Recover Veracrypt partition

[kaledev]

I'm wondering if you guys think I'm out of luck or if there is hope. A new partition table was accidentally written to a Veracrypt encrypted disk and it was too late when I saw it had just happened. I haven't written any data to the disk since the partition table was written. I tried running Testdisk in multiple modes to no avail, tried Testcrypt and it didn't help either. Here's a log of some of the things I've tried:

Mon Apr 22 12:07:42 2019
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.15.0-47-generic (#50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019) x86_64
Compiler: GCC 7.2
ext2fs lib: 1.44.1, ntfs lib: libntfs-3g, reiserfs lib: none, ewf lib: none, curses lib: ncurses 6.0
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 3907029168 sectors
/dev/sda: user_max 3907029168 sectors
/dev/sda: native_max 3907029168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdc: LBA, HPA, LBA48, DCO support
/dev/sdc: size 500118192 sectors
/dev/sdc: user_max 500118192 sectors
/dev/sdc: native_max 500118192 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - 0 sectors, sector size=512
Hard disk list
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512 - WDC WD20EARS-00MVWB0, S/N:WD-WMAZA0846310, FW:51.0AB51
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000340AS, S/N:5QJ11K3C, FW:SD15
Disk /dev/sdc - 256 GB / 238 GiB - CHS 31130 255 63, sector size=512 - Crucial_CT256MX100SSD1, S/N:14340D03A239, FW:MU01
Disk /dev/sde - 7948 MB / 7580 MiB - CHS 1021 245 62, sector size=512 - Kingston FCR-HS219/1, FW:9738
Disk /dev/mapper/cryptswap1 - 17 GB / 15 GiB - 33446912 sectors, sector size=512
Disk /dev/mapper/mint--vg-root - 238 GB / 222 GiB - 465567744 sectors, sector size=512
Disk /dev/mapper/mint--vg-swap_1 - 17 GB / 15 GiB - 33447936 sectors, sector size=512
Disk /dev/mapper/sda5_crypt - 255 GB / 237 GiB - 499111936 sectors, sector size=512
Disk /dev/dm-0 - 255 GB / 237 GiB - 499111936 sectors, sector size=512
Disk /dev/dm-1 - 238 GB / 222 GiB - 465567744 sectors, sector size=512
Disk /dev/dm-2 - 17 GB / 15 GiB - 33447936 sectors, sector size=512
Disk /dev/dm-3 - 17 GB / 15 GiB - 33446912 sectors, sector size=512

Partition table type default to Intel
Disk /dev/sda - 2000 GB / 1863 GiB - WDC WD20EARS-00MVWB0
Partition table type: Intel

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Current partition structure:
No partition is bootable

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
BAD_RS LBA=2420537790 9043211
check_part_i386 failed for partition type 0E
FAT16 LBA 150671 129 49 292286 43 63 2275039572
This partition ends after the disk limits. (start=2420537790, size=2275039572, end=4695577361, disk end=3907029168)
BAD_RS LBA=4105213019 12957845
check_FAT: can't read FAT boot sector
check_part_i386 failed for partition type 06
FAT16 >32M 255537 176 27 351615 45 33 1543484824
This partition ends after the disk limits. (start=4105213019, size=1543484824, end=5648697842, disk end=3907029168)
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Check the harddisk size: HD jumpers settings, BIOS detection...
The harddisk (2000 GB / 1863 GiB) seems too small! (< 2892 GB / 2693 GiB)
The following partitions can't be recovered:
FAT16 LBA 150671 129 49 292286 43 63 2275039572
FAT16 >32M 255537 176 27 351615 45 33 1543484824

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Interface Advanced

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Current partition structure:
No partition is bootable

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Search for partition aborted

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Interface Advanced

Interface Advanced

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Current partition structure:
No partition is bootable

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Search for partition aborted

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Partition table type default to Intel
Disk /dev/sda - 2000 GB / 1863 GiB - WDC WD20EARS-00MVWB0
Partition table type: None

Interface Advanced
P Unknown 0 0 1 243201 80 63 3907029168

Interface Advanced
P Unknown 0 0 1 243201 80 63 3907029168

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Current partition structure:
P Unknown 0 0 1 243201 80 63 3907029168

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Sys=0C 14510 148 23 231450 194 5 3485143981
FATX, 1784 GB / 1661 GiB

WBFS 243041 186 6 1423735424 62 42 91867054735360
WBFS, 47035 TB / 42778 TiB
This partition ends after the disk limits. (start=3904465388, size=91867054735360, end=91870959200747, disk end=3907029168)
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Check the harddisk size: HD jumpers settings, BIOS detection...
The harddisk (2000 GB / 1863 GiB) seems too small! (< 47037 TB / 42780 TiB)
The following partition can't be recovered:
WBFS 243041 186 6 1423735424 62 42 91867054735360
WBFS, 47035 TB / 42778 TiB

Results
P Sys=0C 14510 148 23 231450 194 5 3485143981
FATX, 1784 GB / 1661 GiB

Hint for advanced users. dmsetup may be used if you prefer to avoid to rewrite the partition table for the moment:
echo "0 3485143981 linear /dev/sda 233112496" | dmsetup create test0

interface_write()
P Sys=0C 14510 148 23 231450 194 5 3485143981

Write isn't available because the partition table type "None" has been selected.

Interface Advanced
P Unknown 0 0 1 243201 80 63 3907029168
SIGINT detected! TestDisk has been killed.


Mon Apr 22 19:33:59 2019
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.15.0-47-generic (#50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019) x86_64
Compiler: GCC 7.2
ext2fs lib: 1.44.1, ntfs lib: libntfs-3g, reiserfs lib: none, ewf lib: none, curses lib: ncurses 6.0
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 3907029168 sectors
/dev/sda: user_max 3907029168 sectors
/dev/sda: native_max 3907029168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdc: LBA, HPA, LBA48, DCO support
/dev/sdc: size 500118192 sectors
/dev/sdc: user_max 500118192 sectors
/dev/sdc: native_max 500118192 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - 0 sectors, sector size=512
Hard disk list
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512 - WDC WD20EARS-00MVWB0, S/N:WD-WMAZA0846310, FW:51.0AB51
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000340AS, S/N:5QJ11K3C, FW:SD15
Disk /dev/sdc - 256 GB / 238 GiB - CHS 31130 255 63, sector size=512 - Crucial_CT256MX100SSD1, S/N:14340D03A239, FW:MU01
Disk /dev/sdf - 7948 MB / 7580 MiB - CHS 1021 245 62, sector size=512 - Kingston FCR-HS219/1, FW:9738
Disk /dev/mapper/cryptswap1 - 17 GB / 15 GiB - 33446912 sectors, sector size=512
Disk /dev/mapper/mint--vg-root - 238 GB / 222 GiB - 465567744 sectors, sector size=512
Disk /dev/mapper/mint--vg-swap_1 - 17 GB / 15 GiB - 33447936 sectors, sector size=512
Disk /dev/mapper/sda5_crypt - 255 GB / 237 GiB - 499111936 sectors, sector size=512
Disk /dev/dm-0 - 255 GB / 237 GiB - 499111936 sectors, sector size=512
Disk /dev/dm-1 - 238 GB / 222 GiB - 465567744 sectors, sector size=512
Disk /dev/dm-2 - 17 GB / 15 GiB - 33447936 sectors, sector size=512
Disk /dev/dm-3 - 17 GB / 15 GiB - 33446912 sectors, sector size=512

Partition table type default to Intel
Disk /dev/sda - 2000 GB / 1863 GiB - WDC WD20EARS-00MVWB0
Partition table type: Intel

Interface Advanced

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Current partition structure:
No partition is bootable

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Search for partition aborted

Results

interface_write()

No partition found or selected for recovery

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
BAD_RS LBA=2420537790 9043211
check_part_i386 failed for partition type 0E
FAT16 LBA 150671 129 49 292286 43 63 2275039572
This partition ends after the disk limits. (start=2420537790, size=2275039572, end=4695577361, disk end=3907029168)
BAD_RS LBA=4105213019 12957845
check_FAT: can't read FAT boot sector
check_part_i386 failed for partition type 06
FAT16 >32M 255537 176 27 351615 45 33 1543484824
This partition ends after the disk limits. (start=4105213019, size=1543484824, end=5648697842, disk end=3907029168)
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Check the harddisk size: HD jumpers settings, BIOS detection...
The harddisk (2000 GB / 1863 GiB) seems too small! (< 2892 GB / 2693 GiB)
The following partitions can't be recovered:
FAT16 LBA 150671 129 49 292286 43 63 2275039572
FAT16 >32M 255537 176 27 351615 45 33 1543484824

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Partition table type default to Intel
Disk /dev/sda - 2000 GB / 1863 GiB - WDC WD20EARS-00MVWB0
Partition table type: EFI GPT

Analyse Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Bad GPT partition, invalid signature.
Trying alternate GPT
Bad GPT partition, invalid signature.
Current partition structure:
Bad GPT partition, invalid signature.
Trying alternate GPT
Bad GPT partition, invalid signature.

search_part()
Disk /dev/sda - 2000 GB / 1863 GiB - CHS 243201 255 63
Unknown 233112496 3718256476 3485143981
FATX, 1784 GB / 1661 GiB
Partition not added.

SYSV4 Marker at 65985/28/49

recover_sysv4
Unknown 1060050837 1060050836 0 [\86\C8(0]
SysV4, 0 B
Partition not added.
check_FAT: Bad jump in FAT partition

LVM magic value at 123322/72/58
Unknown 2116058981 4158404486 2042345506
FATX, 1045 GB / 973 GiB
Partition not added.
Unknown 2181944625 6197502878 4015558254
FATX, 2055 GB / 1914 GiB
Partition not added.
check_FAT: Bad number of sectors per cluster
Unknown 3352893032 4550634698 1197741667
FATX, 613 GB / 571 GiB
Partition not added.

Unknown 3904465388 91870959200747 91867054735360
WBFS, 47035 TB / 42778 TiB
Partition not added.

Results

interface_write()

No partition found or selected for recovery
simulate write!

Interface Advanced
Bad GPT partition, invalid signature.
Trying alternate GPT
Bad GPT partition, invalid signature.

TestDisk exited normally.

[cgrenier]

If testcrypt doesn't work, it probably means that the veracrypt encrypted header has been overwritten.
I don't know to deal with such problem, sorry.

[recuperation]

Testdisk and photorec only work on unencrypted structures.
You have to mount the encrypted drive/the encrypted partition/ the encrypted file and have testdisk or photorec run on the unencrypted data.

If mounting fails you can you try to restore your Truecrypt/Veracrypt header that you should have backed up upon creation of your encrypted drive/partition/file.

[Zero1Zero]

I too am trying to recover my Veracrypt partition.
Windows 7 setup wrote an mbr partition to one of my RAID 0 drives instead of my SSD (yes i should have disconnected them )
Have rebuilt the array
But still cant decrypt drive
Have tried to use "restore volume header"

People ALWAYS SAY "nothing is really deleted" (thus the need for encryption)
So shouldnt the "backup header" still technically be there?
What tool can i use to recover it?

Thanks

[recuperation]

People ALWAYS SAY "nothing is really deleted" (thus the need for encryption)
So shouldnt the "backup header" still technically be there?
What tool can i use to recover it?

The tool is called "Veracrypt User's Guide".