Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
Doomy
Posts: 4
Joined: 09 Apr 2019, 11:39

Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

#1 Post by Doomy »

I had a system running with two disk drives, a solid state primary drive containing Windows 10 and a 1TB spinning disk secondary drive for data storage. The secondary drive was encrypted using Veracrypt as a device-hosted non-system volume. The primary partition was encrypted using a different method (McAfee Endpoint Encryption).

The primary drive recently failed catastrophically beyond recovery. Since it was just used for OS and applications I was happy to accept the loss. I bought a new SSD to replace it. Before reinstalling Windows I disconnected the secondary drive, as I had heard reports that the Windows installer can make changes to attached disks.

Windows was reinstalled without a hitch, so I installed Vercrypt v1.23 and I reconnected the secondary drive. Now, when trying to mount the drive using Veracrypt I get an "Operation Failed (incorrect password, not a valid volume, etc.)". I was certain I was using the correct password, so I used 'Restore Volume Header' tool using a backup of the volume header I have. This process completed and now the drive is mounting using my password and is showing a drive letter in Windows Explorer. However, when I attempt to access the contents, I get the error "E:\ is not accessible / The parameter is incorrect".

I came across the Recover a TrueCrypt Volume on the cgsecurity.org website but I'm having trouble following some of the instructions. To quote the relevant section of the article:
Corrupted Standard Volume file system

Sometimes both Standard Volume header and filesystem boot sector are partially overwritten. After recovering the volume header using a backup, the volume can be accessed but the filesystem is still corrupted.

Recovery under Windows

Run TestDisk, select the drive letter corresponding to the damaged volume, choose `None` for partition type, Advanced. TestDisk can repair the FAT/NTFS boot sector, ext2/ext3 superblock.
It seems the instructions for the second paragraph above are incomplete. I tried following the instructions (selecting 'None' partition type) but after that I got lost. Any advice?

I managed to find the 'Analyse' option and I'm currently running this. I getting a few instances of the following warnings:

Code: Select all

Warning: number of sectors per track mismatches 2 (NTFS) != (HD)
Warning: number of heads/cylinder mismatches 16 (NTFS) != (HD)
Not sure if it's relevant or of any concern.

Thanks in advance!
Last edited by Doomy on 11 Apr 2019, 13:19, edited 1 time in total.

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Assistance recovery Veracrypt (Truecrypt) encrypted drive

#2 Post by cgrenier »

When dealing with VeraCrypt, you need to choose the unlocked drive letter (ie D:), not a PhysicalDrive.
Go in the Advanced menu (not Analyze), force the type to FAT32 or NTFS, Boot, RebuildBS...

Doomy
Posts: 4
Joined: 09 Apr 2019, 11:39

Re: Assistance recovery Veracrypt (Truecrypt) encrypted drive

#3 Post by Doomy »

cgrenier wrote: 11 Apr 2019, 06:01 When dealing with VeraCrypt, you need to choose the unlocked drive letter (ie D:), not a PhysicalDrive.
Go in the Advanced menu (not Analyze), force the type to FAT32 or NTFS, Boot, RebuildBS...
Thanks for the hint. I've tried following the 'Rebuild BS' option but these appears to have failed. The full TestDisk log file contained a number entries like the following:

Code: Select all

mft at 77783230
read_mft_info failed
ntfs_find_mft: sectors_per_cluster invalid
ntfs_find_mft: mft_lcn             2058
ntfs_find_mft: mftmirr_lcn         5162
ntfs_find_mft: mft_record_size     1024
Before ending with:

Code: Select all

Potential partition:
   P NTFS                    77781172 2031300275 1953519104
   P NTFS                    84343168 2037862271 1953519104
   P NTFS                    92066768 2045585871 1953519104
   P NTFS                   111364584 2064883687 1953519104
   P NTFS                   122019376 2075538479 1953519104
Failed to rebuild NTFS boot sector.
Not sure what this means. Any suggestions?

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

#4 Post by recuperation »

Testdisk found a couple of partitions. None of them contains the necessary data to rebuild the boot sector.

This is probably caused by the fact that you ignored the hint of cgrenier regarding decryption.

Doomy
Posts: 4
Joined: 09 Apr 2019, 11:39

Re: Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

#5 Post by Doomy »

Thanks all for the suggestions so far.
recuperation wrote: 11 Apr 2019, 21:23 Testdisk found a couple of partitions. None of them contains the necessary data to rebuild the boot sector.

This is probably caused by the fact that you ignored the hint of cgrenier regarding decryption.
I definately selected the decompressed volume. I have ran Photorec on the volume, which recovered over 45,000 files so I'm certain the volume is decrypted.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

#6 Post by recuperation »

Hello Doomy,

good to hear about your recovery success!

The reason I pretended that you ignored the hint of cgrenier is that you said:

"E:\ is not accessible / The parameter is incorrect".

The log that you linked showed that you searched on Drive E:.
But a drive can not simultaneously be the encrypted and the unencrypted drive. 8-)

Doomy
Posts: 4
Joined: 09 Apr 2019, 11:39

Re: Assistance with recovery of Veracrypt (Truecrypt) encrypted drive

#7 Post by Doomy »

recuperation wrote: 12 Apr 2019, 11:48 good to hear about your recovery success!
Sadly I wouldn't call it success - at least not the result I was hoping for. While Photorec recovered many files (proving that the drive is decrypting), it's not recovered everything. Ideally I'd like to recover the MBR and MFT so that I'm able to explore the disk and access all the data as I once could do before the my primary disk drive failed. I'm not sure why one disk drive failing would corrupt another drive, but this is either what happened, or in some way the Vercrypt volume was tightly coupled to original OS installation (I didn't think this was how Veracrypt device hosted volumes worked, though).

Locked