Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2751
  • Last Modified:

Truecrypt Partition Accidentally Overwritten

Truecrypt Partition Accidentally Overwritten: PLEASE HELP!


Overview:

I mistakenly selected the wrong external HDD and deleted two partitions (simple wipe, no zero out) and created two new ones over top of them.  I caught the mistake right after I established the two new partitions and nothing has been written to the drive.  I have mounted the disk to my Mac to run TestDisk.

The original HDD partition arrangement:

Partition 1: Mac OS Extended named "Macintosh HD 2"
Partition 2: TrueCrypt Partition

The current situation:

http://dl.dropbox.com/u/1864771/Testdisk/diskutility.jpg


The Ask:

Does anyone know of a solution to restore the TrueCrypt partition other then calling a data recovery specialist?  I don't have a backup of the partition header and the tools I've tried so far all seem to focus on retrieving files.  There aren't any that recover a partition table of an otherwise healthy volume.

I just need to restore the partition table to mount the drive via TrueCrypt to access the data.  I've read that it might be possible to recreate the same partition layout, but I don't want to attempt anything for fear of ruining my chances of recovery.

Resources:

I referenced a lot of information from this EE question:
http://www.experts-exchange.com/Storage/Hard_Drives/Q_23780932.html

TestDisk wiki entry on TrueCrypt volume recovery:
http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume


I also went through TestDisk partition recovery and ended up hitting a road block where write access for the disk isn't available.

1 [Sudo] Root access
2 [Create] Create a new log file
3 Select the raw disk "/dev/rdisk2 - 500 GB/465 GiB (RO)"

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_volumes.jpg

4 "Write access for this media is not available."

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_nowrite.jpg

5 [Continue] I go ahead and continue w/o write access
6 [EFI GPT]
7 [Analyse]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_analyze.jpg

8 [Quick Search]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_quickscan.jpg



Any and all help is greatly appreciated!
diskutility.jpg
testdisk-volumes.jpg
testdisk-nowrite.jpg
testdisk-analyze.jpg
testdisk-quickscan.jpg
0
gnos
Asked:
gnos
  • 5
  • 2
  • 2
  • +2
1 Solution
 
TolomirAdministratorCommented:
as the wiki entry says, you need a backup of the header to proceed.

If the header gets corrupted or the container reformatted, TrueCrypt will display Incorrect password or not a TrueCrypt volume.. Using a backup of the volume header is the only possibility to recover the data.

After restoring the backup you use testdisk to recover the remaining disk.

---

Truecrypt stores the decryption schema of a partition in the header, each header is unique, even when using the same password for the encryption, so there is no way to redo tasks and get "some header" back to get access to the partition.

Sorry but  you should really think of a backup plan next time.

Tolomir
0
 
TolomirAdministratorCommented:
Just an explanation: the master key is not your password, but a unique key that is made during the truecrypt partition creation and used to encrypt the actual data.
The master key is only used internally to grant access to the data and it is unlocked when you enter the password.

You can change the header key deviation algorithm and truecrypt password for accessing the partition, changing the master key would involve modifying each bit in the encrypted volume, with todays large harddisks this would take several hours.

27.08.png
0
 
noxchoGlobal Support CoordinatorCommented:
It seems to me that your data is lost completely. Encrypted partitions are not designed to let someone to retrieve the data from any HDD which has been encrypted. Also data recovery specialist will not help you here as well.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
TolomirAdministratorCommented:
A data recovery specialist could recover the mentioned header. Even when deleted. Then he could unformat the deleted partition. There is no need to recover the encrypted
files, because the asker knows the password.
Default tools can only recover files in their original form. So they are of no use here.  
0
 
noxchoGlobal Support CoordinatorCommented:
Would be nice if recovery specialist could do that. One of my friends did work for encryption software company and he told me that recovery chances in such cases are very little.
0
 
TolomirAdministratorCommented:
Well that depends on if the original data is overwritten.

If, in this case, the master key is not recoverable there is no way to decrypt the partition. You got no redundancy as on unencrypted data where guessing is possible. "w0rt" - could be "word" but "x5ersx" is what ....
0
 
DavidPresidentCommented:
I will make it short and sweet.  Give up. There is no way to recover w/o the master key (or some quantum computers).
0
 
justadadCommented:
If you want to try and recreate the partition table I suggest trying it on a clone of the drive.  Boot with a Linux rescue CD such as sysresccd.org and do a DD and copy 100% of the drive to another same size drive (or to a file) and then do the recovery test on the copy instead of the original.

I would even consider doing the DD across the network to a identically sized Virtual machine HDD (ie VHD) ...that way you can try your partition recreation after a snapshot is taken so that if it doesn't work you can undo the snapshot and try again....and again.

From a Linux virtual machine you should at least be able to see when it recognizes the Mac partion propertly then you could try connecting truecrypt.

But alas I don't give much hope, but it would be much faster to try iterations of changing the partition sizes than trying to crack the encyption which would never happen.

0
 
justadadCommented:
Oops...I didn's see the response that the master key was in the partition table.  Yep no hope then.  Sorry.
0
 
gnosAuthor Commented:
Okay, thanks all.  I'm letting go of the data.
0
 
TolomirAdministratorCommented:
If you intend to use encrypted partitions again, please use the suggestions to backup the data and export the header from the truecrypt volume.

It happened to me too, that I did kill an encrypted partition, luckily I had a 2 months old backup. So the dataloss was acceptible.  

Tolomir
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 5
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now