How to use TestDisk to recover lost partition
#1 Post by greenelephant » 28 Jun 2013, 01:11


I am in a very bad situation and I realise I may be clutching at straws here, but I have a 1TB (931GB to be more precise) HDD encrypted with truecrypt with two volumes (one outer and one hidden). They are encrypted via password. I was attempting to encrypt a different hard drive with truecrypt and went through the set-up to do so and clicked ahead to encrypt the hard drive. However, to my horror, I realised that I had selected my already truecrypt-encrypted hard drive as the target drive instead of my unencrypted drive. I would say about 5-6 seconds passed before I pulled the power supply to my already encrypted hard drive. :(
On this hard drive is very important data!

I have read your article on this URL ... ume_header and I understand the standard volume header would have disappeared as it is the first 512 bytes of the volume.

My data, however, is on the hidden volume and not the outer volume. As stated, it is 1536 from the host volume. I originally set up the HDD (931GB capacity) using truecrypt with a hidden volume 927GB large, using AES encryption and the RIPEMD-160 hash algorithm.

Is there still a chance to salvage any data?

Re: HELP!!!!!!!

#2 Post by cgrenier » 05 Jul 2013, 06:54

You need to restore the outer volume header first; the only possibility is with a backup.
Good luck

Re: HELP!!!!!!!

#3 Post by greenelephant » 06 Jul 2013, 13:50

Thanks for your post cgrenier

However, with reference to these URLs below

1. ... pt-volumes
2. ... ypt_Volume

It is to my understanding that truecrypt creates a backup copy of the volume headers at the end of the volume of each partition it creates.

As explained before I have a 931GB Hard drive that I created both an outer and hidden volume for my Hard drive. Nothing of any value was on the outer volume and the data I wish to recover is inside the hidden volume.
I used AES encryption and RIPEMD-160 Hash Algorithm when encrypting my hard drive when I originally created the truecrypt volumes.

As stated in URL 1 under "Use backup header embedded in volume if available", truecrypt creates a backup copy of the volume headers at the end of the volume. Considering that my HDD is 931GB in capacity and that the erroneous event of second encryption lasted for less than 10 seconds, I am reasonably safe to declare that truecrypt didn't erase the backup volume header originally on there. (Unless anyone can prove otherwise.)
This is also supported by URL 2, created by CGSecurity itself, stating that the hidden volume header is located 1536 bytes from the end of the volume.

I understand the header for the outer volume is at the very beginning of the volume and it is most likely that I have lost access to it forever. But access to the outer volume isn't the issue. What I need is access to the hidden volume, and evidence I have seen in truecrypt and cgsecurity documentation suggests that I may not be completely clutching at straws (futile effort) in my goal of accessing the hidden volume data once more. Any help I can be given I shall be thankful for.

Happy days :)

Re: HELP!!!!!!!

#4 Post by Simpson474 » 20 Jul 2013, 23:13

If TrueCrypt did not have a bug in volume creation, there would be no chance at all, as all headers should be immediately overwritten when encrypting an already encrypted volume. However, there is a bug in TrueCrypt which causes no backup header to be written if formatting is cancelled (either using the cancel option on the dialog or by disconnecting the HDD).

The information from your second link is outdated if the volume has been encrypted using TrueCrypt 6 or newer. Starting from version 6 a header (both normal and hidden) is 64 KB in size (only the first 512 bytes are used though) and the headers are written to the following locations: normal header (offset 0KB), hidden header (offset 64KB), normal backup header (offset -128KB) and hidden backup header (offset -64KB). Due to the mentioned bug, the backup headers should not have been overwritten - unless you triggered the bug on the initial encryption of the volume and no backup header has been written at all.

First you should try to set the option "Use backup header embedded in volume if available" and check whether you can mount the volume - if the size of the hidden volume was at least 1 GB smaller than the outer volume, even the filesystem could be intact (6 seconds * 120 MB/s = 720 MB overwritten). If mounting the volume fails, a dump of the last 128 KB of the volume (can be created for example with HxD) would be interesting. If mounting succeeds but you cannot access the filesystem you might want to try GetDataBack on the logical volume mounted in TrueCrypt.
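
The header layout from post #4, as an added example (not part of the original thread, and not TrueCrypt or TestDisk code): it computes the four header offsets for a TrueCrypt 6+ volume and, opening the volume read-only, copies the last 128 KB to a file. It assumes `path` is an image file or a Linux block device holding the volume; the function names and the entropy check are illustrative additions.

```python
import math
import os
from collections import Counter

KB = 1024
SLOT = 64 * KB   # size of one header slot (figure from the post)
USED = 512       # bytes of a slot actually used (figure from the post)

# Offsets quoted in the post; negative values count back from the volume end.
LAYOUT = {
    "normal header": 0,
    "hidden header": 64 * KB,
    "normal backup header": -128 * KB,
    "hidden backup header": -64 * KB,
}

def header_offsets(volume_size):
    """Absolute byte offset of each header slot in a volume of this size."""
    if volume_size < 4 * SLOT:
        raise ValueError("volume is too small for four 64 KB header slots")
    return {name: off if off >= 0 else volume_size + off
            for name, off in LAYOUT.items()}

def entropy(data):
    """Shannon entropy in bits per byte: 0 for constant fill, above 7 for
    512 random-looking bytes (an encrypted header looks random)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(data).values())

def survey(path, dump_path=None):
    """Read-only pass: entropy of the used 512 bytes of every slot and,
    if dump_path is given, a copy of the last 128 KB (both backup slots)."""
    with open(path, "rb") as vol:
        size = vol.seek(0, os.SEEK_END)
        report = {}
        for name, offset in header_offsets(size).items():
            vol.seek(offset)
            report[name] = (offset, entropy(vol.read(USED)))
        if dump_path:
            vol.seek(size - 2 * SLOT)
            with open(dump_path, "wb") as out:
                out.write(vol.read(2 * SLOT))
    return report
```

A high entropy value only shows that a slot holds random-looking data; whether it is the original header can only be confirmed by a mount attempt with the password.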

