Veracrypt RAID 0 recovery

Zero1Zero
Posts: 4
Joined: 04 May 2019, 12:34

Veracrypt RAID 0 recovery

#1 Post by Zero1Zero »

This might be the trickiest recovery yet lads.. :shock:

2 x 4TB SATA drives in RAID 0
Full drive encryption via Veracrypt (with hidden partition)
Password is known
Encryption (AES)
Hash (SHA-512)

Two bits of BAD luck happened
1. motherboard DIED randomly
2. When reinstalling win7 to an NVMe drive, FRACKING windows setup decided to put an MBR partition on one of my RAID 0 drives (obviously broke the RAID array)
I tried to rebuild the RAID with my NEW motherboard, but veracrypt couldn't decrypt. Also tried "restore volume header from drive", also didn't work.
I figured I need to use the SAME type of motherboard RAID 0 was created on, so purchased a second hand PC with same brand motherboard & chipset to rebuild the RAID 0 with.
Unfortunately still CAN'T decrypt drive or restore header.
So I guess both the header & backup header got deleted :oops:

I know when you create a RAID drive it says "all data will be lost", but as we all know the data is still there, so I figure the header can be recovered? Perhaps most likely from the location where the backup header is supposed to be (I think veracrypt put it at the end of the drive).
PLUS I came across your article that suggests:
> the hidden volume file system may be partially overwritten. TestDisk Advanced menu can be used to rebuild the missing FAT or NTFS boot sector.
> https://www.cgsecurity.org/wiki/Recover ... ypt_Volume

Trouble is it doesn't really specify HOW to do this, and I'm a complete n00b when it comes to data recovery.
How can I use Testdisk to repair the overridden header so I can decrypt the drive?
Right now I have testdisk "analyzing", so far scanned 12% (going to take a while...)

Thanks.

PS: I have tried rebuilding the RAID 0 array changing the drive order (in case I connected them in the opposite order to original array), but also didn't help

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Veracrypt RAID 0 recovery

#2 Post by cgrenier »


recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Veracrypt RAID 0 recovery

#3 Post by recuperation »

Zero1Zero wrote: 04 May 2019, 13:05
> I tried to rebuild the RAID with my NEW motherboard, but veracrypt couldn't decrypt. Also tried "restore volume header from drive", also didn't work.

Works as intended - not joking. This proves that you did not even bother to read the Veracrypt manual.

> I know when you create a RAID drive it says "all data will be lost", but as we all know the data is still there, so I figure the header can be recovered? Perhaps most likely from the location where the backup header is supposed to be (I think veracrypt put it at the end of the drive).

Read the Veracrypt manual!

> PLUS I came across your article that suggests:
> > the hidden volume file system may be partially overwritten. TestDisk Advanced menu can be used to rebuild the missing FAT or NTFS boot sector.
> > https://www.cgsecurity.org/wiki/Recover ... ypt_Volume
>
> Trouble is it doesn't really specify HOW to do this, and I'm a complete n00b when it comes to data recovery.

The testdisk manual gives you all the necessary hints what to look for.
Hint: Truecrypt/Veracrypt is a third party application.

> How can I use Testdisk to repair the overridden header so I can decrypt the drive?

You can't, because it's encrypted. You can only run Testdisk/Photorec on an unencrypted device.

> Right now I have testdisk "analyzing", so far scanned 12% (going to take a while...)

Analyzing an encrypted device with testdisk is simply useless.

Zero1Zero
Posts: 4
Joined: 04 May 2019, 12:34

Re: Veracrypt RAID 0 recovery

#4 Post by Zero1Zero »

cgrenier wrote: 05 May 2019, 08:55
> Did you try http://testcrypt.sourceforge.net/ ?

Hey, thanks for the suggestion,
I actually found that tool today when searching for solutions,
in the thread I found about it I learned testcrypt apparently was built for Truecrypt, & needs to be modified to be compatible with veracrypt.
Someone in that thread posted a tool they wrote,
HERE https://sourceforge.net/p/veracrypt/dis ... it=25#391e
but again, it's beyond my tech level, couldn't figure out how to configure the config file :oops:
Perhaps you could take a look?

recuperation wrote: 05 May 2019, 09:27
> Read the Veracrypt manual!

Do you often expect users to have read entire manuals cover-to-cover?
You do realize forums like this exist for people to share their knowledge & experience?
I can assure you I've been googling and reading as much as I can, and testing multiple recovery programs.
It's just not reasonable to expect people to become experts in every program they use...
and data recovery seems to be a very complicated specialized field.

recuperation wrote: 05 May 2019, 09:27
> Works as intended,

you seem to be suggesting veracrypt intentionally destroys its keys if someone is trying to rebuild an array it was on?
I can't find that in the manual?
I understand the FIRST volume header would be nuked by my actions, but WHY the one at the end of the drive (the backup)?

And even if it is nuked,
we are constantly told "data can never really be deleted" by security experts,
so it stands to reason, if we can identify the HDD sector of the backup header, it could be undeleted/restored?
At no point have I done a full format.
I think @cgrenier's suggestion of testcrypt maybe could be the right tool,
if we can get it working I think it could help MANY people in the future.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Veracrypt RAID 0 recovery

#5 Post by recuperation »

Zero1Zero wrote: 05 May 2019, 14:28
> cgrenier wrote: 05 May 2019, 08:55
> > Did you try http://testcrypt.sourceforge.net/ ?
>
> Hey, thanks for the suggestion,
> I actually found that tool today when searching for solutions,
> in the thread I found about it I learned testcrypt apparently was built for Truecrypt, & needs to be modified to be compatible with veracrypt.
> Someone in that thread posted a tool they wrote,
> HERE https://sourceforge.net/p/veracrypt/dis ... it=25#391e
> but again, it's beyond my tech level, couldn't figure out how to configure the config file :oops:
> Perhaps you could take a look?

No. Wrong tool, wrong strategy.

> recuperation wrote: 05 May 2019, 09:27
> > Read the Veracrypt manual!
>
> Do you often expect users to have read entire manuals cover-to-cover?

No. I wonder how you read a dictionary though: cover-to-cover?

> You do realize forums like this exist for people to share their knowledge & experience?
> I can assure you I've been googling and reading as much as I can, and testing multiple recovery programs.

Reading what?

> It's just not reasonable to expect people to become experts in every program they use...

That is not necessary at all.

> and data recovery seems to be a very complicated specialized field.
> recuperation wrote: 05 May 2019, 09:27
> > Works as intended,
>
> you seem to be suggesting veracrypt intentionally destroys its keys if someone is trying to rebuild an array it was on?

No, not at all. Veracrypt cannot restore something that is not available.

> I can't find that in the manual?

Of course.

> I understand the FIRST volume header would be nuked by my actions, but WHY the one at the end of the drive (the backup)?

Because it has never been created - in your case!

> And even if it is nuked,
> we are constantly told "data can never really be deleted" by security experts,
> so it stands to reason, if we can identify the HDD sector of the backup header, it could be undeleted/restored?

By the way, recovery experts say that an overwritten sector of a modern hard drive cannot be restored - let's assume it's not a pending one that doesn't get overwritten anyway but replaced.
But again: There has never been a backup header in your case.

> At no point have I done a full format.
> I think @cgrenier's suggestion of testcrypt maybe could be the right tool,

I bet that he is wrong in this particular case only.

> if we can get it working I think it could help MANY people in the future.

I can't get that working even if I want to. Even the NSA would fail.
Reading the obvious is the way to go, not clicking on tools.

Zero1Zero
Posts: 4
Joined: 04 May 2019, 12:34

Re: Veracrypt RAID 0 recovery

#6 Post by Zero1Zero »

recuperation wrote: 05 May 2019, 18:46
> But again: There has never been a backup header in your case.

Ok, this is a surprise to me.
From the veracrypt manual:
> each volume created by VeraCrypt (except system partitions) contains an embedded backup header, located at the end of the volume.
> https://www.veracrypt.fr/en/Program%20Menu.html

By "Full drive encryption", I didn't mean it was running my OS, it was purely storage (non-system partition drive).
My OS was/is installed on an SSD.

So that means there's hope right?
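
The layout question in this post can be checked arithmetically. This is an added example, not part of the original thread and not code from VeraCrypt or TestDisk: it maps the four VeraCrypt header slots (primary and hidden at the start of the volume, their backups in the last 128 KiB) onto RAID 0 member disks and reports which slots a known overwritten range touches. Assumptions: the volume starts at array offset 0 with no controller metadata in front of it; the stripe size, array size and sample write are constructed values; all function names are hypothetical.

```python
KIB = 1024
SLOT = 64 * KIB  # VeraCrypt reserves 64 KiB per header slot

def veracrypt_header_regions(volume_size):
    """Array-relative (offset, length) of each header slot in a VeraCrypt volume."""
    return {
        "primary": (0, SLOT),
        "hidden": (SLOT, SLOT),
        "backup": (volume_size - 2 * SLOT, SLOT),
        "hidden_backup": (volume_size - SLOT, SLOT),
    }

def raid0_extents(offset, length, stripe, members):
    """Split an array byte range into (member, member_offset, length) extents."""
    extents = []
    while length > 0:
        stripe_no, within = divmod(offset, stripe)
        member = stripe_no % members                      # round-robin striping
        member_off = (stripe_no // members) * stripe + within
        n = min(length, stripe - within)                  # stay inside one stripe
        extents.append((member, member_off, n))
        offset += n
        length -= n
    return extents

def damaged_headers(volume_size, stripe, members, writes):
    """Names of header slots overlapping any (member, member_offset, length) write."""
    hit = set()
    for name, (off, ln) in veracrypt_header_regions(volume_size).items():
        for m, mo, n in raid0_extents(off, ln, stripe, members):
            for wm, wo, wn in writes:
                if m == wm and mo < wo + wn and wo < mo + n:
                    hit.add(name)
    return sorted(hit)

if __name__ == "__main__":
    # Constructed geometry: 2 members, 128 KiB stripe (assumed), roughly 8 TB array.
    stripe, members = 128 * KIB, 2
    size = 61_035_156 * stripe
    for name, (off, ln) in veracrypt_header_regions(size).items():
        print(name, raid0_extents(off, ln, stripe, members))
    # Constructed write: a single 512-byte sector at LBA 0 of one member.
    print("sector 0 of member 0:", damaged_headers(size, stripe, members, [(0, 0, 512)]))
    print("sector 0 of member 1:", damaged_headers(size, stripe, members, [(1, 0, 512)]))
```

The result depends entirely on the stripe size, member order and start offset matching the original array; with a different stripe size the same sector can fall inside a different slot or in the data area.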

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Veracrypt RAID 0 recovery

#7 Post by recuperation »

Zero1Zero wrote: 06 May 2019, 02:34
> recuperation wrote: 05 May 2019, 18:46
> > But again: There has never been a backup header in your case.
>
> Ok, this is a surprise to me.
> From the veracrypt manual:
> > each volume created by VeraCrypt (except system partitions) contains an embedded backup header, located at the end of the volume.
> > https://www.veracrypt.fr/en/Program%20Menu.html

I'm glad you found the relevant entry in the manual I was referring to.

> By "Full drive encryption", I didn't mean it was running my OS, it was purely storage (non-system partition drive).

I assumed you encrypted your Raid0-Array as a boot device!
Now my claim that Christopher Grenier is wrong in this particular case only has no basis anymore.

> My OS was/is installed on an SSD.
>
> So that means there's hope right?

No. If your array had been your boot device you simply would have used your rescue disc. At least Truecrypt enforces its creation and I guess Veracrypt does that as well.

Zero1Zero wrote: 04 May 2019, 13:05
> Full drive encryption via Veracrypt (with hidden partition)

To prevent any misunderstanding you could state in detail what you did when encrypting.

Zero1Zero wrote: 04 May 2019, 13:05
> 2. When reinstalling win7 to an NVMe drive, FRACKING windows setup decided to put an MBR partition on one of my RAID 0 drives (obviously broke the RAID array)

How would you know that being a self-proclaimed n00b?

Zero1Zero wrote: 04 May 2019, 13:05
> I figured I need to use the SAME type of motherboard RAID 0 was created on, so purchased a second hand PC with same brand motherboard & chipset to rebuild the RAID 0 with.
> Unfortunately still CAN'T decrypt drive or restore header.

How do you want to rebuild a RAID 0 which does not include parity information?
Has your RAID system been a hardware or software raid?
How did you configure it?

Locked