Solved

Truecrypt Partition Accidentally Overwritten

Posted on 2010-08-26
Last Modified: 2013-12-01
Truecrypt Partition Accidentally Overwritten: PLEASE HELP!


Overview:

I mistakenly selected the wrong external HDD and deleted two partitions (simple wipe, no zero out) and created two new ones over top of them.  I caught the mistake right after I established the two new partitions and nothing has been written to the drive.  I have mounted the disk to my Mac to run TestDisk.

The original HDD partition arrangement:

Partition 1: Mac OS Extended named "Macintosh HD 2"
Partition 2: TrueCrypt Partition

The current situation:

http://dl.dropbox.com/u/1864771/Testdisk/diskutility.jpg


The Ask:

Does anyone know of a solution to restore the TrueCrypt partition other than calling a data recovery specialist?  I don't have a backup of the partition header and the tools I've tried so far all seem to focus on retrieving files.  There aren't any that recover a partition table of an otherwise healthy volume.

I just need to restore the partition table to mount the drive via TrueCrypt to access the data.  I've read that it might be possible to recreate the same partition layout, but I don't want to attempt anything for fear of ruining my chances of recovery.

Resources:

I referenced a lot of information from this EE question:
http://www.experts-exchange.com/Storage/Hard_Drives/Q_23780932.html

TestDisk wiki entry on TrueCrypt volume recovery:
http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume


I also went through TestDisk partition recovery and ended up hitting a road block where write access for the disk isn't available.

1 [Sudo] Root access
2 [Create] Create a new log file
3 Select the raw disk "/dev/rdisk2 - 500 GB/465 GiB (RO)"

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_volumes.jpg

4 "Write access for this media is not available."

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_nowrite.jpg

5 [Continue] I go ahead and continue w/o write access
6 [EFI GPT]
7 [Analyse]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_analyze.jpg

8 [Quick Search]

http://dl.dropbox.com/u/1864771/Testdisk/testdisk_quickscan.jpg



Any and all help is greatly appreciated!
Question by:gnos
11 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 2000 total points
ID: 33539250
As the wiki entry says, you need a backup of the header to proceed.

"If the header gets corrupted or the container reformatted, TrueCrypt will display Incorrect password or not a TrueCrypt volume. Using a backup of the volume header is the only possibility to recover the data."

After restoring the backup you use testdisk to recover the remaining disk.

---

Truecrypt stores the decryption schema of a partition in the header, each header is unique, even when using the same password for the encryption, so there is no way to redo tasks and get "some header" back to get access to the partition.

Sorry, but you should really think of a backup plan next time.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33539290
Just an explanation: the master key is not your password, but a unique key that is made during the truecrypt partition creation and used to encrypt the actual data.
The master key is only used internally to grant access to the data and it is unlocked when you enter the password.

You can change the header key derivation algorithm and TrueCrypt password for accessing the partition; changing the master key would involve modifying each bit in the encrypted volume, and with today's large hard disks this would take several hours.

0
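An added illustration of the key hierarchy described in the two comments above (not part of the thread and not TrueCrypt's code): a simplified Python model in which a random master key encrypts the data and the password only derives a key that wraps that master key inside the header. The header layout, the SHAKE-256 keystream standing in for the real cipher, the PBKDF2 parameters and all function names are assumptions made for this example.

```python
import hashlib
import os
import zlib

MAGIC = b"TRUE"            # marker expected at the start of a decrypted header
SALT_LEN = KEY_LEN = 64    # constructed sizes for this model


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHAKE-256 keystream (stand-in, not XTS-AES)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _header_key(password: bytes, salt: bytes) -> bytes:
    # The password never touches the data; it only derives the header key.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 1000, dklen=KEY_LEN)


def make_header(password: bytes, master_key: bytes) -> bytes:
    salt = os.urandom(SALT_LEN)  # fresh salt: every header is unique
    body = MAGIC + zlib.crc32(master_key).to_bytes(4, "big") + master_key
    return salt + _xor_stream(_header_key(password, salt), body)


def open_header(password: bytes, header: bytes):
    """Return the master key, or None (wrong password or damaged header)."""
    salt, wrapped = header[:SALT_LEN], header[SALT_LEN:]
    body = _xor_stream(_header_key(password, salt), wrapped)
    master_key = body[8:]
    if body[:4] != MAGIC or body[4:8] != zlib.crc32(master_key).to_bytes(4, "big"):
        return None
    return master_key


def create_volume(password: bytes, plaintext: bytes):
    master_key = os.urandom(KEY_LEN)  # random, generated once at creation
    return make_header(password, master_key), _xor_stream(master_key, plaintext)


def read_volume(password: bytes, header: bytes, data: bytes):
    master_key = open_header(password, header)
    return None if master_key is None else _xor_stream(master_key, data)


def change_password(old: bytes, new: bytes, header: bytes):
    """Re-wrap the same master key; the encrypted data is not touched."""
    master_key = open_header(old, header)
    return None if master_key is None else make_header(new, master_key)
```

In this model, calling `create_volume` again with the same password yields a different header and master key, so a freshly made header cannot decrypt the old data, while a saved copy of the original header passed to `read_volume` can. `change_password` returns a new header for the same data, which is why a password change is cheap and a master key change is not.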
 
LVL 47

Expert Comment

by:noxcho
ID: 33539771
It seems to me that your data is lost completely. Encrypted partitions are not designed to let someone retrieve the data from any HDD which has been encrypted. Also, a data recovery specialist will not help you here either.
0

 
LVL 27

Expert Comment

by:Tolomir
ID: 33540422
A data recovery specialist could recover the mentioned header. Even when deleted. Then he could unformat the deleted partition. There is no need to recover the encrypted files, because the asker knows the password.
Default tools can only recover files in their original form. So they are of no use here.
0
 
LVL 47

Expert Comment

by:noxcho
ID: 33540663
Would be nice if a recovery specialist could do that. One of my friends did work for an encryption software company and he told me that recovery chances in such cases are very little.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33541183
Well that depends on if the original data is overwritten.

If, in this case, the master key is not recoverable there is no way to decrypt the partition. You got no redundancy as on unencrypted data where guessing is possible. "w0rt" - could be "word" but "x5ersx" is what ....
0
 
LVL 47

Expert Comment

by:David
ID: 33543319
I will make it short and sweet.  Give up. There is no way to recover w/o the master key (or some quantum computers).
0
 
LVL 7

Expert Comment

by:justadad
ID: 33547851
If you want to try and recreate the partition table I suggest trying it on a clone of the drive.  Boot with a Linux rescue CD such as sysresccd.org and do a DD and copy 100% of the drive to another same size drive (or to a file) and then do the recovery test on the copy instead of the original.

I would even consider doing the DD across the network to an identically sized Virtual machine HDD (ie VHD) ...that way you can try your partition recreation after a snapshot is taken so that if it doesn't work you can undo the snapshot and try again....and again.

From a Linux virtual machine you should at least be able to see when it recognizes the Mac partition properly then you could try connecting truecrypt.

But alas I don't give much hope, but it would be much faster to try iterations of changing the partition sizes than trying to crack the encryption which would never happen.

0
 
LVL 7

Expert Comment

by:justadad
ID: 33547872
Oops...I didn't see the response that the master key was in the partition table.  Yep no hope then.  Sorry.
0
 

Author Comment

by:gnos
ID: 33549057
Okay, thanks all.  I'm letting go of the data.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33549734
If you intend to use encrypted partitions again, please use the suggestions to back up the data and export the header from the truecrypt volume.

It happened to me too, that I did kill an encrypted partition, luckily I had a 2 months old backup. So the data loss was acceptable.

Tolomir
0
