Corrupted (?) file container - Need suggestions on how to recover

AdamKoziol
2017-02-14
2017-06-17
  • AdamKoziol

    AdamKoziol - 2017-02-14

    Hello,

    I am unable to access a 300GB encrypted file container on a 500GB USB HDD (MBR and a single NTFS partition). The container most likely is also NTFS. It was created with VeraCrypt version 1.17 and always worked flawlessly. I am sure of the password. Later I also started trying to access it with VC version 1.19. The container is standard (not hidden), has no PIM, no keyfiles, and I do not have a backup header extracted. I tried various ways and combinations of mounting it: as read-only, as removable medium and using the backup embedded header. No luck. Later I tried running chkdsk /r /f /x and HD Tune 2.55 (slow) Error Scan on the drive, but no issues were found. The error I am getting is:

    Operation failed due to one or more of the following:
    Incorrect password.
    Incorrect Volume PIM number.
    Incorrect PRF (hash).
    Not a valid volume.
    Source: MountVolume:7763

    What are my other options to try getting into that thing?

    What happened? File corruption without any traces?

    I don't think I even have to say that I am really determined to get to my files.

    Thanks and best regards,
    Adam

     

    Last edit: AdamKoziol 2017-02-14
  • Alex

    Alex - 2017-02-14

    Keys are in first 128K and backup in last 128K of the container.

    Selecting "Use backup header" tries the last 128K.

    If the header is damaged, it is not possible to decrypt without rescue. If you have an old version (copy) of the file container, it might be possible to restore the header from it. Keys are the same.

     
  • AdamKoziol

    AdamKoziol - 2017-02-15

    This is the only copy of the container unfortunately.

    Is there a way to get, let's say, the first half of the backup header and copy it onto the first half of the front header? Would that work? Of course that would include getting backups of the headers beforehand and trying to combine different parts of the headers, hoping that the corruption was not in the same place on both.

     
  • Alex

    Alex - 2017-02-15

    No. To protect the keys, password, PIM and salt are used.
    Primary and backup salt are different.

     
  • AdamKoziol

    AdamKoziol - 2017-02-15

    Alright. Goodbye to my files then :/

    Thanks a lot for your help Alex! I really appreciate it.

     
  • Alex

    Alex - 2017-02-15

    If you send me the headers, I can try to decrypt it under a debugger to verify the CRC and authorization data.

    There is a small chance if the header keys are not damaged.

    Details via email.
    Need:
    headers, some data to verify, password, PIM, hash, crypt algorithm.

     

    Last edit: Alex 2017-02-15
  • dictum

    dictum - 2017-06-17

    I am in a similar situation. The disk lost its partition table and the filesystem can only see the RAW device. I cannot mount the container, yet I extracted all the files into a directory. Can I do something with it?
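
Alex's replies about the two 128K header regions and their differing salts, as an added example that is not part of the original thread or VeraCrypt's own code: it copies both regions out read-only before any recovery attempt and shows that one password yields a different header key per region, which is why halves of the two headers cannot be combined. Assumptions: the 64-byte cleartext salt at the start of each header, HMAC-SHA-512 with 500,000 iterations (VeraCrypt's default for a container without PIM) and a 64-byte key; the function names and the sample file are constructed.

```python
import hashlib
import os
import tempfile

REGION = 128 * 1024  # per the thread: keys in the first 128K, backup in the last 128K
SALT_LEN = 64        # assumption: 64-byte salt stored in the clear at the start of a header

def read_header_regions(path):
    """Return (primary, backup): the first and last 128 KiB, opened read-only."""
    size = os.path.getsize(path)
    if size < 2 * REGION:
        raise ValueError("file too small to hold both header regions")
    with open(path, "rb") as f:
        primary = f.read(REGION)
        f.seek(size - REGION)
        backup = f.read(REGION)
    return primary, backup

def save_header_copies(path, out_dir):
    """Write both regions to separate files and return their SHA-256 digests."""
    os.makedirs(out_dir, exist_ok=True)
    digests = {}
    for name, blob in zip(("primary.bin", "backup.bin"), read_header_regions(path)):
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(blob)
        digests[name] = hashlib.sha256(blob).hexdigest()
    return digests

def header_key(password, region, prf="sha512", iterations=500_000):
    """Derive one header's key from the password and that header's own salt."""
    return hashlib.pbkdf2_hmac(prf, password.encode(), region[:SALT_LEN], iterations, dklen=64)

def looks_wiped(region):
    """Crude check: an encrypted header looks random, never mostly one byte value."""
    head = region[:512]
    return max(head.count(b) for b in set(head)) > len(head) // 2

if __name__ == "__main__":
    # Constructed sample: random bytes stand in for the headers of a real container.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.hc")
        with open(path, "wb") as f:
            f.write(os.urandom(REGION) + bytes(REGION) + os.urandom(REGION))
        print(save_header_copies(path, os.path.join(d, "headers")))
        primary, backup = read_header_regions(path)
        k1, k2 = header_key("constructed-pw", primary), header_key("constructed-pw", backup)
        print("same header key:", k1 == k2, "| primary wiped:", looks_wiped(primary))
```

Run the copy step against the container on read-only media or a disk image, and keep the saved files and their digests before trying anything that writes.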

     
