• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1695
  • Last Modified:

Recover quick format Truecrypt partition

Well,  I have accidently, not that I think anyone does it on purpose, have quick formatted my data drive which resides on a NTFS Truecrypt partition.

Now, I have'nt dismounted or did anything yet.  I need expert advise first.  There are a lot of tools available but what do I do First and which program do I use?
2 Solutions
EirmanChief Operations ManagerCommented:
One of the reasons I switched from truecrypt to bestcrypt (years before truecrypt support ceased)
was that it gave a warning if you were about format an apparently unformatted disk.

I've done a bit of reading on your dilemma and I have concluded that tools like Recuva & GetDataBack are no good.
You need an unformating tool. As it was a quick format, all the data should still be there.

The only tool that I know of is ....

If you don't get any advise to the contrary over the next few days, it's well worth a try.

I'll have a look for more tools

EDIT: You should run testdisk anyway. It's non-destructive when inspecting the disk.
It's only at the final point where you have to select [Y] to recover a partition that it actually changes anything

The more I read, the more hopeless your situation seems .... the next section is just a possibility
I came across this but EE does not allow me to give you a link

So first of all, you need an original "truecrypt header" so that you can decrypt the data correctly.
A quick format will wipe out the original but if you are lucky it will leave the backup, at the end of the file, alone.
Truecrypt will let you mount the container using the backup header in the mount options while entering in the password, but it will still not mount the container correctly for any recovery program to do its work.

1. Select device (or file).
2. Volume tools...
3. Restore volume header...
4a. Restore using internal backup... (if you were lucky enough that the format left it there, otherwise...)
4b. Restore using external backup file... (if you were lucky enough to have saved a back up of the header by now)

If both options give a "password wrong" error then all the data is lost because it is forever encrypted.

5. Mount the the container (like normal).
6a. Use a recovery tool like R-Studio to scan the mounted drive for existing filesystems.
6b. Use TestDisk to rebuild the filesystem.
7. Recover files to another disk

At this point, files will be recovered that were not hit by the format. In the case of a quick format, nearly all data should be left untouched.

8. Rebuild the truecrypt drive using the recovered files.

I used 4a and 6a and I was able to recover 100% of my data after my USB drive fully encrypted was quick formatted.
For future reference -- From truecrypt faq:

When I plug in my encrypted USB flash drive, Windows asks me if I want to format it.
Is there a way to prevent that?

Yes, but you will need to remove the drive letter assigned to the device. For information on how to do so,
see the question ....
'I encrypted a non-system partition, but its original drive letter is still visible in the 'My Computer' list.'

to free the drive letter follow these steps:
Right-click the 'Computer' (or 'My Computer') icon on your desktop or in the Start Menu and select Manage. The 'Computer Management' window should appear.

=} From the list on the left, select 'Disk Management' (within the Storage sub-tree).

=} Right-click the encrypted partition/device and select Change Drive Letter and Paths.

=} Click Remove.

=} If Windows prompts you to confirm the action, click Yes.
Recuva specifically mentions being able to recover data from Quick Formatted drives:
Similarly, when you format a drive (especially if you use the Quick Format option), Windows erases the hidden index but does not overwrite the existing files until you start saving new data to it. Recuva can still scan the drive's contents to find your files.

TestDisk is pretty non-destructive, since it only touches the partition data; it doesn't do any formatting of its own.

PhotoRec may be another option, since that ignores filesystems completely and just looks for files on the disk.

When running a recovery program like Recuva and PhotoRec, be sure to write the recovered files to somewhere other than the drive you're recovering from. In this case, that means recovering to somewhere other than the Truecrypt volume. Once you've recovered all the files, you can move them back onto the Truecrypt volume.
EirmanChief Operations ManagerCommented:
Unfortunately, Recuva, PhotoRec GetDataBack etc cannot possibly work as all data is encrypted.
The only thing that just might work is a partition repair tool.

Even more unfortunately, a quick format is quite destructive with a truecrypt volume as it deletes the header information which truecrypt need.
Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

It depends on what was actually formatted. If the actual physical partition or drive is quick formatted, it may not be possible to recover the encrypted volume that was on it.

However, due to the OP's mention of not yet dismounting, it sounds more like the OP quick formatted the mounted volume. In that case, the underlying truecrypt partition is still fine, and it's already mounted and decrypted. It's just that the data inside the partition has been formatted. As long as the truecrypt partition is able to be decrypted and mounted, the data inside should be able to be recovered using standard data recovery tools.
Test disk could recover the partition, it does not matter if encrypted or not, he just wants the partition table entries, not the data. But, first thing's first: if the data is really important, there will be a backup...or...? If there's no backup but the data is important, you might prefer to work more securely on a clone of that drive. Clonezilla is a tool to do sector based 1:1 clones. So you could test the clone without fearing to do more harm than good.
KarmileAuthor Commented:
Well, after downloading about 10 different recovery software I found that Active@ Partition Recovery worked the best.  It was able to see the encrypted virtual disk and recovered the MFT with all the files.  Testdisk was not able to retrieve the MFT and a lot of the other software could not see the virtual encrypted disk.  The only other product worth mentioning is R-undelete.  I went with Active@ since it was cheaper than R-undelete and it also ran faster.

The key factor was that I never dismounted the Truecrypt drive, therefore the encryption header was never lost.  

I think if you dismount an encrypted Truecrypt virtual disk, then its all over.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now