Recover Truecrypt partition manually on two identical drives

partitionloser
Posts: 2
Joined: 14 Oct 2014, 09:19

Recover Truecrypt partition manually on two identical drives

#1 Post by partitionloser »

I have 2 identical HDDs (same size, same vendor, same model) in a USB case (no RAID, they appear as two separate independent discs); both had lost their partitions. Both have a partition that is encrypted with TrueCrypt.

On the first disc I successfully recovered the lost partition with a TestDisk run.
On the second disc TestDisk found nothing.

I've done a hexdump from the second hdd:
From 0x0000 to 0xfff0 are filled with 0x00
From 0x1000 it is filled with scrambled data, I think this is where the tc-encrypted partition starts.

How can I manually recover the lost partition? TC stores the password hash and maybe some other stuff in the partition.
I don't know what I have to enter for where it begins and ends when I manually create a new partition, without corrupting the TC password area.

First I thought I could copy the partition table from the first disc to the second because the HDDs are identical and probably the partition geometry is identical too. When I browse the first disc where I recovered the partition, it has scrambled data from the beginning of 0x1000 too; that means they have the same beginning address, right?

Here is the output of fdisk -l from the recovered hdd:
Disc /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 Heads, 63 Sectors/Track, 243201 Cylinder, total 3907029168 Sectors
Unit = Sectors from 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
HDD-ID: 0x00000000

Device boot. Begin End Blocks Id System
/dev/sdc1 * 2048 3907028991 1953513472 83 Linux

Here is the output from the unrecovered HDD:
sudo fdisk -l /dev/sdd

Disc /dev/sdd: 2000.4 GB, 2000398934016 bytes
255 Heads, 63 Sektoren/Spur, 243201 Cylinder, total 3907029168 Sectors
Units = Sectors from 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
HDD-ID: 0x00000000

HDD /dev/sdd contains no partition table

PS: I translated the output of fdisk to English. So it's not exactly the same output, word by word, that you get on an English system environment.

What do you think about copying the part table from the first disc to the second? Good or bad idea?
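The comparison the post describes, as an added example that is not part of the original thread: it parses the recovered disk's MBR entry, finds the first non-zero sector on the other disk, and computes where the TrueCrypt header areas would sit if that entry were reused. It assumes the TrueCrypt 6.0+ volume layout (primary header at the start of the volume, backup header area in the last 128 KiB); the function names and both sample inputs are constructed for illustration, with the partition values taken from the fdisk output above.

```python
import io
import struct

SECTOR = 512
TC_HEADER_AREA = 131072  # assumed TrueCrypt 6.0+ layout: 128 KiB header area at each end

def parse_mbr_entries(sector0):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature (55 AA) in sector 0")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype and count:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "start": start, "sectors": count})
    return entries

def first_nonzero_sector(image, limit=1 << 16):
    """LBA of the first sector holding any non-zero byte, or None within limit."""
    zero = bytes(SECTOR)
    image.seek(0)
    for lba in range(limit):
        block = image.read(SECTOR)
        if len(block) < SECTOR:
            return None
        if block != zero:
            return lba
    return None

def tc_header_offsets(entry):
    """Disk byte offsets of the primary and backup TrueCrypt header areas."""
    start = entry["start"] * SECTOR
    end = start + entry["sectors"] * SECTOR
    return {"primary": start, "backup": end - TC_HEADER_AREA}

def sample_mbr():
    """Constructed MBR carrying the /dev/sdc1 entry from the fdisk output above."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 3907028991 - 2048 + 1)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def sample_blank_disk():
    """Constructed stand-in for the second disk: zeros, then data from LBA 2048."""
    return io.BytesIO(bytes(2048 * SECTOR) + b"\xa5" * (4 * SECTOR))

if __name__ == "__main__":
    ref = parse_mbr_entries(sample_mbr())[0]
    print("reference start LBA:", ref["start"])
    print("first non-zero LBA on second disk:", first_nonzero_sector(sample_blank_disk()))
    print("header areas:", tc_header_offsets(ref))
```

Both functions only read, so they can be pointed at an image file of each disk opened in binary mode; a matching start LBA shows where the data begins, not that the volume header there is intact.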

partitionloser
Posts: 2
Joined: 14 Oct 2014, 09:19

Re: Recover Truecrypt partition manually on two identical dr

#2 Post by partitionloser »

First I made a backup of the first 20 MB of the disc and tried the above -> no success.

Then I replayed the backup and created a new partition with fdisk with the default values which I probably used when I created the lost partition -> no success.

After each step above I always tried in TrueCrypt to restore the volume header from the backup inside the partition (it's at the end of each container or TC partition; found via Google a document that describes the structure of a TC container/partition) -> no success.

After that I remembered that when one of the discs was partitioned the first time, I used parted and chose a GPT partition; probably it was this disc.

Replayed the backup again, tried a last scan with TestDisk in GPT mode -> found nothing.

I gave up and repartitioned the disk (MBR type, no GPT) with NO encryption AND made a backup of the MBR.

Case closed.
