Truecrypt drive: boot sector damaged?

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
Gibson
Posts: 2
Joined: 03 Oct 2018, 17:49

Truecrypt drive: boot sector damaged?

#1 Post by Gibson »

Hello, it appears my encrypted external USB-drive with 1TB of data has suddenly become inaccessible. I got a message that said, the volume header has become corrupted and it will use the backup header stored in the volume, but it didn't mount. I was eventually able to mount the volume by restoring the header from an external backup file, but i still can't access the files, it says it needs to be formatted.

When it was still working fine, there was always an inaccessible drive E:\ under "My Computer" and the Truecrypt volume remained hidden until mounted. When the header got corrupted, drive E:\ showed up as an empty, formatted hard drive. After restoring the backup header, drive E: is now entirely gone and the Truecrypt volume shows up as uninitialized with unallocated space in Disk Management.

A scan with Testcrypt shows a few results but it can't mount any of them:
Image

Contrary to Windows Disk Management, i can see two entries for the external drive in TestDisk: one with the correct name and the mounted drive (X:)
Image

Selecting the mounted Disk "X:" and "None" for the partition type, i get this:
Image

It looks like the boot sector and the backup are bad, therefore no access to the file system. So far, i haven't tried to rebuild the BS, because i am not entirely sure if i am doing the right thing (or if it will even work, since the backup is bad, too). I just want to avoid making things worse and causing further damage. If i choose "Intel", it says "The partition sector doesn't have the endmark 0xAA55". Is it safe to rebuild the boot sector or do i need to to something else?

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Truecrypt drive: boot sector damaged?

#2 Post by cgrenier »

Run TestDisk, X: (choose the unlocked truecrypt volume), None, Advanced, Boot, RebuildBS, List.
If you can see your files, chose Write, confirm, Quit.
If it doesn't work, use PhotoRec instead. If PhotoRec recovers only junk, it's because a wrong truecrypt header has been used (wrong encryption key).

Gibson
Posts: 2
Joined: 03 Oct 2018, 17:49

Re: Truecrypt drive: boot sector damaged?

#3 Post by Gibson »

I tried to rebuild the Boot Sector, but it didn't work. "Search mft" takes 5 hours but it does nothing. It simply returns to the screen, where it says "Boot sector bad", no write option or anything. I selected the mounted volume, Partition type "None" and then i can choose between "Type", "Image Creation" or "Quit" (i assume this is the Advanced menu). I have set it to NTFS and then "Boot", like this:

Image

If i select "List" instead of "Boot" it says: "Can't open filesystem. Filesystem seems damaged."
Also tried Photorec, but it recovers nonsensical data like 3 Gigabyte swf-files, but i am very sure i used the correct backup header, because Truecrypt shouldn't have accepted the password if it was wrong.

Rocky111
Posts: 1
Joined: 09 Oct 2018, 20:50

Re: Truecrypt drive: boot sector damaged?

#4 Post by Rocky111 »

Looking for the same solution but not sure how initiate the process. Would it be possible for someone to make a video tutorial on it for newbies?

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Truecrypt drive: boot sector damaged?

#5 Post by cgrenier »

If TestDisk failed to rebuild the boot sector, you should try PhotoRec. If PhotoRec recovers only broken files, it mean the truecrypt volume has been unlocked with a wrong key.

Locked