Help recovering encrypted drive -- SOLVED

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Help recovering encrypted drive -- SOLVED

#1 Post by rabbit »

I pledge something nice for whoever helps me to recover some important files from a hard disk that I have foolishly garbaged. I also pledge a matching reward to Christophe Grenier for his generosity in running this forum, and for being so helpful to us all! I won't say what the reward is, only that it has been sitting on this crashed disk for several years waiting to be recovered. And that I'm sure you will like it!

Sometime around 2011, I decided to make a FreeNAS backup system, and was using UNetbootin on my encrypted Ubuntu computer to burn a thumb drive. At this time UNetbootin would default to the system drive, and you can probably guess what happened! Instead of reformatting my USB drive, it began formatting my system drive instead. I stopped the program as soon as I realized what had happened, but my system HD was trashed -- my encrypted system drive. I believe it is LUKS.

I set the disk aside, and now I'd like to try to recover my files, if that is possible. I have a block copy of the disk to work with, and this is how it looks:

Hmmm. Can't upload a screenshot, so I'll transcribe. Sorry if any errors have crept in.
/dev/sda - GParted
unallocated 698.39 GiB unallocated 2.05 TiB

/dev/sda1 [Encrypted] 7.81 MiB 7.81 MiB 0.00 B boot
unallocated unallocated 698.39 GiB --- ---
/dev/sda2 extended 243.17 MiB --- --- lba
/dev/sda5 ext2 243.14 Mib 100.33 MiB 142.81 MiB
unallocated unallocated 2.05 TiB --- ---
-----

-----
File systems found on /dev/sda

#1: ext2/3/4, ReiserFs or XFS (243 Mib)
-----

-----
gparted-roview-AI9bMk/
/tmp/gparted-roview-Al9bMk/ - File Manager
Warning, you are using the root account, you may harm your system.

DEVICES grub initrd.img-2.6.28-14-generic vmcoreinfo-2.6.28-16-generic
File System abi-2.6.28-11-generic initrd.img-2.6.28-15-generic vmcoreinfo-2.6.28-17-generic
Filesystem root abi-2.6.28-13-generic initrd.img-2.6.28-16-generic vmlinuz-2.6.28-11-generic
abi-2.6.28-14-generic initrd.img-2.6.28-17-generic vmlinuz-2.6.28-13-generic
PLACES abi-2.6.28-15-generic memtest86_.bin vmlinuz-2.6.28-14-generic
root abi-2.6.28-16-generic System.map-2.6.28-11-generic vmlinuz-2.6.28-15-generic
abi-2.6.28-17-generic System.map-2.6.28-13-generic vmlinuz-2.6.28-16-generic
NETWORK config-2.6.28-11-generic System.map-2.6.28-14-generic vmlinuz-2.6.28-17-generic
Browse Network config-2.6.28-13-generic System.map-2.6.28-15-generic
config-2.6.28-14-generic System.map-2.6.28-16-generic
config-2.6.28-15-generic System.map-2.6.28-17-generic
config-2.6.28-16-generic vmcoreinfo-2.6.28-11-generic
config-2.6.28-17-generic vmcoreinfo-2.6.28-13-generic
initrd.img-2.6.28-11-generic vmcoreinfo-2.6.28-14-generic
initrd.img-2.6.28-13-generic vmcoreinfo-2.6.28-15-generic

The crashed disk DOES boot, and asks for the disk password, which I hope is encouraging:
-----
Boot from (hd0,4) ext2 75229f12-997f-426e-b320-d8c99b07c320

Starting up ...
Loading, please wait...
Command failed: no key available with this passphrase.

key slot 0 unlocked
Command successful.
File descriptor 3 left open
device-mapper: reload ioctl failed: Invalid argument
device-mapper: reload ioctl failed: Invalid argument
2 logical volume(s) in volume group "rabbit" now active
stdin: error 0
Gave up waiting for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for the right device?)
-Missing modules (cat /proc/modules; ls/dev)
ALERT! /dev/mapper/rabbit-root does not exist. Dropping to shell.

BusyBox V1.10.2 (Ubuntu1:1.10.2-2ubuntu7) built-in shell (ash)

Enter 'help' for a list of built-in commands.

(initramfs)

The File Manager under the crashed disk's system shows two unmounted devices, "255 MB Volume", and "8.2 MB Encrypted". I suspect the second is a fragment of my broken encrypted file system. Clicking on either one returns "No object for D-Bus interface".

Is there any hope of recovering this? If there's no hope, I'd appreciate someone telling me.

Thanks!
Last edited by rabbit on 23 Mar 2018, 18:06, edited 1 time in total.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Help recovering encrypted drive -- reward!

#2 Post by cgrenier »

Can you post the testdisk.log file generated by TestDisk after searching for the partition?

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Re: Help recovering encrypted drive -- reward!

#3 Post by rabbit »

Sure!

Mon Dec 11 20:39:14 2017
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.4.103-1-MANJARO (#1 SMP PREEMPT Thu Nov 30 13:56:15 UTC 2017) x86_64
Compiler: GCC 6.3
Compilation date: 2017-03-29T18:57:40
ext2fs lib: 1.43.7, ntfs lib: libntfs-3g, reiserfs lib: 0.3.0.5, ewf lib: none, curses lib: ncurses 6.0
User is not root!
Hard disk list
Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63, sector size=512 - WDC WD30EZRZ-00GXCB0, S/N:WD-WCC7K3DDHE0R, FW:80.00A80
Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512 - WDC WD20EARS-00MVWB0, S/N:WD-WMAZA3709172, FW:51.0AB51

Partition table type (auto): EFI GPT
Disk /dev/sda - 3000 GB / 2794 GiB - WDC WD30EZRZ-00GXCB0
Partition table type: EFI GPT

Analyse Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
hdr_size=92
hdr_lba_self=5860533167
hdr_lba_alt=1 (expected 1)
hdr_lba_start=34
hdr_lba_end=5860533134
hdr_lba_table=5860533135
hdr_entries=128
hdr_entsz=128
Bad GPT partition, invalid signature.
Trying alternate GPT
 1 P Unknown                     2048 5860532223 5860530176 [zanzibar]
Current partition structure:
Bad GPT partition, invalid signature.
Trying alternate GPT
 1 P Unknown                     2048 5860532223 5860530176 [zanzibar]

I'm running the Deeper Search now, if that might be useful. I did discover three partitions with GParted (above), /dev/sda1, /dev/sda2, and /dev/sda5 that don't appear in this Quick Search with TestDisk.

Thanks for the help!

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Re: Help recovering encrypted drive -- reward!

#4 Post by rabbit »

The above testdisk.log is incorrect. I ran the wrong sectoring.

The correct testdisk.log:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
     Partition               Start        End    Size in sectors
>D Linux                    0   1  1     0 254 63      16002
 D Linux                    0  32 33 364801  66  1 5860530176
 D Linux                91170   1  1 91200 254 63     497952









Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 1 (Data size unknown), 8193 KB / 8001 KiB

Please pardon that above.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Help recovering encrypted drive -- reward!

#5 Post by cgrenier »

Please post the testdisk.log file content, not a copy/paste of a single screen.

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Re: Help recovering encrypted drive -- reward!

#6 Post by rabbit »

Thank you for your patience! I hope this will be what you are looking for:

Fri Dec 15 19:00:39 2017
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 4.4.103-1-MANJARO (#1 SMP PREEMPT Thu Nov 30 13:56:15 UTC 2017) x86_64
Compiler: GCC 6.3
Compilation date: 2017-03-29T18:57:40
ext2fs lib: 1.43.7, ntfs lib: libntfs-3g, reiserfs lib: 0.3.0.5, ewf lib: none, curses lib: ncurses 6.0
User is not root!
Hard disk list
Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63, sector size=512 - WDC WD30EZRZ-00GXCB0, S/N:WD-WCC7K3DDHE0R, FW:80.00A80
Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512 - WDC WD20EARS-00MVWB0, S/N:WD-WMAZA3709172, FW:51.0AB51

Partition table type (auto): EFI GPT
Disk /dev/sda - 3000 GB / 2794 GiB - WDC WD30EZRZ-00GXCB0
Partition table type: Intel

Analyse Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
Geometry from i386 MBR: head=255 sector=63
get_geometry_from_list_part_aux head=255 nbr=6
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=6
Current partition structure:
 1 * Linux                    0   1  1     0 254 63      16002
 2 E extended LBA         91170   0  1 91200 254 63     498015
 5 L Linux                91170   1  1 91200 254 63     497952

search_part()
Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63

     Linux                    0   1  1     0  33 40       2056
     LUKS 1 (Data size unknown), 1052 KB / 1028 KiB

recover_EXT2: s_block_group_nr=0/30, s_mnt_count=18/30, s_blocks_per_group=8192, s_inodes_per_group=4016
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248976
recover_EXT2: part_size 497952
     Linux                91170   1  1 91200 254 63     497952
     ext2 blocksize=1024 Sparse_SB, 254 MB / 243 MiB

block_group_nr 6561

recover_EXT2: "e2fsck -b 214990848 -B 4096 device" may be needed
recover_EXT2: s_block_group_nr=6561/22356, s_mnt_count=0/4294967295, s_blocks_per_group=32768, s_inodes_per_group=8192
recover_EXT2: s_blocksize=4096
recover_EXT2: s_blocks_count 732566272
recover_EXT2: part_size 5860530176
     Linux                    0  32 33 364801  66  1 5860530176
     ext3 blocksize=4096 Large_file Sparse_SB Backup_SB, 3000 GB / 2794 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=3

Results
     Linux                    0   1  1     0 254 63      16002
     LUKS 1 (Data size unknown), 8193 KB / 8001 KiB
     Linux                    0  32 33 364801  66  1 5860530176
     ext3 blocksize=4096 Large_file Sparse_SB Backup_SB, 3000 GB / 2794 GiB
     Linux                91170   1  1 91200 254 63     497952
     ext2 blocksize=1024 Sparse_SB, 254 MB / 243 MiB

Hint for advanced users. dmsetup may be used if you prefer to avoid to rewrite the partition table for the moment:
echo "0 16002 linear /dev/sda 63" | dmsetup create test0
echo "0 5860530176 linear /dev/sda 2048" | dmsetup create test1
echo "0 497952 linear /dev/sda 1464646113" | dmsetup create test2

interface_write()
 
No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.
(END)
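
The sector arithmetic behind the log's dmsetup hint, as an added example that is not part of the original posts or of TestDisk: it converts the CHS start of each "Results" row to an LBA sector using the logged geometry (255 heads, 63 sectors), rebuilds the linear device-mapper tables, and does a read-only check for a LUKS1 header at a given sector. The function names and the in-memory test image (with made-up cipher fields) are assumptions constructed for illustration.

```python
import io, re, struct

HEADS, SECTORS, SECTOR_SIZE = 255, 63, 512  # geometry from the log: CHS 364801 255 63
LUKS1_MAGIC = b"LUKS\xba\xbe"
# "Results" partition rows copied from the testdisk.log above.
LOG = """\
     Linux                    0   1  1     0 254 63      16002
     Linux                    0  32 33 364801  66  1 5860530176
     Linux                91170   1  1 91200 254 63     497952
"""
# Columns: type name, start C H S, end C H S, size in sectors.
ROW = re.compile(r"^\s+\D+?\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\d+)\s*$")

def chs_to_lba(c, h, s, heads=HEADS, sectors=SECTORS):
    """CHS -> LBA. Heads count from 0, sectors from 1."""
    if not (0 <= h < heads and 1 <= s <= sectors):
        raise ValueError(f"CHS {c}/{h}/{s} does not fit geometry {heads}/{sectors}")
    return (c * heads + h) * sectors + (s - 1)

def parse_results(text):
    """Return [(start_lba, size_in_sectors), ...] for each partition row."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(chs_to_lba(*map(int, m.groups()[:3])), int(m.group(4))) for m in rows if m]

def dmsetup_tables(parts, dev="/dev/sda"):
    """Linear device-mapper tables: map a region without rewriting the partition table."""
    return [f"0 {size} linear {dev} {lba}" for lba, size in parts]

def luks1_header_at(image, lba):
    """Read-only check for a LUKS1 header at a sector; returns its fields or None."""
    image.seek(lba * SECTOR_SIZE)
    hdr = image.read(112)
    if len(hdr) < 112 or hdr[:6] != LUKS1_MAGIC:
        return None
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii", "replace")
    payload_offset, key_bytes = struct.unpack(">II", hdr[104:112])
    return {"version": struct.unpack(">H", hdr[6:8])[0], "cipher": text(hdr[8:40]),
            "mode": text(hdr[40:72]), "hash": text(hdr[72:104]),
            "payload_offset": payload_offset, "key_bytes": key_bytes}

def sample_image():
    """Constructed test image: zeros, then a made-up LUKS1 header at sector 63."""
    hdr = (LUKS1_MAGIC + struct.pack(">H", 1) + b"aes".ljust(32, b"\0")
           + b"cbc-essiv:sha256".ljust(32, b"\0") + b"sha1".ljust(32, b"\0")
           + struct.pack(">II", 2056, 32))
    return io.BytesIO(bytes(63 * SECTOR_SIZE) + hdr.ljust(SECTOR_SIZE, b"\0"))

if __name__ == "__main__":
    print("\n".join(dmsetup_tables(parse_results(LOG))))
```

On a block copy of the disk, pass a file opened with `open(path, "rb")` to `luks1_header_at`; it only seeks and reads.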


cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Help recovering encrypted drive -- reward!

#7 Post by cgrenier »

TestDisk has found a LUKS header at 0 1 1 and two other partitions.
Use EFI GPT for the partition table type.
If you had a single LUKS partition on the whole disk, use 'a' to manually add a partition starting at 0 1 1 and ending at the end of the disk, set the partition type to MSData.
On next screen, choose Write, confirm, Quit and restart your computer.

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Re: Help recovering encrypted drive -- reward!

#8 Post by rabbit »

Begging your understanding here, but I want to get this correct. The branches from [Analyse] [Advanced] [Geometry] and [Options] seem to use "243061471 1707156878 1464095408-type" entries, not " 0 1 1 ". Am I on the right page?

I'm using TestDisk 7.0.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Help recovering encrypted drive -- reward!

#9 Post by cgrenier »

Try "318" to the starting sector.

rabbit
Posts: 8
Joined: 10 Dec 2017, 20:19

Re: Help recovering encrypted drive -- reward!

#10 Post by rabbit »

Unfortunately, this didn't work. My notes:

Starting over, I click analyze and run that again. Terminal at that point is:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors

Bad GPT partition, invalid signature.
Trying alternate GPT
 1 P Unknown                     2048 5860532223 5860530176 [zanzibar]



                P=Primary  D=Deleted
>[Quick Search]  [ Backup ]
                            Try to locate partition

Choose [Quick search], producing this:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
     Partition               Start        End    Size in sectors
>D MS Data                       63       2118       2056
 D MS Data                     2046 5860532221 5860530176
 D Solaris /home          243061471 1707156878 1464095408





Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 1 (Data size unknown), 1052 KB / 1028 KiB

Enter 'a' as instructed, using "318" as starting sector, EFI System, Done:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 3000 GB / 2794 GiB - CHS 364801 255 63
     Partition               Start        End    Size in sectors
>D MS Data                       63       2118       2056
 P EFI System                   318 5860533167 5860532850
 D MS Data                     2046 5860532221 5860530176
 D Solaris /home          243061471 1707156878 1464095408
 
 
 
Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 1 (Data size unknown), 1052 KB / 1028 KiB

My guess: the repair is adding a new "EFI System" partition, instead of repairing the existing one.

Restart, Boot:
(this is my transcription by hand. Hope I did it accurately!)

Boot from (hd0,4) ext2 75229f12-997f-426e-b320-d8c99b07c320

Starting up ...
Loading, please wait...
key slot 0 unlocked.
Command successful.
File descriptor 3 left open
   device-mapper: reload wctl failed: Invalid
   device-mapper: reload wctl failed: Invalid
   2 logical volume(s) in volume group "rabbit" now active
   stdin: error 0
   Gave up waiting for root device. Common problems:
      --boot args (cat /proc/cmdline)
      --Check rootdelay= (did the system wait long enough?)
      --Check root= (did the system wait for the right device?)
   -- Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/mapper/rabbit root does not exist. Dropping to a shell!
BusyBox V1.100.2 (Ubuntu 1:1.10.2-2ubuntu7) built-in shell (ash)
Enter 'help' for a list of built-in commands.

(initramfs)
(initramfs) __

