winhex problem

21 Posts
3 Users
0 Likes
3,463 Views
 ipwn
(@ipwn)
Posts: 11
Active Member
Topic starter
 

hi,
I had a problem on my TrueCrypt volume/partition, which became RAW. Now I'm trying to use the option Tools -> Disk tools -> Scan for lost partitions -> FAT, NTFS, but it's not working and I don't know why. WinHex says Used space is 3791507 TB, which it is not..

I also get the following message:

Warning Unsupported FILE record size! Drive O Cannot open "$MFT". Unexpected data at offset 45BE7A04153FC00 and offset 52B3AE542400, Res=1, Res2=1 Drive O Cannot open "$MFT". Unexpected data at offset 45BE7A04153FC00 and offset 52B3AE542400, Res=1, Res2=1

How do I fix this in order to Scan for lost partitions -> FAT, NTFS?
I'm trying to find the first MFT sector number in the VBR, in order to copy it to the first sector and re-mount the partition..

 
Posted : 21/06/2016 5:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Were the volume/partition VBR ($boot) and $MFT (and $MFT mirr and $Bootmirr) encrypted or "plain"?

Wouldn't it be queer if Truecrypt did not encrypt them?

jaclaz

 
Posted : 21/06/2016 7:26 pm
 ipwn
(@ipwn)
Posts: 11
Active Member
Topic starter
 

Were the volume/partition VBR ($boot) and $MFT (and $MFT mirr and $Bootmirr) encrypted or "plain"?

Wouldn't it be queer if Truecrypt did not encrypt them?

jaclaz

I'm not sure if TC is decrypting properly, but if I do a search on the mounted partition/volume for 55AAh and NTFS I do find results. Is this a good sign? How do I check if it contains files inside it? The problem appeared after I performed an update from TC 7.1a to 7.2. Now I tried to downgrade and use 7.1a and VeraCrypt; they seem to work mounting the volume/partition, but I'm still unable to browse files in Explorer because, by what it seems, the volume/partition became RAW..
Why am I not able to use Tools -> Disk tools -> Scan for lost partitions -> FAT, NTFS on the mounted volume/partition?

 
Posted : 21/06/2016 8:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Data would need to be examined to understand what happened.

Some of what you found with 0x55AA could be first sector of the original $Boot (or VBR, possibly corrupted) or the $BootMirr (possibly non corrupted) but the creation of the $Bootmirr might (or might not) have happened.

Is it a "container" or a truecrypt "partition"?
Do you have the EXACT size of it?
Do you know how EXACTLY was the filesystem applied to it (formatted) i.e. which tool, under which OS?
Do you know which EXACT version of Truecrypt was used to create the "target"?

Explanation
Formatting utilities behave the same on a same OS on a same size "target".
I.e. the $MFT and other "variable location" filesystem objects are placed at the same offset on a same size "target", hence to find their location you can create a new container (or partition) the same size using exactly the same tools and get the locations from this newly created object.

Have you tried recovering it with testdisk?
http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume

Or manually checked the Standard Volume Header against the "hidden" one?

Independently from the $boot, the $MFT (if the data is unencrypted) and the $MFTMirr can be found by carving for "FILE0" (or "FILE*", it depends on the NTFS version) at the beginning of sectors, and then looking for "$MFT" (Unicode, i.e. "24 00 4D 00 46 00 54 00").

jaclaz

 
Posted : 22/06/2016 3:39 pm
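
The carving approach described in the post above, as an added example that is not part of the original thread: it scans a raw image of the decrypted volume for sector-aligned "FILE0"/"FILE*" records and reads the name from the $FILE_NAME attribute. The 512-byte sector size, the 1024-byte record size, the function names and the sample image are assumptions made for this sketch.

```python
import struct

SECTOR, RECORD = 512, 1024   # assumed sector size and FILE record size

def file_name(rec):
    """Name held in the first resident $FILE_NAME (type 0x30) attribute, or None."""
    pos = struct.unpack_from("<H", rec, 0x14)[0]         # offset of first attribute
    while pos + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0 or pos + alen > len(rec):
            return None                                  # end marker or corrupt length
        if atype == 0x30 and rec[pos + 8] == 0:          # byte 8: 0 = resident
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            if body + 0x42 > len(rec):
                return None
            nchars = rec[body + 0x40]                    # name length in UTF-16 units
            raw = rec[body + 0x42: body + 0x42 + 2 * nchars]
            return raw.decode("utf-16-le", "replace")
        pos += alen
    return None

def carve_mft(image, names=("$MFT", "$MFTMirr")):
    """Return (byte_offset, sector, name) for sector-aligned FILE0/FILE* records."""
    hits = []
    for off in range(0, len(image) - RECORD + 1, SECTOR):
        if image[off:off + 5] in (b"FILE0", b"FILE*"):
            name = file_name(image[off:off + RECORD])
            if name in names:
                hits.append((off, off // SECTOR, name))
    return hits

def make_record(name):
    """Constructed sample: FILE header plus one resident $FILE_NAME attribute."""
    rec, a = bytearray(RECORD), 0x38
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x04, 0x30)              # update-sequence offset -> "FILE0"
    struct.pack_into("<H", rec, 0x14, a)
    content = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    alen = (0x18 + len(content) + 7) & ~7
    struct.pack_into("<IIBBHHHIH", rec, a, 0x30, alen, 0, 0, 0, 0, 0, len(content), 0x18)
    rec[a + 0x18: a + 0x18 + len(content)] = content
    struct.pack_into("<I", rec, a + alen, 0xFFFFFFFF)    # attribute list end marker
    return bytes(rec)

# Constructed image: $MFT start at sector 4, then a mirror copy of record 0 at sector 10.
SAMPLE = (bytes(4 * SECTOR) + make_record("$MFT") + make_record("$MFTMirr")
          + bytes(2 * SECTOR) + make_record("$MFT"))

if __name__ == "__main__":
    for off, sector, name in carve_mft(SAMPLE):
        print(f"{name:9} at byte 0x{off:X} (sector {sector})")
```

On a real NTFS volume the "$MFT" record normally turns up twice, because $MFTMirr begins with a copy of $MFT record 0; the hit that is immediately followed by a "$MFTMirr" record is a candidate for the start of either structure, so compare both locations before trusting one.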
 ipwn
(@ipwn)
Posts: 11
Active Member
Topic starter
 

Is it a "container" or a truecrypt "partition"?

It's a TrueCrypt volume/partition created in a hard disk with 160GB.

Do you have the EXACT size of it?

Yes, I do believe the TrueCrypt volume/partition had 87.9GB before it stopped working; maybe this value changed before it stopped working..

Do you know how EXACTLY was the filesystem applied to it (formatted) i.e. which tool, under which OS?

I'm not 100% sure, but I do believe it was the NTFS filesystem. About the OS, it's Win7..

Do you know which EXACT version of Truecrypt was used to create the "target"?

I do believe it was 7.1a but I'm not 100% sure..

Have you tried recovering it with testdisk?

Yes, I have tried testdisk, it failed.. (along with many data recovery programs to recover the data..)

Or manually checked the Standard Volume Header against the "hidden" one?

I'm not sure what you mean, but I used the embedded backup header in TrueCrypt and it seems to work. The volume/partition was not hidden, nor was it on boot or OS-system encryption..

Do you know why the Tools -> Disk tools -> Scan for lost partitions -> FAT, NTFS option in WinHex doesn't work? Why does WinHex display Used space as 3791507 TB? Is it possible to repair?
I got some initial help here, maybe you want to read it..

 
Posted : 22/06/2016 6:43 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Do you know why the Tools -> Disk tools -> Scan for lost partitions -> FAT, NTFS option in WinHex doesn't work? Why does WinHex display Used space as 3791507 TB? Is it possible to repair?
I got some initial help here, maybe you want to read it..

Well, Winhex reads some data, that data is not accurate and then it "bombs out"; it is not like it is not working, it is working but assumes that some data is accurate, while it isn't.
It is not possible to use "automated tools" to recover something "unusual".

Again was it a partition (did it have an entry in the MBR or not)?

The DMDE screenshot on the thread you gave a link to shows NO trace of such a partition, it shows a 160 Gb hard disk with a CORRUPTED NTFS volume (a Primary partition) also roughly 160 Gb in size, i.e. spanning the whole available space, in it.

Since the NTFS volume (according to that screenshot) is corrupted whatever Winhex finds will be incorrect.

Please try again, describing in your words and with the MOST details possible how that thing was set up originally; right now you have posted conflicting info and seemingly you are in a xyz problem.

Forget (temporarily) about Winhex and what it does.

Try describing HOW you created the Truecrypt *whatever*, how you accessed it, how it showed in (say) Disk Manager and in Explorer.

jaclaz

 
Posted : 22/06/2016 8:27 pm
 ipwn
(@ipwn)
Posts: 11
Active Member
Topic starter
 

Again was it a partition (did it have an entry in the MBR or not)?

it was a volume/partition – no MBR

I don't remember well how I created it and I forget the logical drive name. I think I started to use TC while I was working on Win7, and I remember I was mounting the drive O:\ in TC with the option 'Mount all devices-hosted TrueCrypt volumes'..
Do you know if TrueCrypt does decryption "on-the-fly"?

 
Posted : 23/06/2016 1:47 am
citizen
(@citizen)
Posts: 38
Eminent Member
 

Again was it a partition (did it have an entry in the MBR or not)?

it was a volume/partition – no MBR

I don't remember well how I created it and I forget the logical drive name. I think I started to use TC while I was working on Win7, and I remember I was mounting the drive O:\ in TC with the option 'Mount all devices-hosted TrueCrypt volumes'..
Do you know if TrueCrypt does decryption "on-the-fly"?

What file system is the hosting file that is your crypto container?

How long has it been since you created the crypto container? Is this on a windows based OS or Linux based OS?

 
Posted : 23/06/2016 2:13 am
 ipwn
(@ipwn)
Posts: 11
Active Member
Topic starter
 

What file system is the hosting file that is your crypto container?

I believe it was NTFS

How long has it been since you created the crypto container? Is this on a windows based OS or Linux based OS?

I created it maybe 4 years ago, it's a Windows based OS..

 
Posted : 23/06/2016 4:20 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

OK.
To clear terminology, it was a Truecrypt "container" and inside it there was a volume AND NOT a partition.

Back to here

The DMDE screenshot on the thread you gave a link to shows NO trace of such a partition, it shows a 160 Gb hard disk with a CORRUPTED NTFS volume (a Primary partition) also roughly 160 Gb in size, i.e. spanning the whole available space, in it.

Since the drive letter assigned by the OS to it is D, it should be a second hard disk.

The DMDE screenshot shows the partition in it as corrupted, so right now you should be in the situation (before and outside Truecrypt) in which if you open Disk Management the D:\ drive is NOT seen as "NTFS, healthy" (but as RAW) and if you double click on the D:\ in Explorer you are prompted to format the volume (DO NOT do it).
When the disk was working properly, it contained *some other files* and the TrueCrypt container sized about half the size of the whole partition.

Is this the case?
Can you confirm it (or describe what happens)?

Right now it seems like what is RAW is the partition/volume on the hard disk i.e. the filesystem that hosts the Truecrypt container.

jaclaz

 
Posted : 23/06/2016 12:16 pm