Page 1 of 1

Bootable Truecrypt partition overwritten -- where to start?

Posted: 22 Apr 2012, 05:58
by Calidore
I apologize in advance if the process should be obvious, but I'm still rattled (and pissed) by what's happened.

Here's my scenario: I decided to finally upgrade to Windows 7 from XP (which was running on a bootable TrueCrypted system drive, C:), and bought a new hard drive (D:) while I was at it to do a clean install to. I ran setup off the Win 7 DVD and chose empty drive D: as the destination. That part worked fine, but at some point the Win 7 setup, for no good reason and without any indication or warning, wrote <>120 megs of something to the C: drive, which it apparently perceived as empty. This overwrote the boot sector and the partition information, making it unbootable, and the encryption makes it unreadable by Windows. Truecrypt will still mount it (after I used the rescue disk to fix the header) and recognizes the correct size and encryption type, but the mounted drive still shows as raw and unformatted within the encryption.

I do have the option of using the rescue disk to try decrypting the drive, but I wasn't sure that any kind of writing to the drive would be a good idea. I believe data recovery tools like TestDisk tend to be read-only on the damaged drive, writing to another one (correct me if I'm wrong). My inclination, therefore (and also here, please correct me if needed) is to try mounting the encrypted drive and seeing what can be recovered, then trying the decryption and a second recovery attempt afterward.

I've seen the highest recommendations for two recovery programs: TestDisk (free) and MiniTool ($60). The former being free and having a forum made it an easy first choice.

So all that said, I have no idea where to even start with the recovery. I think I need each of the three forums--partition, filesystem, and files--but the partition one seemed the most likely first choice.

I hereby prostrate myself and beg for any directions, advice, guidelines, etc. you all can offer as far as the best way to go about getting my files back. Pointers to appropriate TestDisk docs sections are fine; like I said, I'm a bit dazed and don't even know where to start.

Thanks a bunch in advance!

Re: Bootable Truecrypt partition overwritten -- where to sta

Posted: 26 Apr 2012, 00:07
by remy
I'm not a truecrypt user, so let me know if what I tell makes nonsense.

I guess that after using your recovery disk you are able to see your disk (even as raw) and it's physicaly accessible. Can you see it in testdisk ? If yes, work with it as if it were not encrypted. 120 MB is under the limit of the beginnig of the MFTs, so you should be able to recover your original partition and access data.

When scanning your disk, if you recover your patition, don't write : us "P" key to list your files, and copy the files from inside testdisk to another destination not encrypted. Then you'll be able to try decrytption with your disk.

By the way, please explain (Private message needed because it's offtopic) how you proceed to recover your MBR and how you worked with your rescue CD, because I'll probably have one day to deal with those cases.

Re: Bootable Truecrypt partition overwritten -- where to sta

Posted: 29 Apr 2012, 14:15
by Calidore
Thanks for the reply! Yes, the unmounted disk and the mounted virtual drive both show as raw now.

I hope you're right about the MFT; thanks for the bright spot. :-)

The new drive is roughly 50% bigger than the old one, so no problem copying everything over.

I'll PM you on the TrueCrypt stuff in a bit.