
(I'm asking this for a friend of mine as I'm trying to help him with this problem over remote desktop, so if any details are needed, just ask and I will get them). Two entire hard disks were encrypted with TrueCrypt, and then decrypted with a recovery CD created on a different computer, but with the same password. Windows then detected the disks as "RAW", instead of the filesystem it was supposed to be (FAT or NTFS, not sure). fdisk on an Ubuntu virtual machine shows one FAT16 partition spanning one entire drive. Various partition recovery programs such as TestDisk were run on the drives with no success. I think the file data itself is still there, but the partition or filetables are corrupt or missing. We've tried altering the partition tables on the drives with no success. Any help would be very, very greatly appreciated.

Currently, we are running TestDisk on one mounted virtual drive in Windows. The other hard disk will not mount, but this one does. The hard disk seems to still be encrypted, and TestDisk found a few NTFS partitions, and is still scanning currently. I'll update this as the situation changes.

Kale Muscarella
  • Wow, sucks to be your friend. I don't have much hope, but hopefully someone out there knows TrueCrypt well enough to answer intelligently. – Scott Pack Jul 13 '12 at 14:05
  • "then decrypted with a recovery CD created on a different computer, but with the same password" Highly surprised that the recovery disk even accepted your HDD. AFAIK recovery disks aren't bound to the password, but to the master key of the volume. – CodesInChaos Jul 13 '12 at 14:10

1 Answer


First, a bit of background: Truecrypt uses a classic 2-stage approach:

So your task right now is to recover or re-create the original volume header, with the original master encryption key used to create the volume.

I hope your recovery CD is a Truecrypt Rescue Disk, as described here. If it's a recovery CD from Microsoft Windows or a partition tool (like Norton Ghost), then you are probably out of luck. These will very likely not contain a copy of the original Truecrypt volume header, or contain a damaged header, and thus be of no use.

If your recovery CD is made on another computer, for another Truecrypt volume, then it is of no use. It contains a copy of a volume header with a master encryption key -- but the master encryption key is for the other computer's volume, not for your friend's volume.

Assuming that you're not stuck due to the above problems, then here is what I would do to recover data:

  1. Make a bit-by-bit copy of the hard disks to empty hard disks of the same or larger size. You could do this using e.g. Norton Ghost, Acronis True Image, or Linux tools like G4L or Clonezilla Live. Then put the original disks away. (The purpose of this step is to keep the original disks safe, in case I accidentally make an irreversible mistake while working with the volumes.)
  2. Put the volume copies into a known good computer.
  3. And now it should (hopefully) be a case of booting from the Truecrypt Rescue Disk (CD) and following Truecrypt's instructions.
  • 1
    An informative and concise answer. Thank you! Unfortunately for my friend, he never actually made a TrueCrypt Rescue Disk, and the volume does not have an embedded backup header since it is a system volume. However, now I understand exactly what the problem was and why we couldn't mount the drive. Thanks! – Kale Muscarella Jul 22 '12 at 00:07
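To illustrate the two-stage layout the answer describes, and why a rescue disk made on another computer cannot help even with the same password, here is an added toy model (not TrueCrypt's code). It uses an HMAC-SHA256 counter keystream and PBKDF2 as stand-ins for XTS-AES and the real header format; all keys, salts and sample data are constructed.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"  # a real TrueCrypt header also begins with this ASCII tag once decrypted

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (toy, NOT XTS-AES): XOR with HMAC-SHA256 counter blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def header_key(password: str, salt: bytes) -> bytes:
    """Stage 2 key: derived from the password, used only to unlock the header."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def create_volume(password: str, plaintext: bytes):
    """Return (header, encrypted_data). The master key is random, never password-derived."""
    salt = os.urandom(16)
    master_key = os.urandom(32)  # stage 1 key: the only key that encrypts the actual data
    header = salt + keystream_xor(header_key(password, salt), MAGIC + master_key)
    return header, keystream_xor(master_key, plaintext)

def open_volume(password: str, header: bytes, data: bytes):
    """Unlock the header with the password, then decrypt data with the recovered master key.
    Returns None when the password does not open the header at all."""
    salt, enc = header[:16], header[16:]
    dec = keystream_xor(header_key(password, salt), enc)
    if dec[:4] != MAGIC:
        return None  # wrong password, or header bytes that are not a header any more
    return keystream_xor(dec[4:], data)

def rescue_disk_scenarios(password: str = "same-password-on-both-pcs") -> dict:
    """The cases from the thread: own header backup, another PC's header, header overwritten."""
    hdr_a, data_a = create_volume(password, b"friend's files")
    hdr_b, _ = create_volume(password, b"other computer's volume")  # same password, own master key
    return {
        "own_rescue_disk": open_volume(password, hdr_a, data_a),
        # the foreign header accepts the password but yields the wrong master key: data is noise
        "other_pcs_rescue_disk": open_volume(password, hdr_b, data_a),
        "header_overwritten": open_volume(password, os.urandom(len(hdr_a)), data_a),
    }

if __name__ == "__main__":
    for case, result in rescue_disk_scenarios().items():
        print(f"{case:22s} -> {result!r}")
```

The "other_pcs_rescue_disk" case is the situation CodesInChaos points at: the password does open the other machine's header, but the master key inside belongs to that machine's volume, so the friend's data decrypts to garbage rather than a filesystem.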