Finding a TrueCrypt volume on a lost partition

0

I had a 1TB hard drive on which I created a 40GB TrueCrypt (non-hidden) volume (I did not back up the header, but I still have the PASSWORD). The hard drive lost the partition, and I have tried multiple recovery programs, all of which failed to find the volume. The drive is currently unformatted and I took its image, but I was wondering how to go about locating the volume.

UsernamePassword

Posted 2012-06-30T01:32:33.910

Reputation: 85

Plausible deniability says it's gone. – Fiasco Labs – 2013-09-07T05:10:29.073

Answers

1

Well, if your partition was lost, then perhaps your 40GB chunk of TrueCrypt data was also compromised in the same event...

A hand-made solution:

You could write a script that mounts your mirror image with an offset, as if it were a partition, then calls TrueCrypt with all the appropriate parameters and your password. If TrueCrypt returns 0, stop and you are happy; otherwise try again with the next offset, until it has tried the whole image.

Experiment:

If the above doesn't work, you should do the following test. Reproduce the same problem with a new hard disk (create an encrypted partition, then delete the MBR), and try the same approach there. If it works, then probably your chunk of data has been compromised; if it doesn't, then either my approach or your implementation has a flaw.

user39559

Posted 2012-06-30T01:32:33.910

Reputation: 1 783

0

One approach is to create identical partitioning on an identical drive (or on the same drive if you have it imaged), then back up the MBR, reimage the drive from the image you have, and finally put back the MBR. If the partitioning is indeed identical and the header/backup header of the TC partition has not been overwritten, you should be able to mount the encrypted partition after the procedure.

Failing that, I'd start looking to adapt http://16s.us/TCHunt to locating raw disk data that may constitute a TC partition.

minya

Posted 2012-06-30T01:32:33.910

Reputation: 378

If he knew the partitioning that would mean he could regenerate the MBR on the same hard disk, no need for all that process. Also TCHunt is no use in this case. It only works for files, not for partitions. As I said, there's no way to distinguish random data from TC partitions. Read their FAQ. – m0skit0 – 2012-07-06T08:16:50.657

If it were random data. I believe, data in other partitions were not random at all. – minya – 2012-07-06T18:44:23.400

The OP didn't actually say that he doesn't know the original partitioning of the disk. If he can remember it, then (as @m0skit0 says) he could simply regenerate the MBR on the disk and access the TC partition. – Fran – 2012-07-06T18:57:08.470

@minya: see the comment on my answer. – m0skit0 – 2012-07-06T22:09:16.803

0

Unfortunately, a TrueCrypt partition looks like random data, and there's no way to tell if it's really a TrueCrypt partition. You cannot recover that TrueCrypt volume, because one of the features of TrueCrypt is to make partitions unrecognizable. So given any part of the hard disk, there's no way to tell if it's part of the TrueCrypt partition or not.

m0skit0

Posted 2012-06-30T01:32:33.910

Reputation: 1 317

Actually, there should be a way to do that by exclusion, since in this particular case the rest of the disk was not encrypted. Presumably, it contained non-encrypted partitions that might be used to determine the boundaries of the one encrypted partition. – minya – 2012-07-06T18:43:29.920

Nope, because first, depending on the filesystem, the data could be dispersed on the disk (non-contiguous), and second, sectors never written or that contain old parts of deleted files are actually random. – m0skit0 – 2012-07-06T22:08:33.747

The OP says he had a "40GB TrueCrypt (non-hidden) volume", which I take to mean TrueCrypt had encrypted the entire partition not just one file. The sectors of that partition should be adjacent and all very random. A sector-by-sector randomness test should reveal a 40GB block of contiguous highly-random sectors. That is likely the partition the user lost. – Fran – 2012-07-14T17:45:06.480

Again, no: How would you even know where the partition starts? And again: the empty space in other partitions will also look random, so how do you know if that part is from the TC volume? So no way to recover that. It's also one of TC's features btw. – m0skit0 – 2012-07-14T18:45:38.323
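An added example, not part of any post in this thread: a sketch of the sector-by-sector randomness test suggested in the comments, which reports long contiguous high-entropy runs in a disk image so that their start offsets can be tried first by the offset-by-offset mount script from the first answer. The block size, threshold, function names and sample data are assumptions made for this illustration, and a high-entropy run is only a candidate, since compressed or other encrypted data scores the same way.

```python
import hashlib
import io
import math
from collections import Counter

BLOCK = 4096      # bytes scored per step (assumed; a multiple of the sector size)
THRESHOLD = 7.9   # bits per byte (assumed; random 4 KiB blocks score about 7.95)


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_runs(stream, min_len, block=BLOCK, threshold=THRESHOLD):
    """Return [(start_offset, length)] for each contiguous run of
    high-entropy blocks that is at least min_len bytes long."""
    runs, start, pos = [], None, 0
    while True:
        data = stream.read(block)
        # A short or empty read ends any open run; it is never scored.
        high = len(data) == block and entropy(data) >= threshold
        if high and start is None:
            start = pos
        elif not high and start is not None:
            if pos - start >= min_len:
                runs.append((start, pos - start))
            start = None
        if not data:
            return runs
        pos += len(data)


def build_sample() -> bytes:
    """Constructed image, not real disk data: 64 KiB of repetitive
    plaintext, a 256 KiB random-looking region, then 32 KiB of zeros."""
    plain = b"FILE0 plain filesystem metadata " * 2048
    volume = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                      for i in range(8192))
    return plain + volume + bytes(32 * 1024)


if __name__ == "__main__":
    sample = io.BytesIO(build_sample())
    for start, length in high_entropy_runs(sample, 128 * 1024):
        print(f"candidate run at byte offset {start}, {length} bytes")
```

On a real image, pass the opened image file (binary mode) as `stream` and set `min_len` somewhat below the expected volume size. A reported start is only accurate to one block, so the sector offsets in the block just before it are worth trying as well.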