I have a non-system partition that I encrypted with VeraCrypt. This partition is now not mountable anymore, although I have the correct password. Even worse, system management says the partition is NTFS, which obviously means that it has been formatted.
Is there any way to decrypt the whole partition and try to restore what can be restored? Or do I need the header or at least the backup header? Really, ANY help or hint is appreciated.
What did I do?
Today I installed Windows 10 (coming from Windows 7) together with a couple of new components (mainboard, CPU, etc.), but I did for sure not touch the SSD where the above-mentioned VC partition resides ("ssd2"). Because of that I felt sure that there was no need for a backup of this partition, which contains all my data. Yes, I am the biggest idiot on earth, I know. I have no clue why I did not spend these few minutes, but fact is, I did not :-(
Anyway, I did not touch ssd2, but I tried to install on ssd1 and tried around with the order of the SSDs even after Windows 10 was installed, because I had some problems. I also tried to install Windows 7 in combination with the ASUS driver DVD (for USB support) before that, which was not very successful. Any one of these steps seems to have formatted the VC partition on ssd2. I now made a byte-by-byte backup of ssd2 completely (2 partitions).
Worst case is that I will have to use my latest backup, which is a couple of weeks old...
Does no one have any idea what I could do or try out?
Last edit: Zusan Dammhaus 2017-12-29
One guy asked me to help in the same situation. I did:
1. Mount the volume via backup header
2. Scan the volume mounted with recovery tools (e.g. r-studio)
https://sourceforge.net/p/veracrypt/discussion/technical/thread/bb573cc6/?limit=25&page=1
The partition/disk is formatted, obviously. So you have to use an unformatting tool and then it might be possible to unencrypt/mount. First of all you have to create a 1:1 backup/copy. Then you can test the whole recovery process on that image before applying it to the original.
Andreas
@Andreas: An unformatting tool? To be honest, I do not really know what kind of tool you mean. A normal recovery tool won't work here, as far as I think!?!
@Alex: Mounting with backup header did unfortunately not work. I already tried this.
I also realized that there is a small (2,7MB) unassigned part of ssd2 after my VC partition, but I do not know if this part was there before the partition got formatted with NTFS. My next step after making a 1:1 copy would be to remove the partition and recreate a new one as a basic volume and then try to mount it with VC and once again with the backup header, which hopefully is in the unassigned part...
Last edit: Zusan Dammhaus 2017-12-29
Important: scan the mounted volume (use the letter assigned by VeraCrypt). In this case the data will be decrypted on the fly.
Is there any special byte sequence that I could search for on the disk to find if the backup header is maybe still there?
No signs. The backup header is at the end of the encrypted partition (minus 256 sectors). Just select the partition and select the mount option "Use backup header".
If you mean "mount option"/"use backup header embedded in volume if available", that's what I did already a couple of times. Even with the copy and different partition filesystems and alignments.
From what I understood so far, the primary goal for me is to retrieve a header, right?
With this header I then could decrypt or mount the volume and use normal recovery tools.
Let's say the backup header is still there, but not in the place where VeraCrypt searches for it: Would it be reasonable to create files starting with a header I would like to try out? I would then just create a couple of test files with sectors from the end of ssd2 to try them out with VeraCrypt.
How long is the header and where would I have to place it in a file in order to let veracrypt use this part as a header?
Last edit: Zusan Dammhaus 2017-12-29
header size is 512 bytes
header position:
(0) sector - main header
(128) sector - hidden volume header(if present)
(end of partition - 255) - main header backup
(end of partition - 127) - hidden volume header backup
To scan a sector range of any media, I wrote the tool DCSFV (DcsFV_03):
https://sourceforge.net/projects/dc5/files/beta/
Discussion was here:
https://sourceforge.net/p/veracrypt/discussion/technical/thread/7ca28314/?limit=25&page=1#b09f/fe08/b1f8/09de/cc47/64fe/1a0b/9e65/e785/8c77/2598/f5bd
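Added example (not part of the thread, and not VeraCrypt or DcsFV code): a read-only survey of the header sectors listed above, run against the 1:1 image file, that reports whether each location now holds an NTFS boot sector, zeros, or data that still looks random. It assumes 512-byte sectors and takes "end of partition" to mean the partition's total sector count; `survey`, `classify`, `part_start` and `part_len` are hypothetical names.

```python
import math
import os
from collections import Counter

SECTOR = 512  # sector size implied by the offsets quoted in the thread

# Header sectors as listed in the post above; negative values count back
# from the partition's total sector count (assumption about "end of partition").
LAYOUT = {
    "main header": 0,
    "hidden volume header": 128,
    "main header backup": -255,
    "hidden volume header backup": -127,
}

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify(sector):
    """Rough guess at what one 512-byte sector currently holds."""
    if sector[3:11] == b"NTFS    ":
        return "ntfs-boot-sector"  # OEM ID written by an NTFS format
    if not any(sector):
        return "zeroed"
    # An encrypted header has no signature; it can only look random.
    return "random-looking" if entropy(sector) > 7.0 else "structured"

def survey(image_path, part_start=0, part_len=None):
    """Classify every header location of a partition inside a disk image.

    part_start / part_len are byte values (hypothetical parameters); by
    default the whole image file is treated as the partition.
    """
    if part_len is None:
        part_len = os.path.getsize(image_path) - part_start
    total = part_len // SECTOR
    if total < 256:
        raise ValueError("partition too small to hold backup headers")
    report = {}
    with open(image_path, "rb") as f:
        for name, sec in LAYOUT.items():
            lba = sec if sec >= 0 else total + sec
            f.seek(part_start + lba * SECTOR)
            report[name] = (lba, classify(f.read(SECTOR)))
    return report
```

A "random-looking" result only shows that the sector was not overwritten with recognizable data; whether it is a usable header can only be confirmed by a mount attempt with the correct password.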