Help needed. On the last leg of deleted partition table recovery but too much of a noob to finish.

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
roraparooza
Posts: 3
Joined: 17 Jan 2020, 09:41

Help needed. On the last leg of deleted partition table recovery but too much of a noob to finish.

#1 Post by roraparooza »

TLDR; i have to use the original partitioning tool (minitool) to recreate the lost partitions on the disk to recover but minitool forces you to create a 128MB partition when initializing to GPT. Can i do the same with testdisk instead?

Full version:

1. The GPT disk to recover contained 5 veracrypt encrypted data partitions. the partitions were created with minitool partition wizard and later formatted/encrypted using veracrypt. partitions had the following sizes:

Code: Select all

sdd1: 700GB
sdd2: 700GB
sdd3: 1900GB
sdd4: 350GB
sdd5: 76.02GB
2. clonezilla script (accidentally) tried to restore a different mbr disk's image to the above disk. it errored before any actual data was overwritten but filesystem header and partition table were deleted. Here is a pseudo clonezilla log created after the fact but under similar conditions:

Code: Select all

Clean filesystem header in device /dev/sdd1...
Clean filesystem header in device /dev/sdd2...
Clean filesystem header in device /dev/sdd3...
Clean filesystem header in device /dev/sdd4...
/dev/sdd4: 4 bytes were erased at offset 0x000001c6 (atari): b9 d3 d8 fa
Clean filesystem header in device /dev/sdd5...
Trying to clean the MBR and GPT partition table on the destination disk first: /dev/sdd
Informing the OS of partition table changes... done !
Non-grub bootloader found on /tmp/sdc-rolling-backup-tmp-cnvted/sdd-mbr...
The CHS value of hard drive from EDD will be used for sfdisk.
Sfdisk >= 2.26 does not support C/H/S option. Skip using C/H/S option.
Error: /dev/sdd: unrecognised disk label
**************************
Tue Jan 7 14:36:24 UTC 2020
Writing the partition table...
No partition table exists in target disk /dev/sdd, try to initialize one so that we can get the disk
 size by parted... Running: parted -s /dev/sdd mklabel msdos
done !
Warning!! Destination disk (/dev/sdd) size is 4.00TB, which is larger than the MBR partition table
 entry maximum 2 TiB (~2.2 TB). You have to use GUID partition table format (GPT).
Press "Enter" to continue......
[Panic rebooted here]
3. the partitions and the encrypted volumes therein were luckily created with poor security practices ie:

Code: Select all

a. full format brand new disk
b. create 5 partitions with minitool partition wizard (quick formatted if at all)
c. veracrypt volumes created with quick format
d. mount volume and copy data
4. probably due to (3) there are large portions of hex 00's occupying the free space of the encrypted volumes. by using dmde's hex view i was able to find large swathes of these zeroes followed by data followed by zeroes and so on. the start to end sector ranges of these portions match the disk sizes listed in (1). screenshot of sdd5 for example. probable start sectors of partitions (ie first non 00 hex after lots of 00's):

Code: Select all

sdd1: 4096
sdd2: 1468008448
sdd3: 2936014848
sdd4: 6920603648
sdd5: 7654606848
5. this is where i'm stuck. i see from several sources (example here) that by simply creating the partitions of the same sizes using the same partitioning tool (in my case minitool), i should be able to mount the veracrypt volumes again. BUT:
  • the disk is currently in MBR mode. If i try to initialize to GPT, minitool forces me to create a 128MB partition. this partition did not exist on sdd as it was promptly deleted after creation (when originally setting up the partitions on the disk).
  • minitool does not allow specifying start and end sectors.

I'm positive i can do this with testdisk but don't know how. Can someone help me finish? Also note that i'm working on a cloned copy of the disk to recover created with ddrescue/knoppix.
Top
User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:
Contact cgrenier

Re: Help needed. On the last leg of deleted partition table recovery but too much of a noob to finish.

#2 Post by cgrenier »

If you don't want a 128MB (32 MB for smaller disk) Microsoft Reserved Partition (MSR), TestDisk will not force you to have one.

Run TestDisk, select the disk, EFI GPT, Quick Search, use 'a' to manually add each partition.
Once it's ok, go on next screen, choose Write, confirm, Quit and restart your computer
Good luck
Top
roraparooza
Posts: 3
Joined: 17 Jan 2020, 09:41

Re: Help needed. On the last leg of deleted partition table recovery but too much of a noob to finish.

#3 Post by roraparooza »

cgrenier wrote: 17 Jan 2020, 20:54 If you don't want a 128MB (32 MB for smaller disk) Microsoft Reserved Partition (MSR), TestDisk will not force you to have one.

Run TestDisk, select the disk, EFI GPT, Quick Search, use 'a' to manually add each partition.
Once it's ok, go on next screen, choose Write, confirm, Quit and restart your computer
Good luck
which partition type do i select (for a GPT disk / primary partition): EFI, MBR, MSData?

The partitions were created as NTFS in mpw before veracrypt format. a working encrypted partition on a different disk created around the same time (and therefore likely to have been set up similarly although it is a logical partition on an MBR disk) shows up as:
  • hpfs / ntfs in testdisk,
  • partition type id 0x7, filesystem "Other" in mpw
  • RAW in windows disk management.
Top
Locked

Return to “Partition Recovery”