Solved

Truecrypt Partition Accidentally Overwritten

Posted on 2010-08-26
11
2,543 Views
Last Modified: 2013-12-01
Truecrypt Partition Accidentally Overwritten: PLEASE HELP!


Overview:

I mistakenly selected the wrong external HDD and deleted two partitions (simple wipe, no zero out) and created two new ones over top of them.  I caught the mistake right after I established the two new partitions and nothing has been written to the drive.  I have mounted the disk to my Mac to run TestDisk.

The original HDD partition arrangement:

Partition 1: Mac OS Extended named "Macintosh HD 2"
Partition 2: TrueCrypt Partition

The current situation:

http://dl.dropbox.com/u/1864771/Testdisk/diskutility.jpg


The Ask:

Does anyone know of a solution to restore the TrueCrypt partition other then calling a data recovery specialist?  I don't have a backup of the partition header and the tools I've tried so far all seem to focus on retrieving files.  There aren't any that recover a partition table of an otherwise healthy volume.

I just need to restore the partition table to mount the drive via TrueCrypt to access the data.  I've read that it might be possible to recreate the same partition layout, but I don't want to attempt anything for fear of ruining my chances of recovery.

Resources:

I referenced a lot of information from this EE question:
http://www.experts-exchange.com/Storage/Hard_Drives/Q_23780932.html

TestDisk wiki entry on TrueCrypt volume recovery:
http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume


I also went through TestDisk partition recovery and ended up hitting a road block where write access for the disk isn't available.

1 [Sudo] Root access
2 [Create] Create a new log file
3 Select the raw disk "/dev/rdisk2 - 500 GB/465 GiB (RO)"

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_volumes.jpg

4 "Write access for this media is not available."

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_nowrite.jpg

5 [Continue] I go ahead and continue w/o write access
6 [EFI GPT]
7 [Analyse]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_analyze.jpg

8 [Quick Search]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_quickscan.jpg



Any and all help is greatly appreciated!
diskutility.jpg
testdisk-volumes.jpg
testdisk-nowrite.jpg
testdisk-analyze.jpg
testdisk-quickscan.jpg
0
Comment
Question by:gnos
  • 5
  • 2
  • 2
  • +2
11 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 500 total points
ID: 33539250
as the wiki entry says, you need a backup of the header to proceed.

If the header gets corrupted or the container reformatted, TrueCrypt will display Incorrect password or not a TrueCrypt volume.. Using a backup of the volume header is the only possibility to recover the data.

After restoring the backup you use testdisk to recover the remaining disk.

---

Truecrypt stores the decryption schema of a partition in the header, each header is unique, even when using the same password for the encryption, so there is no way to redo tasks and get "some header" back to get access to the partition.

Sorry but  you should really think of a backup plan next time.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33539290
Just an explanation: the master key is not your password, but a unique key that is made during the truecrypt partition creation and used to encrypt the actual data.
The master key is only used internally to grant access to the data and it is unlocked when you enter the password.

You can change the header key deviation algorithm and truecrypt password for accessing the partition, changing the master key would involve modifying each bit in the encrypted volume, with todays large harddisks this would take several hours.

27.08.png
0
 
LVL 46

Expert Comment

by:noxcho
ID: 33539771
It seems to me that your data is lost completely. Encrypted partitions are not designed to let someone to retrieve the data from any HDD which has been encrypted. Also data recovery specialist will not help you here as well.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33540422
A data recovery specialist could recover the mentioned header. Even when deleted. Then he could unformat the deleted partition. There is no need to recover the encrypted
files, because the asker knows the password.
Default tools can only recover files in their original form. So they are of no use here.  
0
 
LVL 46

Expert Comment

by:noxcho
ID: 33540663
Would be nice if recovery specialist could do that. One of my friends did work for encryption software company and he told me that recovery chances in such cases are very little.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 27

Expert Comment

by:Tolomir
ID: 33541183
Well that depends on if the original data is overwritten.

If, in this case, the master key is not recoverable there is no way to decrypt the partition. You got no redundancy as on unencrypted data where guessing is possible. "w0rt" - could be "word" but "x5ersx" is what ....
0
 
LVL 47

Expert Comment

by:dlethe
ID: 33543319
I will make it short and sweet.  Give up. There is no way to recover w/o the master key (or some quantum computers).
0
 
LVL 7

Expert Comment

by:justadad
ID: 33547851
If you want to try and recreate the partition table I suggest trying it on a clone of the drive.  Boot with a Linux rescue CD such as sysresccd.org and do a DD and copy 100% of the drive to another same size drive (or to a file) and then do the recovery test on the copy instead of the original.

I would even consider doing the DD across the network to a identically sized Virtual machine HDD (ie VHD) ...that way you can try your partition recreation after a snapshot is taken so that if it doesn't work you can undo the snapshot and try again....and again.

From a Linux virtual machine you should at least be able to see when it recognizes the Mac partion propertly then you could try connecting truecrypt.

But alas I don't give much hope, but it would be much faster to try iterations of changing the partition sizes than trying to crack the encyption which would never happen.

0
 
LVL 7

Expert Comment

by:justadad
ID: 33547872
Oops...I didn's see the response that the master key was in the partition table.  Yep no hope then.  Sorry.
0
 

Author Comment

by:gnos
ID: 33549057
Okay, thanks all.  I'm letting go of the data.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33549734
If you intend to use encrypted partitions again, please use the suggestions to backup the data and export the header from the truecrypt volume.

It happened to me too, that I did kill an encrypted partition, luckily I had a 2 months old backup. So the dataloss was acceptible.  

Tolomir
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Storage devices are generally used to save the data or sometime transfer the data from one computer system to another system. However, sometimes user accidentally erased their important data from the Storage devices. Users have to know how data reco…
Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now