Recover Truecrypt partition manually on two identical drives
Posted: 14 Oct 2014, 10:05
I have 2 identical hdds (same size, same vendor, same model) in a usb case (no raid, they appear as two separate independent discs). Both had lost their partitions. Both have a partition that is encrypted with truecrypt.
On the first disc I successfully recovered the lost partition with a testdisk run.
On the second disc testdisk found nothing.
I've done a hexdump of the second hdd:
From 0x0000 to 0xfff0 are filled with 0x00
From 0x1000 it is filled with scrambled data, I think this is where the tc-encrypted partition starts.
How can I manually recover the lost partition? TC stores the password hash and maybe some other stuff in the partition.
I don't know what I have to enter for where it begins and ends when I manually create a new partition, without corrupting the tc-password area.
First I thought I can copy the partition table from the first disc to the second, because the hdds are identical and probably the partition geometry is identical too. When I browse the first disc, where I recovered the partition, it has scrambled data from the beginning of 0x1000 too; that means they have the same beginning address, right?
Here is the output of fdisk -l from the recovered hdd:
Disc /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 Heads, 63 Sectors/Track, 243201 Cylinder, total 3907029168 Sectors
Unit = Sectors from 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
HDD-ID: 0x00000000
Device boot. Begin End Blocks Id System
/dev/sdc1 * 2048 3907028991 1953513472 83 Linux
Here is the output from the unrecovered HDD:
sudo fdisk -l /dev/sdd
Disc /dev/sdd: 2000.4 GB, 2000398934016 bytes
255 Heads, 63 Sektoren/Spur, 243201 Cylinder, total 3907029168 Sectors
Units = Sectors from 1 × 512 = 512 Bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
HDD-ID: 0x00000000
HDD /dev/sdd contains no partition table
PS: I translated the output of fdisk to English, so it's not exactly the same output, word for word, that you get on an English system environment.
What do you think about copying the part table from the first disc to the second? Good or bad idea?
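A read-only way to test the assumption in the post before any partition table is written, as an added example that is not part of the original post: it reads the primary MBR entry from the recovered disc, finds the first sector on the other disc that is not all zeros, and reports whether the two agree. All function names are hypothetical, and the two images are constructed in memory from the fdisk values above (start 2048, end 3907028991, type 83); sector 2048 at 512 bytes per sector is byte offset 0x100000.

```python
import io
import os
import struct

SECTOR = 512  # logical sector size reported by fdisk in the post

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []  # no boot signature, i.e. "contains no partition table"
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        boot, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype and count:
            entries.append({"boot": boot == 0x80, "type": ptype,
                            "start": start, "end": start + count - 1})
    return entries

def first_nonzero_sector(dev, limit):
    """LBA of the first sector below `limit` that is not all zero bytes."""
    dev.seek(0)
    for lba in range(limit):
        chunk = dev.read(SECTOR)
        if len(chunk) < SECTOR:
            return None
        if chunk.count(0) != SECTOR:
            return lba
    return None

def compare_layout(recovered, damaged, limit=4096):
    """Check whether data on the damaged disc begins at a recovered start LBA."""
    recovered.seek(0)
    parts = parse_mbr(recovered.read(SECTOR))
    data_lba = first_nonzero_sector(damaged, limit)
    return {"partitions": parts, "data_lba": data_lba,
            "match": any(p["start"] == data_lba for p in parts)}

def make_image(with_table, start=2048, count=3907026944, data_sectors=4):
    """Constructed sample: zeros, then random 'ciphertext' from `start` on."""
    img = bytearray(SECTOR * (start + data_sectors))
    img[SECTOR * start:] = os.urandom(SECTOR * data_sectors)
    if with_table:
        img[446:462] = struct.pack("<B3xB3xII", 0x80, 0x83, start, count)
        img[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(compare_layout(make_image(True), make_image(False)))
```

On real hardware the two file objects would be the discs opened with mode "rb" (for example /dev/sdc and /dev/sdd from the post), which keeps the check strictly read-only.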