Sunday, 13 November 2011

Recovering files from a Corrupted TrueCrypt Container with a corrupted filesystem in a Corrupted HDD with Broken or Bad Sectors

TrueCrypt is a great tool.
BTW, a suggestion to the TrueCrypt programmers, to solve the "format it now" nagging screen when you plug in a TrueCrypt disk: this is achievable if the partition RAW type outside the TrueCrypt container is changed to Hidden NTFS.

 


On to the issue... You have a corrupted filesystem on a corrupted disk with a TrueCrypt volume in it, but you can't read the contents anymore.

I will solve the scenario where you know the password to your TrueCrypt volume and the volume header for this TrueCrypt volume is not corrupted. So always have a copy of this volume header data (a little file of about 128 KB).

In these cases TrueCrypt mounts the volume fine (if the volume header were corrupted you would receive an "Incorrect password or not a TrueCrypt volume" error, which is not the case here):

 

Mounting is successful, but if there are any errors on the first disk sectors, you will get this after a few seconds:

This error always suggests serious problems. When this occurs there are probably bad sectors at the beginning of the disk and you cannot even read the folder contents.

To scan the HDD for sector read/write errors, you can use HDD Tune and observe the results. I had an error right at the beginning blocks.

So how can you recover these sectors without losing the information in them?

IMPORTANT: Before giving any recovery method a go, make a full RAW image backup of the entire disk, ignoring bad sectors.
Or alternatively, repair the HDD sectors (see below) and perform the full RAW backup then.
This way, if any of your recovery methods fails, you can always go back to this point and try another method.
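
An added example (not from the original post) of what a full RAW image "ignoring bad sectors" means in practice: copy in large chunks, fall back to sector-by-sector reads on error, and zero-fill whatever cannot be read so that every byte keeps its original offset. That matters here because TrueCrypt decrypts each sector according to its position in the volume. The 512-byte sector size, the function names and the `FlakyDisk` test source are assumptions made for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size of the source disk

def read_exact(src, off, n):
    """Read exactly n bytes at offset off; a short read counts as an error."""
    src.seek(off)
    data = src.read(n)
    if len(data) != n:
        raise OSError("short read at offset %d" % off)
    return data

def image_disk(src, dst, size, chunk=64 * 1024, sector=SECTOR):
    """Copy size bytes from src to dst, zero-filling unreadable sectors.
    Returns the unreadable ranges as (offset, length) pairs."""
    bad = []
    for pos in range(0, size, chunk):
        want = min(chunk, size - pos)
        try:
            data = read_exact(src, pos, want)          # fast path: whole chunk
        except OSError:
            data = bytearray()                         # slow path: per sector
            for off in range(pos, pos + want, sector):
                n = min(sector, pos + want - off)
                try:
                    data += read_exact(src, off, n)
                except OSError:
                    data += bytes(n)                   # keep offsets aligned
                    if bad and sum(bad[-1]) == off:    # extend adjacent range
                        bad[-1] = (bad[-1][0], bad[-1][1] + n)
                    else:
                        bad.append((off, n))
        dst.seek(pos)
        dst.write(data)
    return bad

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive (not a real device)."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)
    def read(self, n=-1):
        first = self.tell() // SECTOR
        last = (self.tell() + max(n, 1) - 1) // SECTOR
        if self.bad_sectors & set(range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return super().read(n)

def demo():
    disk = bytes(range(256)) * 2 * 300                 # 300 constructed sectors
    image = io.BytesIO()
    bad = image_disk(FlakyDisk(disk, {0, 1, 130}), image, len(disk))
    return disk, image.getvalue(), bad
```

On a real drive, `src` would be the raw device opened read-only in binary mode and `dst` a file on a different disk. Keep the returned list of bad ranges with the image so you know which parts of the container were zero-filled.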

There is a tool called SpinRite. But it looks like its main purpose is to save information on sectors that are the best candidates for sector problems, by moving the information to healthy sectors and marking these as BAD.

Probably not what you are looking for (I did not use SpinRite long enough, though).

However, HDD Regenerator has also been around for quite some time and says explicitly that it can recover information. So after unmounting the TrueCrypt volume and running the repair you will get something like this (this is a screenshot from another disk; I had Rs at the beginning):


 
The Beginning blocks on my corrupted disk were recovered. 

Can the disk be accessible now? 
Cross your fingers, remount the volume in TrueCrypt and open it in Explorer:
It will still not be accessible.

CGSecurity.org has a wiki page about recovering a TrueCrypt volume.
It sounded promising.

Trying TestDisk:

Followed the instructions:
Run TestDisk, select the drive letter corresponding to the damaged volume, choose None for partition type, Advanced.
I changed the type to NTFS, but I was already thinking that this would not work because the volume is encrypted. Anyway, I tried a Boot Sector Recovery and the result was nothing.

I tried the option to analyse the partition structure and search for lost partitions, and the result (after many hours) was nothing.
Changing strategy, there is a "Repair Filesystem" option when right-clicking the volume in TrueCrypt:


But this just uses Windows Check Disk, which works when the disk can be accessed. The result is nothing:
Unable to determine volume version and state. CHKDSK aborted.

Well, the TrueCrypt documentation says that after a successful mount, the volume behaves as a regular Windows volume on its assigned letter. So why not use tools to recover lost files?

GetDataBack helped here; let's see what to do with it:


Any of the first 4 options will look "above" your TrueCrypt volume. When K: is mounted you will want to recover deleted files.

G: (in red) is your Windows-visible partition for the same disk.
You will want to select K:

Then go to Options and use the settings marked with green checks:


Press OK and let it run.

Step 2 Results:

Here are our files (in blue).

Select one found file system and press Next.

Let it run (might take a few hours).
When Step 3 is finished you have your files. Recovery Succeeded:
Copy the files to another disk
(a GetDataBack license is required for this).

Life saver.

 
Thanks for reading.
--
Miguel Vaz


Taken from: http://bitboard.blogspot.com/