Notifications
Clear all

USB drive shows RAW

thidisbogus
(@thidisbogus)
New Member

I can mount my encrypted USB, but the logical drive when clicked when unencrypted shows RAW. Any suggestions to get this fixed? Is there a way to copy the RAW logical decrypted logical drive data to a physical USB drive so I can run data recovery software on that physical drive because it will be unencrypted? I am using Veracrypt.

The headers are ok.  The data shows RAW.  I am thinking if I can find a software that will recognize the logical drive and I can copy the data from the logical drive that is unencrypted, to a physical drive then I can run a variety of recovery software on it.  The problem I am running into is that recovery software does not recognize logical drives, only physical.

What partition recovery software will see the unencrypted logical drive?  My experience thus far is that they only see physical drives.

Anyone else have an issue with Partition software not seeing the unencrypted logical drive like I am saying?  If not please let me know which software you use

Quote
Topic starter Posted : 01/07/2021 10:16 pm
cpt.hookdangles
(@cpt-hookdangles)
New Member

i have had similar issues with veracrypt myself apologies for all the follow up questions.

Is it raw when you look at it in disk management?

did you veracrypt the drive yourself? if so, did you try and veracrypt it while there was any sort of hardware/software write blocking tools on? I have had issues where a write blocker was on in the background while using veracrypt creator and it will mess up the drive cause it will only partially complete and leaves part of the drive in RAW

have you tried accessing this drive on a different computer?

ReplyQuote
Posted : 08/07/2021 3:20 pm
thidisbogus
(@thidisbogus)
New Member

@cpt-hookdangles 

Is it raw when you look at it in disk management?  -----Yes

did you veracrypt the drive yourself?----Yes if so, did you try and veracrypt it while there was any sort of hardware/software write blocking tools on?-----No

I have had issues where a write blocker was on in the background while using veracrypt creator and it will mess up the drive cause it will only partially complete and leaves part of the drive in RAW

have you tried accessing this drive on a different computer-----Yes

 

The drive acted normal in every way for months.

ReplyQuote
Topic starter Posted : 16/08/2021 4:24 pm
thidisbogus
(@thidisbogus)
New Member

I utilized DMDE.  Here is the log I got back:

This is from the DMDE log file:
[devscan]
scan_dev=1\\?\Volume{fb1072c4-ee21-11e9-9b34-94de80c37fa4}
scan_range="0x0-0xf3d39c000"
scan_ltrack=1.11.10x4be2b572d1000
scan_ltrackorg=1.10x400000
scan_lbps=512
scan_state_sec="block0x0"
scan_modules=0x3
module_flags="9;0x7,0x7,0x7,0x7,0x7,0x7,0x7,0x7,0x7,"
module_states="9;0x10,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,"
expgrp="9;0x2,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,"
modselected=0
volselected=-2
volsortcol=3
extarr="144;xml,html,htm,reg,png,pdf,exe,exe,msi,chm,jpeg,jpg,jpe,jfif,jif,jfi,wav,\
gif,rtf,doc,html,htm,7z,vdi,vmdk,mp3,avi,cr2,nef,nrw,dng,tiff,tif,dng,ps,eps,doc,\
xls,ppt,msi,msp,wmv,wma,asf,psd,aiff,aifc,aif,iff,snd,flac,midi,mid,arc,bz2,tbz2,\
tar,ogg,oga,ogv,cab,rar,iso,doc,docx,xlsx,pptx,xls,ppt,ott,odt,otg,odg,otp,odp,ots,\
ods,otc,odc,oti,odi,otf,odf,oth,odm,apk,jar,apk,zip,zipx,jar,mkv,flv,mov,mov,mp4,\
mp4,dll,mui,vhd,vhd,vhdx,vmdk,pst,ost,pab,bmp,m2ts,mts,djvu,djv,doc,docx,pptx,ppt,\
xlsx,xls,doc,xls,ppt,msi,msp,mpeg,mpg,mpe,mpeg,mpg,mpe,mpeg,mpg,mpe,mov,crw,srw,\
raf,orf,jpeg,jpg,jpe,jfif,jif,jfi,mp3,cr3"

[rawscan]
scan_vorg=1.3
scan_modltrack=1.01.30x80b1e214fb000
scan_modltrackorg=1.30x0
ft_opmask=0x3ff
ft_op[gif.]=0x8
ft_op[jpg.]=0x88
ft_op[png.]=0x8
ft_op[pdf.]=0x8
ft_op[zip.]=0x8
ft_op[mpeg.]=0x8
ft_op[.]=0x0
ft_op[xml]=0x0
ft_op[reg]=0x0
ft_op[png]=0x2
ft_op[pdf]=0x0
ft_op[exe-DOS]=0x1
ft_op[exe-Win]=0x0
ft_op[chm]=0x0
ft_op[jpeg]=0x0
ft_op[wav]=0x0
ft_op[gif]=0x2
ft_op[rtf]=0x0
ft_op

HTML:
=0x0
ft_op[7z]=0x2
ft_op[vdi]=0x4
ft_op[vmdk]=0x4
ft_op[mp3]=0x1
ft_op[avi]=0x0
ft_op[cr2]=0x0
ft_op[nef]=0x0
ft_op[tiff]=0x0
ft_op[ps]=0x0
ft_op[doc-]=0x200
ft_op[wmv]=0x0
ft_op[psd]=0x0
ft_op[aiff]=0x0
ft_op[flac]=0x0
ft_op[midi]=0x0
ft_op[arc]=0x0
ft_op[bz2]=0x0
ft_op[tar]=0x224
ft_op[ogg]=0x0
ft_op[cab]=0x3
ft_op[gz]=0x13
ft_op[rar]=0x102
ft_op[iso]=0x204
ft_op_scmxofs[iso]=10240
ft_op[docx-]=0x2
ft_op[ott]=0x2
ft_op[odt]=0x2
ft_op[otg]=0x2
ft_op[odg]=0x2
ft_op[otp]=0x2
ft_op[odp]=0x2
ft_op[ots]=0x2
ft_op[ods]=0x2
ft_op[otc]=0x2
ft_op[odc]=0x2
ft_op[oti]=0x2
ft_op[odi]=0x2
ft_op[otf]=0x2
ft_op[odf]=0x2
ft_op[oth]=0x2
ft_op[odm]=0x2
ft_op[apk]=0x2
ft_op[jar]=0x2
ft_op[zip]=0x2
ft_op[zip-null]=0x11
ft_op[mkv]=0x0
ft_op[flv]=0x0
ft_op[mov]=0x0
ft_op[mp4-mov]=0x0
ft_op[mp4]=0x0
ft_op[elf]=0x8
ft_op[dll]=0x0
ft_op[WinPE]=0x10
ft_op[vhd.]=0x8
ft_op[vhd]=0x4
ft_op[vhdx]=0x4
ft_op[vmdk-desc]=0x0
ft_op[pst]=0x0
ft_op[bmp]=0x0
ft_op[mts]=0x200
ft_op[mts-B]=0x210
ft_op[djvu]=0x0
ft_op[docx]=0x2
ft_op[pptx]=0x2
ft_op[xlsx]=0x2
ft_op[doc]=0x200
ft_op[xls]=0x200
ft_op[ppt]=0x200
ft_op[msi]=0x204
ft_op[opt]=0x208
ft_op[thumbs.db]=0x208
ft_op[cdoc-r]=0x9
ft_op[mpeg-A]=0x300
ft_op[mpeg-B]=0x300
ft_op[mpeg-C]=0x300
ft_op[mov-B]=0x0
ft_op[crw]=0x0
ft_op[srw]=0x0
ft_op[raf]=0x0
ft_op[orf]=0x0
ft_op[jpeg-B]=0x0
ft_op[mp3-B]=0x261
ft_op[cr3]=0x0
ft_op[Archives]=0x10
ft_op[Documents]=0x10
ft_op[Graphics]=0x10
ft_op[Media]=0x10
ft_op[Text]=0x10
ft_op[DiskImages]=0x10
ft_op[Executable]=0x10
ft_op[Other]=0x10
ft_op[Removed]=0x10
ft_op[Spec.]=0x10
ft_sort="101;Archives,7z,arc,bz2,cab,gz,rar,tar,zip,zip-null,Documents,chm,djvu,\
doc,doc-,docx,docx-,odc,odf,odg,odi,odm,odp,ods,odt,opt,otc,otf,otg,oth,oti,otp,\
ots,ott,pdf,ppt,pptx,ps,pst,rtf,xls,xlsx,Graphics,bmp,cr2,cr3,crw,gif,jpeg,jpeg-B,\
nef,orf,png,psd,raf,srw,tiff,Media,aiff,avi,flac,flv,midi,mkv,mov,mov-B,mp3,mp3-B,\
mp4,mp4-mov,mpeg-A,mpeg-B,mpeg-C,mts,mts-B,ogg,wav,wmv,Text,html,reg,xml,DiskImages,\
iso,vdi,vhd,vhd.,vhdx,vmdk,vmdk-desc,Executable,apk,dll,elf,exe-DOS,exe-Win,jar,\
msi,WinPE,Other,thumbs.db,"
ft[gif.]=!"2;419ab800:0Q9ca4f}."
ft[jpg.]=!"24;4033d600:0K1686f}.Lc51f6Nb1e56Oc188bH8c7473Hac5294He1db7aI034e1cKcfdc4{\
I883a25}Ibd25b6Idc49f2J709784J906b01Jd6f50eJf61c06Lc14292Ldd1794Lf57d6dM16079fU6a30d5ff|\
N562717}N9e2a94"
ft[.]=!"856;2ab99fe:2R64dffe.H6539bfeh5306}I5c2cffeh063bh9703h6fd5J3a05dfeJd8f77fe\
haa65h41e4K78c1bfeKbc869feh794bLe2a0bfel5f6M5a297feM9ffb5feh9e72q6cbsfcch8f25N7fc0ffe\
ic49{O02bd9feO82fcbfeOd1c15fehe403}Pb85d3ferb78h20b3Q5a957feQa52c5feR2867dfehdd30\
hdd4dhe57ata9fSf1675fev316h0bfbTcc565feve10h333ckddcU7a7e1fet0bdUd601bfele1eh6428\
h2d39h6a31sa44s535Ve2427feh474dhef04H0c7145feH14e5cbfeH1b3c11fehfcc5h7121ff|~hj06f801-\
H28c4bffe=ha499}.H3607a3feH3aab01feH410391fesd6fn8faH4cb4dffehb292h5692h9855q9a3\
h2c32H60c2f3fev4fdH66d603fehdd1dH6f57bffeH73b983feH780b25feq685h8e03H80a0dbfeh1ab5\
r255H88fa87feH93637ffeH99f385feH9e3c5bfev872Ha52781fer685jc60{Hb0b8c5fehcd5c}Hbb974dfe\
s7f0hfb07Hc9a159feh32c5Hd48817fd~hi074201|-he71b}=hb052.He5cbf1feq63fh5c4cHf0cd8ffe\
Hf5b159feHfabbd3fehbe99I06534dfeI0c3d4bfeI15ceb3feu94dI1c2429feh4bc7I22e6d7fehe990\
haf03I2ee21bfeI34f4d5feif98{I4396fdfeh3ebf}hca35I51595dfetbe7hd567I5b92b5feI607bfffe\
hd3c4I6ef51bfep88bh2e53h795ah4e6dI8096cbfeI88ddabfem444u609hdaf9h68deI9cb831feh8291\
Ia6a32bfeIad5521feh380aIb8cf1dfehdae3Ic7cb41feIcd0f03feId421a5feIe09ad5feh301bIe994c1fe\
Iefe2abfeh493ah9eafIf9db1dfeIff0ab3feh137aJ0ed6e5feo6b6i506{J17c977feufb7}J1e0cb7fe\
hc028r511J279725feq4dbJ2ddfd9feJ34905bfeJ3a7d69fehc5d4J4230c7feh3f1{J47af7bfeJ5424c1fe\
h59ee}J5b40f7feqe57J60f60ffej698{J6bbd13feh8cfJ7388fffeJ7a9907fep281}ra1bh5f93hf519\
h2369J8c407ffeJ95cafffeha22aJa196e9feJaa82c9feJb15e69feJbc8413feh6446Jc7b3e5feh3957\
Jcfce1dfeo370h8619h794eJdd878ffehd474h0324Je82fa1feh3125v75bh9cffJf3d771fd~hJf91ba9fe-\
Jfd32c5fe=K05d721fe.K0a58f3feha727hff56K15f175feK1dcbc7feqc1cK266d13fehf6eaK3079fdfe\
t2b7K37bca9feu488uad9rf29h5f55h48d2hb36aK4a56c1fehb686h2882h9952tfd2h48a0hdf0fhf8f1\
K666ebbfeK6c787bfeh277eK74672dfeh5bf2m74ehb568h77f6K877277feK8d725bfeK9225c7feK99049ffe\
s36bj9a0{Ka2d929feKac2ae5feKb15d69fehcc0d}v0ffKc0beeffeKc6defbfej8e7{Kd2250ffeKd7b6bffe\
h9c1a}Kdf8f6ffeKe3d459feh26abh6bf9h599aub4eKf34381feKf885bbfehb08fL002161feub7chbec9\
h28b{L10800bfeL1e1761feL2bdf9ffeie49qcbf}L35fb03feL3e2ba3feL44ad59fep9e3nb67L4c9eaffe\
L51cedbfeh632cL5ab143feL5f6363feh0b99q744te09h4464L6bbda1feL725c07fehd84dL7a241dfe\
ub23L84d391felf02od6dL8cb541feh2370h964dL9918effeL9f5b97feLa553adfd~hhb52801|-q49d}=\
Lae6c27fe.Lb7d0e5feh097fLc07cc5feLc58a49feie61{Lce78bbfej75fLd81b01fehb12c}Le3b3bffe\
Le8c4cffeqbb6q1c1Lf2e809feLfcae85feh10fdM07ef01feh9976M17c7c9feq09dh4669M21cf93fe\
M25df69feM2a7df5feM2fbcd7feM36167bfej2ec{M4239effehf04e}hba06M542627fehe735i472{\
M63402dfes1e5}M68d6e7feM6ea195feM7b69fffehf39ah1863M86de6ffeM905929feh106dM978e97fe\
M9ef835feqf30hc9cfj817{Mb059f1fehd3ed}s14cMba5767feMc16f1ffer950vd93h7692Mcc95b7fe\
hd70fu9aeMd96f41feMdd7511fehc583Mec9319feMf45a5dfeMf89e0dfeMfdbe11feN02acd1feN08b467fe\
h39c6pe40hc024h41bdh1209N18efc7feh7e62hd735ff|~hN228245fe-jd77{=N2cc6e3fe.N35dc79fe\
N41e9bbfejd07N4ba38ffeh7444}r766h2068h59bbN59d5d7feN654f85feh858dh87b5N78aaebfeu43e\
h4508h3a04h2df3N872c3bfen543N90807ffeh1a8fr9a4N9d3c13feNa14c51feh25b6p0edNa91f4bfe\
Nad95cffer18ahba47Nb7775bfeNbc827dfeh237chc335oa6fNca5b11feNcf1c81feNd3e995feh1a7c\
Ndb2b2bfeNe632affeia11{i4ceNef4695feNf43403feNf87609feh3149}O02d29bfeh5548t5fdvcfa\
O0e713dfeh2573O1903ebfeO1d6205feO226581feha865O2b8915feO2ffe01feO3772b3feO3dfc63fe\
O44dfa7feh9a45O5031f5feO5604f5feh6295O5e8547feO6ac8a7feO6f14affeO768bc1feh05b6O7dfcabfe\
haa55O8b3483feO9316affeh9e33h55bdh2544h29f1q557hd1c{Oa601e7feOaa60fbfet81f}Ob1466bfe\
h5db4h9648u28aOc266d9feOc90935feOcef285feOda1bd9fd~hjd03601|-Oe2a83ffe=Oec8d89fe.\
u9a4}Of51055fet3b4t291Ofc709ffeP0173bbferafeh28f6P0d5dabfem3b8hed87h1c7{P1efc95fe\
h112d}P2ca659fehc1bfP428301feub24P4c9409fehf371h90feP58c8e9feq15bP639b2ffeP705421fe\
P779cddfeP85d26bfeh4a3aP8e7503feP92d807feP9747d9feh5f89P9ed8f7fePa587fbfePadd63dfe\
he59fhfbf{redPb9505ffehaa75}h7ad7Pce324bfeh33a1he396Pda16d7feh8aeePe21a45fePe958c9fe\
h8d4{Pf1f6b1feo747}hc473Pfcc83bfeh7535p4b2h0139s26fle9bt30ah2c3dQ0e3aa5fevf28u5ce\
s341Q19683ffeQ1d6d5bfehda1bQ263955fehacc6o640nf04hdfdch2ea3h2644Q3895b5feQ3d07c1fe\
rfe5Q443f71feh87e1hc23eQ4f9313feh171dub79hcb86v299h2922hdaf5o357h0844Q68cce7feQ702d6ffe\
Q7a325bfev7c2i869{Q851d97feh6072}h90b3n6e2Q9172a7feh6e03Q987f83feQ9d11d7feQa3dd91fe\
h7d53Qac7d93feQb4b13dfemdd7h1da3h5a54Qc26449feQcbea1dfeQd2d179feh1f3dh9e2bQddff41fe\
Qe573f9fehd137hbad9Qf157e9ferad7Qf6f863feQfe14bffeh6eb1hb5d2R09469dfeh4629R12c0a5fe\
R189447feR1e3bf3feR22d1bffeR2780dffeh78fchbb0eR32be09feh7c35h6f74h47bbR42cc61feR4a4af1fe\
h59c9q040h8e5av7d4h70b5o69fhd897R640569feh627ahb3ceh2017hfcaet52bR79cb8ffembd3R83fdbdfe\
hc454R8f08b7feqff3R989f41feq8f1h520dv29ch406at6aaRa711f9fes6f9Rae944dfehd958qc52\
h7962r52eRbda9c9fet3b6haa0fRccdaf1fehf70cud0fhc366Rdf5817fehd7e4Re8b449feRef5631fe\
jd3f{Rf756c1feRfc53e5feoe71}hfb4{S09bb73feh0adS12b331feS1a7d3bfeS229b83feS3182d3fe\
ia38S382845feS3ea487feS499c61feS4e31a5feS57d837feS60274bfeh6527}hd2dfS78311dfehb355\
h5603m8eas07fS87a4a3fehabdcS8f3393feS95086dfeS9b5587feSa2a82dfeSa7ebc7fete7bv5f6\
Sb052edfeSb72203feh384eSbebae3feh8a4aSc62117fenda4Scb8693feSd38c67fehedc4h1ecbSed25f9fe\
Sf2c35ffeh946etd32Sfc1f95feT03f319feq29fq12ehf7e{T0fc6abfeh7093}h4dafT1b75a1feT2040b7fe\
h5e52saceh84bbT2ba7b1feh429bh2f70h8cfbvf1aT3ceeaffehe5beT4884e1feT50171bfeT542ec5fe\
T590f51fehdbbeT6975fdfeh2ecfT71ee39feh8bd2h44adT7c90e1feha085h6713q6feT890aa3fehd9ba\
hb828h2004T976c11feT9c01c3feTa05025feha097o42fTacb007fehf197o425Tb6f885feTc51ddbfe\
h95f6Tce44abfeTd678e1feud18h742fh798cTe2ff83feu8b3t97dTf2ee1bfeTfba367feU0085d1fe\
U071d29feh6dbbh2f16u345u5e9U1569f3feU1e8dd5feU244739feh3698h61e7U35f9b9feh11a1U426d4ffe\
U47adfffeU4f16affeqc7fh5a63he663h64c4h9b7ehfe5eU6508f5fev551U6b73a1feU7296f9feU770961fe\
U7c2ec3feU841463fevb8ehd5f9U95e3a3fep4a5h3611ib52{Ua2aaf9feUaa33a7feUae3ebdfeUb3fbddfe\
t974}h5144v374Uc123e5feUc57407fehe436rb12Ucf3b97feUd94ecdfeUe88e6ffet12chce13Uf29da1fe\
Uf82fa9fehda58o582h4931o3adV06440dfeV0a547dfeV0ea133feV175c9ffehf47bh64deh48d3V24cfc1fe\
sb65V30eeaffeV386c49feo76chdd55"
ft[exe-DOS]=!"14;a169a00:b96b3000Ibe70e}GT6ce8c+Ia221a2Lbcbda}J4b6e39GJb1daf4.K3f4d7c\
Kc46056~L3f48aPb0a9c{GL1031a9}+Le14e5fO0dba{tba{L48e9e}N01c044GN2c878cK9bfad"
ft[jpeg-B]=!"12;4381ca00:0Lc70d3}.H8cbba7Jc75b3{I68ea0e}Ibded7cJ71268cJd6f82cLc24f66~Hac82e}\
Ldd4673H836faLf64acdGN364739."

[ntfsscan3.1]
scan_dev=1"\\?\Volume{fb1072c4-ee21-11e9-9b34-94de80c37fa4}"
scan_vorg=3.4
scan_range="0x0-0xf3d39c000"
scan_state_sec="block0x0"
scan_flags=0x7
mftsortcol=0
mftsortrev=0
mftcheckmask=0x22c
mftfiltminlen=0
mftfiltmaxlen=0
mftfiltofs=0x0-0x0
mftfiltnum=0-0
MFTRuns="0;"
INDX_recs_times=0
INDX_ofs="0;"
volstartstotnum=0
volstarts="3;0x7e000x2,"
volstartsother=0
maxmftnumallow=2147483647
maxvolsize=0xf3d39c000
volumes="0;"
scan_vorg=3.4
scan_modltrack=0.03.40x3304fd2403000
scan_modltrackorg=3.40x0

 

ReplyQuote
Topic starter Posted : 16/08/2021 4:28 pm
AmNe5iA
(@amne5ia)
Active Member

You need a forensic tool that can see the logical volume.  I don't think there is a way around that.

If you have access to Linux you may have additional options.  On Linux, if you mount the partition using slot 1 as an example, then the decrypted volume can be found at /dev/mapper/veracrypt1.  It will mount that volume at /media/veracrypt1.

If you use slot 2 then it will decrypt and mount at the locations /dev/mapper/veracrypt2 and /media/veracrypt2 respectively.

 

ReplyQuote
Posted : 17/08/2021 11:31 am
thidisbogus
(@thidisbogus)
New Member

Do I source a laptop or other computing device and load a copy of Linux on it?  Are you saying the utilizing the OS of Linux will afford more flexibility in seeing files?  Or are you saying there are better forensic tools available that will run on the Linux OS?  I have used Unix and Wind River OS before so I believe I can navigate around Linux if I sourced it.

ReplyQuote
Topic starter Posted : 17/08/2021 8:27 pm
AmNe5iA
(@amne5ia)
Active Member

So I've never used DMDE before.  I just downloaded and tested 3.8.0 on a Veracrypt volume.  DMDE is totally able to open logical volumes (2nd down on the list on the left hand side).  I was able to open and scan the unlocked veracrypt logical volume using it.

ReplyQuote
Posted : 18/08/2021 3:15 pm
thidisbogus
(@thidisbogus)
New Member

@amne5ia really appreciate your contribution.  I did utilize DMDE and posted the scan results prior in the thread.  Do the scan results tell you anything that helps?

ReplyQuote
Topic starter Posted : 18/08/2021 8:19 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @thidisbogus

@amne5ia really appreciate your contribution.  I did utilize DMDE and posted the scan results prior in the thread.  Do the scan results tell you anything that helps?

With all due respect, NO.

You fired up DMDE, issued a number of commands/made a number of choices (that you did not report) and obtained a log (that is completely unuseful).

No offence intended, but I read your post very *like* "I utilized Excel and got 42 in cell B158".

DMDE is an interactive tool, you try *something* in it and - depending on the result of that choice - you do *something else*.

You need to select the logical drive, and see if a volume is found on it, which "main" parts of it (if any) are found/recognized (BCF), if they are not all green you need to fix them, then you check if the $MFT (if NTFS) is found, etc.

DMDE can also find the extents for the logical drive and copy them (dd-like) to a file or device, if that is what you want/need.

It seems like you ran a full scan then saved the log (which is intended as a way to resume an interrupted full scan and/or reload results to avoid to restart form scratch to access found results).

jaclaz

 

 

ReplyQuote
Posted : 19/08/2021 9:30 am
Share:
Share to...