
winhex problem

 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

> Is this the case?
> Can you confirm it (or describe what happens)?

Yes, it's a second hard disk with 160GB. When TrueCrypt was working the mounted volume had near 87.9GB, but I'm not sure if I had a clear partition using the rest of the space.
The D:\ drive seems to be all RAW encrypted and decrypted (after mount on TrueCrypt too).


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> > Is this the case?
> > Can you confirm it (or describe what happens)?
>
> Yes, it's a second hard disk with 160GB. When TrueCrypt was working the mounted volume had near 87.9GB, but I'm not sure if I had a clear partition using the rest of the space.
> The D:\ drive seems to be all RAW encrypted and decrypted (after mount on TrueCrypt too).

Well, you are still failing to describe the setup properly. I do understand that 4 years or so have passed since you put it up, of course, but you seem confused about the "principles".

What the DMDE screenshot shows is a SINGLE partition spanning all the disk size (around 160 Gb).
If - as you stated - it was a "container", it was a file inside that partition, and there is/was no "rest of space".

The D:\ drive is a partition, whose filesystem is currently corrupted (i.e. RAW).

INSIDE the D:\ there was the TrueCrypt container (which - when decrypted and mounted - had ANOTHER drive letter assigned to it, let's say, as you stated earlier, the O:\ ).

The issue right now, unlike what you stated initially, seems to have nothing to do with Truecrypt; what is corrupted right now is the partition on disk (the thing that gets the drive letter D:\).

From what I can understand you had inside the D:\ volume a LARGE file around 87.9 Gb in size (possibly a file <somename>.tc ) that was the Truecrypt container and that, once unencrypted and mounted in Truecrypt, became O:\. Can you remember this or not?

jaclaz


   
 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

> If - as you stated - it was a "container", it was a file inside that partition, and there is/was no "rest of space".

I never stated it was a container. I think in TrueCrypt I chose the option
"Encrypt a non-system partition/drive (Encrypts a non-system partition on any internal or external drive (e.g. a flash drive). Optionally, creates a hidden volume.)"
I don't know if Volume type was Normal or Hidden.
Anyway, in WinHex, if I choose FAT32 as the filesystem I don't get any error messages and I get normal values for Used Space. I'm not sure how this can indicate if it can be a FAT partition.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> > If - as you stated - it was a "container", it was a file inside that partition, and there is/was no "rest of space".
>
> I never stated it was a container. I think in TrueCrypt I chose the option
> "Encrypt a non-system partition/drive (Encrypts a non-system partition on any internal or external drive (e.g. a flash drive). Optionally, creates a hidden volume.)"
> I don't know if Volume type was Normal or Hidden.
> Anyway, in WinHex, if I choose FAT32 as the filesystem I don't get any error messages and I get normal values for Used Space. I'm not sure how this can indicate if it can be a FAT partition.

Sure :), I stated it was a "container".

You stated that it was NOT a partition (like NOT in the MBR), and if this is the case, then it is a container.

On the other hand, on a 160 Gb disk you wouldn't normally have an 87.9GB (unless there was another partition or you decided to only use around half the capacity of the disk).

The only data that you provided (that I can "trust" - not because I don't believe you, only because you made some contrasting statements) is the single DMDE screenshot you posted on the other board:
http://forum.ixbt.com/topic.cgi?id=114747524#24

And that shows traces of an NTFS volume. There is no way on earth (unless at the time you used a "special" utility) that you created a 87.9 Gb FAT32 volume, because no built-in MS tool in XP and later will allow you to create a FAT32 partition larger than 32 Gb.

It is possible that the Truecrypt volume was a partition in the space between 2048 and 61432560 LBA, then it would have been around 30 Gb (compatible with "default" FAT32 filesystem size) but nowhere near the 87.9 Gb you remember.

Or it is possible that the partition that is now found is/was actually the Truecrypted volume spanning from 2048 to 312496127 LBA, but then again it would be around 160 Gb and not around 87.9.

jaclaz


   
 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

jaclaz,
I decided to do a clean install and format the system drive to see if the problem was related to OS malware or some malfunction of the OS.
Now, while trying to open the mounted volume O:\ in WinHex, I get the following message:

Error #5 Cannot write to "C:\Users\user\AppData\Local\Temp\Drive 34C1C37C Clusters.dir". This operation is aborted.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> jaclaz,
> I decided to do a clean install and format the system drive to see if the problem was related to OS malware or some malfunction of the OS.
> Now, while trying to open the mounted volume O:\ in WinHex, I get the following message:
>
> Error #5 Cannot write to "C:\Users\user\AppData\Local\Temp\Drive 34C1C37C Clusters.dir". This operation is aborted.

…and?

"C:\Users\user\AppData\Local\Temp\Drive 34C1C37C Clusters.dir" should be on your (newly formatted installed) System drive.

Maybe a permissions issue?

Anyway your next step is voodoo (it has the same effectiveness and connection to the issue as reinstalling the OS).

Seriously, really, if you provide some valid data, maybe I can assist you, though I doubt it will be possible to recover the volume this way.

Till now I was not able to understand how EXACTLY the situation was before the issue occurred, and you provided only partial and contrasting reports of what you recall and very little "objective data".

Can you (for the moment) forget about Winhex?

Just try accessing the Physicaldrive/Physical Device "as is" in DMDE (and post a screenshot).
Then check if a drive letter is assigned to the volume(s) inside that disk in Explorer.
Then try running Truecrypt and check that a new letter has been added in Explorer (should be the O:\ you are talking about).
Finally open that drive letter in DMDE (LogicalDrive/Logical Disk) and post a screenshot.

Maybe with these two screenshots I can understand the setup.

jaclaz


   
 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

jaclaz,
you told me to forget about WinHex, but somehow I managed to open the hard disk and get to Tools -> Disk tools -> Scan for lost partitions -> FAT, NTFS. It does find 1 partition, but I don't know what to do now. I'm just trying to follow the instructions of Джамаль on the ixbt forum.

I can post DMDE screens here, but I want to ask: is it possible for you to give me remote assistance via TeamViewer, for example?


   
 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

jaclaz,
here are the screens you asked for.

As you see, the size of the volume/partition was 87.9 and on this screen it shows 94.4GB as the size.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The 87.9 vs 94.4 is Ok, there are (second screenshot)
184,313,169-0+1=184,313,170 sectors in the Logical drive found.
184,313,170x512=94,368,343,040 bytes.
They will be 94.4 (roughly) Gb (using 1000) or
94,368,343,040/1,024/1,024/1,024=87,9 Gib (using 1024).

You are using a very old version of DMDE (why?) yours=2.4.6 current=3.0.6, current Beta=3.1.0.67x
Get latest beta, more than a few betterings were made since 2.4.6.

Now the problem(s) is/are the following:
1) the disk (physical drive) seemingly does NOT contain a valid partition/filesystem; it does have a partition (in the MBR), but the volume corresponding to it has just the "E" flag valid (i.e. no filesystem).
A "good" volume/filesystem would normally have the EBCF flags green.
2) since seemingly the "O:\" drive is mounted nonetheless by Truecrypt, it means that the data about the extents of this volume are stored *somewhere else* or in a hardcoded sector (since there is no valid volume/filesystem on the disk), but again there is no indicator in DMDE of anything valid in the O:\ volume in this view; also, a good volume would normally have the BCF flags green. You can however try selecting the O:\ Logical Drive in DMDE and press the "NTFS search" button (but I doubt that anything good may come out of it).

So seemingly there are two levels of issues, the first one is the "outer volume" and the second is the "inner container".

Now please follow me:
1) You have a 160 Gb hard disk
2) on this hard disk there are traces (in the MBR) of a single partition spanning the whole device, i.e. roughly 160 Gb in size
3) once you have run Truecrypt (and as you remember) there is *somewhere* on that disk a Truecrypt container/volume sized roughly 94.4 Gb; right now that volume seems not to have any valid filesystem structure.

Can you remember HOW the rest of the space on that disk was used?
Was there a large (160 Gb) volume?
The point here is that - maybe - there is a corruption of the "outer" NTFS volume that prevents Truecrypt from accessing (and thus decrypting) the crypted container/volume.

jaclaz
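
The extent arithmetic from the posts above, as an added example that is not part of the original thread or any poster's code: it decodes a classic MBR partition table and converts inclusive LBA ranges to decimal GB and binary GiB, which is why the same volume reads as 94.4 in one tool and 87.9 in another. The sample sector is constructed from the LBA values quoted in the thread; the partition type byte 0x07, the 512-byte sector size for the MBR extents and all function names are assumptions.

```python
import struct

SECTOR = 512  # bytes per sector, as used in the thread's arithmetic

def extent_size(first_lba, last_lba, sector=SECTOR):
    """Return (sectors, bytes, GB, GiB) for an inclusive LBA range."""
    sectors = last_lba - first_lba + 1
    size = sectors * sector
    return sectors, size, round(size / 1000**3, 2), round(size / 1024**3, 2)

def parse_mbr(sector0):
    """Decode the four primary partition entries of a classic MBR sector."""
    if len(sector0) != 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) sector-count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "first_lba": start, "last_lba": start + count - 1})
    return parts

def build_sample_mbr(first_lba, last_lba, ptype=0x07):
    """Constructed test sector with one entry; type 0x07 is an assumption."""
    count = last_lba - first_lba + 1
    entry = struct.pack("<B3xB3xII", 0, ptype, first_lba, count)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def report():
    """Sizes for the three extents mentioned in the thread."""
    rows = []
    for p in parse_mbr(build_sample_mbr(2048, 312496127)):
        rows.append(("MBR partition", *extent_size(p["first_lba"], p["last_lba"])))
    rows.append(("logical drive", *extent_size(0, 184313169)))
    rows.append(("alt. extent", *extent_size(2048, 61432560)))
    return rows

if __name__ == "__main__":
    for name, sectors, size, gb, gib in report():
        print(f"{name:14} {sectors:>11} sectors {size:>15} bytes "
              f"{gb:>7} GB {gib:>7} GiB")
```

On a real disk, the 512 bytes passed to `parse_mbr` would come from sector 0 of a forensic image opened read-only, never from the live device being recovered.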


   
 ipwn
(@ipwn)
Active Member
Joined: 9 years ago
Posts: 11
Topic starter  

jaclaz,
I've decided to try TestCrypt. It detects 2 Volume Sizes with 94,37GB and it does find 2 volume headers, after I right-click on them
(one has the option to mount as Normal Header (n/a), the other has the option to mount as Backup Header, and it's the Embedded Backup Header)

After I tried to mount both, a new drive appears in "My Computer" but it's impossible to browse it. I've tried to see if files were properly decrypted using WinHex and DMDE but nothing seems to appear.

TrueCrypt does also mount a header and it says the Volume Size is 87.9GB.

So, what I think is that TestCrypt or TrueCrypt fails to decrypt even after the correct password is inserted. Is it possible that I had exceeded the size limit of the encrypted volume/partition by placing some file there before it stopped working? I'm saying this because TestCrypt found a Volume Size of 94,37 and TrueCrypt found a Volume Size of 87.9.
Can I delete something inside the volume and try to mount? Maybe it will decrypt successfully?


   