
Help recovering data from TrueCrypt volume

Posted: 19 Feb 2014, 06:45
by Loke
Hi

Hoping that someone in here can understand my less-than-professional lengthy confused explanation - and my poor English - and perhaps lend me a very much appreciated hand:

I've got two WD 3TB HDDs from which I've lost a lot of data. I bought them to back up data (near 2TB each) from several smaller drives. The disks were initialized (GPT) but not partitioned, and both (2.7TB raw) disks were TC-encrypted with an NTFS hidden container (for maximum deniability). The smaller drives have unfortunately been reused and overwritten, as the ~2TB backups were done, checked and verified, seemingly successfully. After a while I mounted the disks for another batch to be backed up (~271GB on one, the most important disk). Those backups also went seemingly fine (all checked and verified). After a while I wanted to retrieve some data, and tried to mount the drives again. Suddenly the volumes had problems mounting. One disk wouldn't mount manually, though it could still be mounted using Mount favorite (favorite volumes.xml). The other (most important) disk reported "not a truecrypt disk", yet I could mount it using the backup header. In Disk Management (Win7 64-bit) the drives were now being reported as 746GB, and so did TC (which I didn't notice). The file system still reported 2.7TB with 788GB free prior to the second backup. After this second backup I tried to update the drive in CD Catalog Expert, but the program froze the PC and I had to reboot. After reboot and remount, all data from the previous (first) backup had disappeared.

I then ran chkdsk, which found and "corrected" some errors. After chkdsk and another reboot, the disk was shown to be the correct size in Disk Management and TC, but now as "Uninitialized", yet still mountable in TC using the backup header.

Some (271GB) of the new backup batch is intact, and some (386GB) of the older batch is now incomplete and in found.000 (a few of the files corrupted). I guess that Win7 must have temporarily (when I made the last backup) seen the disks as being MBR (& LBA) and thus only recognized 746GB (yet TC mounted them anyway?).

Tried to follow all the instructions here on CGSec, and ran TestDisk, but haven't been able to recover anything at all.

TestDisk reports "can't read backup BS", and "Dump" shows the backup BS being empty (only 0's). I then created a dd image (TD reported some read errors, but also success), and have been working on the image.dd only.

TD reported BOTH BS being bad (on the image, not the disk), and therefore there was no "Org.BS" option. I then tried "Rebuild BS", but with no changes in data. With the BS and backup BS now identical, I tried "Repair MFT", yet still no changes. The backup BS is written at the end of the disk, and I thought that to be the reason for the backup BS being bad (due to the different disk sizes in the first and second backup). The lost ~2TB data must still be on the disk (perhaps partly overwritten), and I hoped some tool could find the old MFT and/or carve the files. My first choice was carving data with PhotoRec, but PR must have a limited stack (the lost files being 57489 Files in 5508 Folders, some with 255+ chars filenames) and after some 8h it reported "integer overflow" and exited. I've tried GDBNTFS, Recuva, Restorer Ultimate, OnTrack Easy Recovery and Zero Assumption with no success.

TD (or PhotoRec) reported something about LBA, and TD notes that the disk geometry needs to be correct for a successful recovery. Then I read somewhere that MBR uses 4kb sector LBA, and TD shows the sector-size to be 512kb. I feel I might be on to something here?!?

Fact:
I'm a computer mechanic, albeit retired in '98 and VERY rusty (impaired memory partly the reason for early retirement).
Hindsight is always 20-20.

I have the drive details (all the lost data) in a .zdc (CD Catalog Expert database) that can be dumped to .xml, and thus have the exact name, size etc. of every single dir/file missing. The disk (TC volume) had a total capacity of 2,780GB, with 1,991,31GB used and 788,70GB free space (before the 271GB new and damaging backup batch was written to the Win7/TC mismatch sized drive).

I'm ready to pay for data recovery if I'm not able to do it myself.

Questions:

1. Can I trust the TD image, even though it reported read errors, and both BS were reported bad (on the disk only the original was bad)?

2. How and to what CHS do I change the disk geometry in TD, and would it accomplish anything?

3. Any suggestions (perhaps detailed step-by-step) on how to proceed without further damaging the drives?

4. Any recommendations on a professional and affordable recovery service company (preferably with an estimate of the success rate)?

Regards,

Loke