Restore Partition Table from MyBook 3TB (encrypted TC) Topic is solved

How to use TestDisk to recover lost partition
Locked
Message
Author
freyer
Posts: 3
Joined: 06 Apr 2014, 07:51

Restore Partition Table from MyBook 3TB (encrypted TC)  Topic is solved

#1 Post by freyer » 06 Apr 2014, 10:23

Hi dear community,

i would please like to request help from an expert. I hope you can understand my english(im no native speaker). I used TestDisk and it is a very nice tool, but it cant find any old partition table from my HDD even with deep search.

I have an external WD MyBook 3 TB HDD(WDBACW0030HBK-04). As far as I investigated it WD uses advanced formating (MBR instead of GPT and 4k sector size as factory setting).I used the NTFS Partition from created with the factory setting and ecrypted the whole partition with True Crypt NTFS. I guess somehow Windows didnt recognize the partition and I mounted Device\Harddisk\Partition 0 instead of Device\Harddisk\Partition 1 (maybe Partition 1 wasnt even there at this point of time). Then there was a popup after my password wasnt accepted i should restore the header with the backup header. Thats what i did. It accepted my password again but the Filesystem was RAW instead of NTFS(or is the encrypted Partition raw and only the decrypted NTFS. I dont know what true crypt do when encrypting a NTFS partition with TC set to NTFS). I think the backup header has destroyed the partition table, because TC wrote it at the beginning of the physical drive and not the logical partition. So I tested with winhex if my TC Partition is still there (copy from offset 1048576 till 2Mb and tried to mount it). It accepted my password without restoring the header. Then i tried to recreate the partition with windows Disk Management. It asked me to initilize the disk I did, first as MBR (cause wd uses this), but it splitted the disk in 2TB and 750GB part. Than i switched to GPT (I thought maybe after all my HDD was GPT) and it was one part again. But Test Disk listed tow partitions now. An MRS 128MB Partition (Microsoft reserved Space). Im certain this wasnt there before. I Test Disk should select the partitiontable type Intel and not EFI GPT automaticly. This should result from chaging it from mbr to gpt with diskmanager. But I didnt want to change it back again and make it even worse.

I think I know what i need to do, but not how. Is there some way to create a volume with 4096kb sector size in RAW format? I dont know how to do this with test disk and which values (start end, header size usw.) I need.

Here some Info from 3TB disk

Code: Select all

Sat Apr 05 16:29:42 2014
Command line: TestDisk

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows 7 (7601) SP1
Compiler: GCC 4.7, MinGW 3.11
Compilation date: Jul 30 2013 14:09:04
ext2fs lib: none, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: 20120504
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=640145817600
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=3000558944256
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=640038207488
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.


filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.


Warning: can't get size for \\.\D:
Hard disk list
Disk \\.\PhysicalDrive0 - 640 GB / 596 GiB - CHS 77826 255 63, sector size=512
Disk \\.\PhysicalDrive1 - 3000 GB / 2794 GiB - CHS 45599 255 63, sector size=4096
Drive C: - 640 GB / 596 GiB - CHS 77813 255 63, sector size=512

Partition table type (auto): EFI GPT
Disk \\.\PhysicalDrive1 - 3000 GB / 2794 GiB
Partition table type: EFI GPT

Analyse Disk \\.\PhysicalDrive1 - 3000 GB / 2794 GiB - CHS 45599 255 63
hdr_size=92
hdr_lba_self=1
hdr_lba_alt=732558335 (expected 732558335)
hdr_lba_start=6
hdr_lba_end=732558330
hdr_lba_table=2
hdr_entries=128
hdr_entsz=128
check_part_gpt failed for partition
 1 P MS Reserved                    6      32773      32768 [Microsoft reserved partition]
check_part_gpt failed for partition
 2 P MS Data                    33024  732558079  732525056 [Basic data partition]
Current partition structure:
No FAT, NTFS, ext2, JFS, Reiser, cramfs or XFS marker
 1 P MS Reserved                    6      32773      32768 [Microsoft reserved partition]
 1 P MS Reserved                    6      32773      32768 [Microsoft reserved partition]
No FAT, NTFS, ext2, JFS, Reiser, cramfs or XFS marker
 2 P MS Data                    33024  732558079  732525056 [Basic data partition]
 2 P MS Data                    33024  732558079  732525056 [Basic data partition]
Here is some Information on an WD Mybook 2TB with the same setup, maybe it helps:

Code: Select all

Sun Apr 06 09:03:36 2014
Command line: TestDisk

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows 7 (7601) SP1
Compiler: GCC 4.7, MinGW 3.11
Compilation date: Jul 30 2013 14:09:04
ext2fs lib: none, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: 20120504
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=640145817600
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=2000365289472
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=640038207488
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.


filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.


Warning: can't get size for \\.\D:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\G:)=2000364240896
Hard disk list
Disk \\.\PhysicalDrive0 - 640 GB / 596 GiB - CHS 77826 255 63, sector size=512
Disk \\.\PhysicalDrive1 - 2000 GB / 1862 GiB - CHS 243197 255 63, sector size=512
Drive C: - 640 GB / 596 GiB - CHS 77813 255 63, sector size=512
Drive G: - 2000 GB / 1862 GiB - CHS 243197 255 63, sector size=512

Partition table type default to Intel
Drive G: - 2000 GB / 1862 GiB
Partition table type: Intel

Analyse Drive G: - 2000 GB / 1862 GiB - CHS 243197 255 63
Current partition structure:

Partition sector doesn't have the endmark 0xAA55
I'll get the deepsearch results logs tomorrow or the day after, because i tested it on another PC I dont have access right now.

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 3571
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Restore Partition Table from MyBook 3TB (encrypted TC)

#2 Post by cgrenier » 15 Apr 2014, 18:43

For partition recovery, it's better to use PhysicalDisk instead of drive letter.
Windows creates partition on 1-MB boundary.
If the sector size is 512 bytes, the first partition usually begins at sector 2048 and all partitions will begin at a multiple of 2048.
If the sector size is 4096 bytes, the first partition usually begins at sector 256 and all partitions will begin at a multiple of 256 (ie. 33024 is a multiple of 256).
To manually add a partition, after Quick Search, use the 'a' key.

Hope this help. Recovering TrueCrypt partition is always hard.

freyer
Posts: 3
Joined: 06 Apr 2014, 07:51

Re: Restore Partition Table from MyBook 3TB (encrypted TC)

#3 Post by freyer » 17 Apr 2014, 20:44

Hello cgrenier,

thank you for replying. I needed about two weeks to finaly get it back to work with many days scanning and reading through the Internet. But hey, it was worth it. Here what I did (more detailed description than my first post):
(But you need to invest some Money for this!)

Extract the Header and a bit of data with Winhex (bought it to copy more than 200KB) - Block 1048576 to 3145727 and saved it as .tc file. I tried to mount it to see if the header still works (password accepted). Now you need to check if the decryption is working properly. I opened the extracted and mounted File/Partition with WinHex and look with "Text only" for real words (no random Data). There was the word "File", so it worked too.
If you want the complete version: http://www.wilderssecurity.com/threads/ ... le.336671/ all credits to dantz for this manual

Now followed the most complicated part for me. I tried to add a partition manually with Test Disk, but couldn't find the right values. As you could see(first post) the Microsoft Disc Manager used a multiple of 256. But the Microsoft Reserved Partition shouldnt be there. I dont know all the sizes, but normaly I think it goes like: Sector 0-x1 NTFS Partitiontable than (x1+1)-x2 TC Header and after x2 all the encrypted Data. After a lot of attempts i capitulated and returned to google.
This is no advertisement, but I sadly couldnt get it to work with Test Disk :oops: , also its a great tool
There I found the hint, that WD Quick format Tool is based on Acronis engine. I bought Acronis Disk Director Home and created a primary partition without formating it. And booom it was all ok again :D. And the partition type was intel again (viz. MBR >2TB).

Here is the working Partition table:

Code: Select all

Analyse Disk \\.\PhysicalDrive1 - 3000 GB / 2794 GiB - CHS 45599 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
Current partition structure:
Invalid NTFS or EXFAT boot
1 * HPFS - NTFS              0   8  9 45599 161  2  732557568
1 * HPFS - NTFS              0   8  9 45599 161  2  732557568

@cgrenier: But this isnt a multiple of 256? Is there a way to get this start value manual without trail and error or buying software? Is there some logic to follow?

User avatar
cgrenier
Site Admin
Posts: 3571
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Restore Partition Table from MyBook 3TB (encrypted TC)

#4 Post by cgrenier » 19 Apr 2014, 07:56

CHS=0,8,9, disk geometry 255 sectors per head => LBA=8*255+9-1=2048 sectors => 1 MB (sector size is 512)

To help with such recovery, I will probably need to add to TestDisk an interface to switch the information between CHS, LBA and size in MB.

freyer
Posts: 3
Joined: 06 Apr 2014, 07:51

Re: Restore Partition Table from MyBook 3TB (encrypted TC)

#5 Post by freyer » 20 Apr 2014, 11:29

:idea: Thank you for showing the math, but why isnt it 4096? Is it due to the use of 512 emulation of the physical 4096 sectors through the WD Enclosure. I thought they use a 4k LBA for MBR partitioned HDDs > 2TB...all this theorie behind HDD's makes my head spin :? . What does this 1MB value state? And yes as far as I remember there is a options in acronis where i could set the value to 1MB (it was the default value, so I left it alone). If this interface makes it easier to recover advanced formatted HDDs it would be great if you do it :D .

Locked

Who is online

Users browsing this forum: No registered users and 0 guests