist, which I intend to post here. Basically, I manually coded a new partition table by writing a table with a single partition that spanned the entire volume (using a DOS-based disk editor). It was a little tricky in that the drive in question was an external volume, but the disk editor only worked with internal disks, so I had to remove the disk from its enclosure and install it into a desktop PC to perform this step. Once I had mounted the TrueCrypt partition and seen that my data was readable, I then went a step further by using the disk editor to read the partition table of a disk of the same exact size having a single partition. I took those parameters and coded them into the problem disk's partition table, and now I have the disk right back to where it was before.

I'm very appreciative to rudderlesschild for the verbose reply. As it is, I deleted the partition table and never committed any writes to the drive, so no data at all was touched within the partitioned space ever. This is why I posted the question with confidence that there must be a way to simply recreate the partition. I really wanted to try creating the partition with the Disk Management interface, but because it operates like a black box with no knowing what it's really doing behind the scenes, I felt it would be way too risky. The way it turned out, it's actually very simple to code a single partition into a partition table.

I'll post the solution in detail later today or tomorrow. Again, I didn't mean to abandon the question, I just didn't receive any working answers and then was struggling to find the time to reply once I had addressed the matter. Thank you for your patience.
0
 

Expert Comment

by:rudderlesschild
Glad to hear you got that partition back.

I have a question, which may be answered in your more detailed reply (which I hope you still post), but I'll ask it now in case.  After you recoded the partition, did you have to restore the Volume Header, or did the volume mount without restoring?  Using Disk Management I have always had to restore the Volume Header (for the outer volume, but not for any hidden volumes).  Because if you did not have to restore the header please let me know what editor you used to rewrite the partition.  Disk Management must write a few sectors of code, overwriting the header . . .

Also I would be interested in whom you spoke with, and how much it cost for their advice.  I still can not recover the data on my partition, which must have had some data written in the first few MB beyond the Volume Header.  Restoring the Header mounts the volume, but Truecrypt won't decrypt the data.  I know it is there, at least 99.9% of it, but something happened to make it unreadable.  Maybe your contact can help me with my problem . . .
0
 

Accepted Solution

by:
haruhi earned 0 total points
In brief, these are the steps I took:
(You can see photos of many of these DOS screens at the following URL:
http://gallery.me.com/analogduck#100016&bgcolor=black&view=grid )

* I created a bootable CD which had Norton Disk Doctor 2002 on it. Specifically, I used Hiren's  Boot CD 9.5.

* I detached all drives from the system.

* The problem drive was a USB drive, so I removed it from its encasing and attached its SATA connector directly to the motherboard. (Disk Doctor doesn't see USB drives.)

*  Within Disk Doctor, I took the following steps:

> From the menu I selected Object > Drive... > Type: Physical disks > Hard disk 1 > Okay.

> From the menu I selected Object > Physical Sector...

> I made a note of the second number, which is the last legal value for the physical sector, in my case 976,773,168. I then escaped this dialog.

> From the menu I navigated to Tools > Configuration and unchecked Read Only so that I could write to the partition table.

>  From the menu I then selected View > as Partition Table and this brings up the partition table that was completely blank. (Listed as all zeros.)

> I entered data in the top row as:
HPFS No 1 0 1 254 1023 63 63 976773168

All the data in each field except the last field ("976,773,168") would be the same on any drive having only one NTFS partition. This last number was of course taken from the above (the last legal physical sector value for this disk).

In my gallery this is photo IMG_0102.JPG

> I exited and committed the changes. (If I recall correctly, Norton Disk Doctor automatically prompts you regarding this.)


It turns out that these steps restored the partition to be both visible and mountable. I booted up, mounted the drive, and did some test navigation successfully. Now that I knew the general method was successful, it was time to refine the repair to do it properly.

I then performed a partitioning of a drive of the same size (same make and model as well), using the Disk Management console as I had done with the problem drive when I had purchased it. I shut down the computer. Removed the newly partitioned drive from its enclosure, attached it directly to the SATA port of the motherboard, and booted back into Norton Disk Doctor. I then navigated to the Partition Table and read the last number: 976,768,002.

Why did I go through this effort? Because I know that Windows Disk Management has an affinity to partition on some sort of block boundary whose specifics are unknown to me. What I did when I initially fixed the disk was to just fudge the partition by simply inputting the last sector of the drive. However, this might eventually cause a problem, because the actual partition did not extend that far. So I took this second reading from a just-partitioned drive of the same size to see what the number was supposed to be.

I then shut down, reconnected the (now-mostly-fixed) problem drive, booted into Disk Doctor, navigated to the partition editor, and changed the last number in the top row of the partition table from 976,773,168 to 976,768,002, saved and exited.

As far as I can tell, my drive is as good as ever now. It's been almost two months and everything still works fine.
0
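The table row from the accepted solution above, encoded as the 16-byte MBR partition entry it corresponds to and checked against the disk size, as an added example that is not part of the original thread. It assumes the row's columns read as system, boot, starting side/cylinder/sector, ending side/cylinder/sector, relative sectors and number of sectors; the function names are hypothetical, and the sector is built in memory rather than read from or written to a disk.

```python
import struct

TABLE_OFFSET = 446        # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR sector
ENTRY = "<B3sB3sII"       # boot flag, start CHS, type, end CHS, relative, count


def pack_chs(head, cyl, sector):
    """Encode side/cylinder/sector into the 3-byte on-disk form."""
    return bytes([head, (sector & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def unpack_chs(raw):
    head, b1, b2 = raw
    return head, ((b1 & 0xC0) << 2) | b2, b1 & 0x3F


def build_entry(ptype, bootable, start_chs, end_chs, rel_sectors, num_sectors):
    return struct.pack(ENTRY, 0x80 if bootable else 0x00, pack_chs(*start_chs),
                       ptype, pack_chs(*end_chs), rel_sectors, num_sectors)


def build_mbr(entries):
    """Constructed sector: zeroed boot code, the table, then the 55 AA signature."""
    return bytes(TABLE_OFFSET) + b"".join(entries).ljust(64, b"\x00") + SIGNATURE


def parse_mbr(sector):
    """Return the non-empty table entries of a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 55 AA")
    found = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        boot, start, ptype, end, rel, num = struct.unpack(ENTRY, raw)
        if ptype == 0 and num == 0:
            continue  # all-zero slot, which is how a deleted table reads
        found.append({"slot": slot, "type": ptype, "bootable": boot == 0x80,
                      "start_chs": unpack_chs(start), "end_chs": unpack_chs(end),
                      "rel_sectors": rel, "num_sectors": num})
    return found


def overrun(entry, last_sector):
    """Sectors by which the entry reaches past the last legal sector (0 = fits)."""
    end = entry["rel_sectors"] + entry["num_sectors"] - 1
    return max(0, end - last_sector)


# Values quoted in the thread; the column reading is an assumption.
LAST_SECTOR = 976773168   # "last legal value for the physical sector"
NTFS_HPFS = 0x07          # MBR type byte shared by HPFS and NTFS
FIRST_TRY = build_entry(NTFS_HPFS, False, (1, 0, 1), (254, 1023, 63), 63, 976773168)
REFINED = build_entry(NTFS_HPFS, False, (1, 0, 1), (254, 1023, 63), 63, 976768002)

if __name__ == "__main__":
    for name, entry in (("first try", FIRST_TRY), ("refined", REFINED)):
        parsed = parse_mbr(build_mbr([entry]))[0]
        print(name, entry.hex(" "), "overrun:", overrun(parsed, LAST_SECTOR))
```

Because the partition starts at relative sector 63, using the last sector number as the sector count makes the first entry end past the end of the disk, while the count read from the reference drive fits.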
 

Expert Comment

by:PityReport
Rudderlesschild !!! I used your suggested solution and it helped me get my partition back. Thank you so much for your solution.
0
 
LVL 1

Expert Comment

by:AshridgeTechServices
I had a similar problem: As I understand it, most recovery progs recreate the partition table only by looking at the disk and working out what the partition table should be like to make the disk work, rather than directly recovering the original partition table itself. A deleted partition which has been encrypted can't be identified as a partition by most recovery progs since the prog is unable to distinguish encrypted data from blank space on the disk. I found a program called TestCrypt which can specifically scan for TrueCrypt file headers to overcome this problem- it worked brilliantly!
0
