Encryption - Confirming Truecrypt

(@glennyboy)
Active Member
Joined: 10 years ago
Posts: 6
Topic starter  

Hi All,

I have a loose 3.5" hard drive.

I have loaded it into Encase and it shows the following header

ê·|·· TrueCrypt Boot Loader ·ú3ÀŽØŽÐ¼·|ûö

and ends with

Loader damaged! Use Rescue Disk Repair Options > Restore·································r.ƒ.·µ··‚†<·º €····cÿÿ?···95¨·················································Uª

Does this mean TrueCrypt failed to encrypt the volume?

It appears to be full disk encryption as there is no plain text anywhere on the volume apart from the above header.
There is no structure on the HDD, just unallocated clusters.

Any advice on what I can do to view the contents (i.e. decrypt the volume)?

Thanks in advance


AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
 

Those are the plain-text strings from within the Truecrypt bootloader.

If there are certain errors when loading the bootloader then the string
"Loader damaged! Use Rescue Disk Repair Options > Restore" may be displayed on screen.

It's quite normal to find such strings within an executable like that.

If you know the password, just boot the image in a Virtual Machine (VM), enter the password and the disk should be decrypted within the VM.

If you don't know the password then you'll need to find that first.

Free option: John the Ripper ( http://www.openwall.com/john/j/john180j1w.zip )
First use truecrypt2john.exe on a dd file of only the 62nd sector. This generates a hash output for use in john.exe.
Then use john.exe on the hash to try and brute force the password.

I believe a full disk encrypted Truecrypt disk has the following structure

Sectors 0-61 Unencrypted data (contains bootloader and potentially a backup copy of the bootloader too). This means that the partition table should be readable and correct.
Sector 62 contains the header which contains an encrypted copy of the masterkey and other information (the encryption key to decrypt the header is basically a hash of the password)
Sector 63 to end of the disk is all the encrypted data encrypted with the masterkey stored in the header.

Also, bear in mind that it is possible to have just the first (system/OS) partition decrypted by the bootloader. Later partitions can be encrypted separately. If this is the case then also bear in mind that the 2nd partition may have another hidden (system/OS) volume contained within it. You will need to dd out the first 256 sectors of the later partition to get the header info for use with john the ripper.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Naah, the "Loader damaged! Use Rescue Disk Repair Options " is just a message that is written to the sector, intended to be displayed ONLY if the booting fails.
That should be on the DISK first sector (the volume is another thing, there is a lot of confusion between disk, drive, partition and volume), i.e. the whole PhysicalDrive is encrypted.

Anyway, your problem is that you have a full disk encryption and you want to decrypt it without having the password, right?

It will take *forever*, you have to decide whether the data on it is actually worth the time and money.

Some related info
https://passcovery.com/helpdesk/knowledgebase.php?article=48

If you know parts of the password and you can use a "dictionary" attack of some kind, then it may be feasible, but brute-forcing, even with some dedicated machines, is out of practical possibilities.

See here
https://cryptoservices.github.io/truecrypt/2015/04/21/truecrypt-back-to-front.html
https://github.com/nccgroup/Untrue
for a nice tool capable of checking (known or presumed) passwords, if needed, but it may only work for a subset of versions/encryption methods.

jaclaz

@AmNe5iA
Sorry, we were cross-posting.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Does this mean TrueCrypt failed to encrypt the volume?

I have nothing to add to earlier comments – boot sectors typically do contain some form of error message if the boot process fails for any reason. It does not seem unlikely that what you see is such an error message.

However … without comparing your boot sector to a known Truesec boot sector, it's impossible to say for certain. Do you want to be certain?

This is a pretty good showcase of why collecting boot sectors from encryption programs, boot managers, and what have you, into a database for reference would be a useful research project. Something on the lines of what Starman did for PC BIOS boot sectors.

And I think it would be useful for just about any forensic disk analysis software to check boot sectors just to make sure they're the standard run-of-the-mill sectors, and to raise the one-in-a-thousand flag when for some reason it isn't.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I have nothing to add to earlier comments – boot sectors typically do contain some form of error message if the boot process fails for any reason. It does not seem unlikely that what you see is such an error message.

To be picky (as I am wink ) that is NOT - strictly speaking - a bootsector, it is the Truecrypt MBR.
Even if the OP posted a text copy (as opposed to a hex view or dump) it is clear enough that it is an MBR, as the "€····cÿÿ?···95¨·················································Uª" is very likely the partition table (with one active partition, the € symbol is 0x80) followed by the "magic bytes" 55AA.

A few MBRs and VBRs (bootsectors) for encryption programs are here (though not the Truecrypt ones):
http://encase-forensic-blog.guidancesoftware.com/2014/04/version-7-tech-tip-spotting-full-disk.html

However, seemingly the good Truecrypt guys do call it (besides bootloader, which is appropriate) bootsector; it seemingly comes from bootsector.asm
https://www.truecrypt71a.com/downloads/

disk_error_msg db 'Disk error', 13, 10, 7, 0
loader_damaged_msg db 7, 'Loader damaged! Use Rescue Disk Repair Options > Restore', 0

jaclaz
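A triage check that ties together AmNe5iA's sector layout (header in sector 62, encrypted data from sector 63) and jaclaz's reading of the MBR (loader string, partition table with the 0x80 active flag, 55AA magic). This is an added example, not code from anyone in the thread or from the TrueCrypt project; it assumes 512-byte sectors and a raw dd image, and it builds its own constructed sample image instead of reading real evidence. The entropy check on sector 62 is what tells a plaintext or zero-filled header apart from one that was actually written by TrueCrypt, which is the OP's original question.

```python
import hashlib
import math
import struct

SECTOR = 512                       # assumption: 512-byte sectors
TC_HEADER_SECTOR = 62              # per the thread: volume header sits in sector 62 on an FDE disk
TC_LOADER_TAG = b"TrueCrypt Boot Loader"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 7.6 to 8.0 for ciphertext, far lower for code, text or zeros."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_mbr(sector0: bytes) -> dict:
    """Extract the loader tag, the 0x55AA magic and the four partition entries at offset 446."""
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                                  # partition type 0 = empty slot
            partitions.append({"active": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": num_sectors})
    return {"truecrypt_loader": TC_LOADER_TAG in sector0,
            "valid_signature": sector0[510:512] == b"\x55\xaa",
            "partitions": partitions}


def triage_image(image: bytes) -> dict:
    result = parse_mbr(image[:SECTOR])
    header = image[TC_HEADER_SECTOR * SECTOR:(TC_HEADER_SECTOR + 1) * SECTOR]
    ent = shannon_entropy(header)
    result["header_entropy"] = round(ent, 2)
    result["header_looks_encrypted"] = ent > 7.0        # code, text and zero-filled sectors sit well below this
    return result


def build_sample_image() -> bytes:
    """Constructed 64-sector image, not real evidence: TrueCrypt-style MBR, random-looking sector 62."""
    mbr = bytearray(SECTOR)
    mbr[3:3 + len(TC_LOADER_TAG)] = TC_LOADER_TAG
    # one active (0x80) type-0x07 entry starting at LBA 63, 1000 sectors long (made-up values)
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 1000)
    mbr[510:512] = b"\x55\xaa"
    header = b"".join(hashlib.sha256(b"constructed" + bytes([i])).digest() for i in range(16))
    return bytes(mbr) + bytes(SECTOR) * 61 + header + bytes(SECTOR)
```

Run `triage_image(open("disk.dd", "rb").read())` on a real image; a TrueCrypt MBR with a low-entropy sector 62 would mean the loader was written but the volume header was not, which is the failed-encryption case the OP was worried about.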

