Recalling from memory, since I used to mount it frequently, I can remember the digits 9.7 GB and I'm completely, 100% sure that the file system was FAT32.
After I used testdisk to recover a previously deleted partition on the same drive, which was what caused it to become corrupt, the TrueCrypt partition now has the following visual characteristics, Partition 1 being it.
In WinHex it shows:
Hard disk1
Partitioning style: MBR
0+0+6 files. 4 partitions

| Name | Ext. | Size | Created | Modified | Record changed | Attr. | 1st sector |
|---|---|---|---|---|---|---|---|
| Start sectors | | 31.5 KB | | | | | 0 |
| Partition 1 | NTFS | 9.1 GB | | | | | 63 |
| Unpartitioned space | | 7.7 GB | | | | | 19.020.960 |
| Partition 2 | Ext3 | 3.1 GB | | | | | 35.104.768 |
| Unpartitioned space | | 4.0 GB | | | | | 41.658.368 |
| Partition 3 | Ext3 | 3.6 GB | | | | | 50.132.992 |
| Partition gap | | 1.0 MB | | | | | 57.784.320 |
| Partition 4 | Ext4 | 1.2 GB | | | | | 57.786.368 |
| Unpartitioned space | | 8.5 GB | | | | | 60.243.968 |
In Windows 7 Disk Management it shows the following, the partition being ‘9.07 GB RAW Healthy (Active, Primary’:
| Volume | Layout | Type | File System | Status | Capacity | Free Space | % Free | Fault Tolerance | Overhead |
|---|---|---|---|---|---|---|---|---|---|
| | Simple | Basic | | Healthy (Primary Partition) | 3.13 GB | 3.13 GB | 100% | No | 0% |
| | Simple | Basic | | Healthy (Primary Partition) | 3.65 GB | 3.65 GB | 100% | No | 0% |
| | Simple | Basic | | Healthy (Primary Partition) | 1.17 GB | 1.17 GB | 100% | No | 0% |
| | Simple | Basic | RAW | Healthy (Primary Partition) | 9.07 GB | 9.07 GB | 100% | No | 0% |

Disk 1 Basic 37.27 GB Online
- 9.07 GB RAW Healthy (Active, Primary
- 7.67 GB Unallocated
- 3.13 GB Healthy (Primary Part
- 4.04 GB Unallocated
- 3.65 GB Healthy (Primary Parti
- 1.17 GB Healthy (Primary Parti
- 8.54 GB Free space

Open WinHex (run as administrator).
1. In the WinHex directory browser, I clicked once on "Unpartitionable Space" and it placed my cursor right after the (assumed) end of the lost partition.
2. Navigation, Go to offset, 20000 Bytes hexadecimal (had to toggle the hexadecimal mode by clicking on the offset column), current position (back from), OK.
3. Step 1 placed my cursor just below the lost partition's endpoint; therefore Step 2 moved my cursor to the location where TrueCrypt's embedded backup header begins.
4. Looked around the area carefully, going up a few screens, then going down a few more screens (pressing PgUp or PgDn to move one screen at a time), and saw completely random-looking data.
5. Adapt the method described in /PROCESS/How to recover deleted Truecrypt Partition.odt to define the block and save it as a file:
a. Click once in the Offsets column to switch to Decimal mode.
b. Edit; Define Block; Beginning = 09738600448 [Beginning of block]; End = 9738800448 [End of block]; OK.
Got the number to increase by, which is 200000, by subtracting 1048576 (end of block) from 1248576 (beginning of block), which come from How to recover deleted Truecrypt Partition. Saved file as 09738600448.tc
Volume didn’t mount. The TrueCrypt dialogue box says ‘Incorrect password or not a TrueCrypt volume’.
How InterestedParty got the number for his partition offset is unknown. Possibly he just clicked on the ‘Unpartitioned space’ following the ‘Start sectors’ in WinHex’s directory browser, thus placing the cursor at the point where that partition begins, and then he got the row’s number in decimal from the offset column.
Part 1 - Creating the test file:
1) If any TrueCrypt volumes are currently mounted, dismount them. I only have two VeraCrypt volumes mounted so we’re good.
2) Open WinHex.
3) To reduce the chances of screwing up the drive, I clicked Options: Edit Mode and ensured that I am in Read-Only mode.
4) Clicked Tools: Open Disk and selected the correct disk under Physical Media.
5) The Offsets column was in Decimal mode so we’re good.
6) Edit; Define Block; Beginning = 32256 [Beginning of block]; End = 232256 [End of block]; OK. What I did here is click on the partition in order to get its offset, which was 32256, and add 200000 to that number for 200kb of data from it, which should contain the header. Also because I’m using the evaluation version of WinHex, which doesn’t allow more than 200kb of data to be copied.
7) Edit; Copy Block; Into New File. At this point, I saved the file with filename "32256.tc", then clicked Save. (The .tc extension is merely for convenience in mounting the volume.)
8) Noticed that the newly created file appeared in a new tab or window in WinHex. Right-clicked on the tab and selected Close, then exited WinHex.
Part 2 - Testing the file to see if the header is present, intact and accepts my password:
1) Opened TrueCrypt; clicked on a free drive letter; selected File; specified the file "32256.tc"; clicked on Mount; entered the password for the lost partition; and clicked OK.
Volume didn’t mount. The TrueCrypt dialogue box says ‘Incorrect password or not a TrueCrypt volume’.
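
Added example, not part of the original post: the arithmetic behind the two block offsets used above (32256 and 9738600448), derived from the sector numbers in the WinHex listing, together with a read-only carve and a randomness check on the 512-byte candidate. It assumes 512-byte sectors and that the volume ended exactly where the listing's next entry begins; the function names and the 7.0 bits/byte threshold are illustrative choices, and the sample bytes are constructed.

```python
import hashlib
import math

SECTOR = 512           # bytes per sector (assumed; matches 63 * 512 = 32256 in the post)
BACKUP_BACK = 0x20000  # embedded backup header starts 131072 bytes before the volume end
HEADER_LEN = 512       # one volume header: 64-byte salt followed by encrypted fields


def header_candidates(first_sector, next_sector):
    """Byte offsets of the primary and embedded backup header for a volume
    occupying sectors [first_sector, next_sector)."""
    start, end = first_sector * SECTOR, next_sector * SECTOR
    if end - start <= BACKUP_BACK:
        raise ValueError("span too small to contain a backup header")
    return {"primary": start, "backup": end - BACKUP_BACK}


def carve(image_path, offset, length=HEADER_LEN):
    """Copy `length` bytes at `offset` out of a disk or image opened read-only."""
    with open(image_path, "rb") as img:
        img.seek(offset)
        data = img.read(length)
    if len(data) != length:
        raise ValueError(f"short read at offset {offset}")
    return data


def entropy(data):
    """Shannon entropy in bits per byte; ciphertext approaches 8, zeros give 0."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def looks_random(block, threshold=7.0):
    """A header has no plaintext signature, so the only offline check is that the
    candidate is not zeros or a readable boot sector. Threshold is an assumption."""
    return bool(block) and entropy(block) >= threshold


def constructed_sample():
    """512 deterministic random-looking bytes standing in for a header (constructed)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    # Sector numbers from the WinHex listing: Partition 1 starts at 63 and the
    # next entry (unpartitioned space) starts at 19,020,960.
    print(header_candidates(63, 19020960))
    print(looks_random(constructed_sample()), looks_random(bytes(HEADER_LEN)))
```

A candidate that fails the randomness check has been overwritten or sits at the wrong offset. One that passes still has to be tested by mounting, since only the password can confirm a header.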