Formatted non-system HDD when installing Win 11
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
t's a 12TB and it was full
I'd be willing to donate $100 to whoever can help, or $50 to Veracrypt and $50 to whoever, whatever.
Some things I know:
I don't think I have a backup of the header
I have something called a Veracrypt rescue disk
This was not the Windows partition, just a storage drive, pretty sure NTFS.
I have the password.
Things I don't know
a lot about VC
How to exercise caution at the disk formatting screen :(
What encryption scheme etc I used.
I got this going years ago and would just click on D: and click "auto mount drives" punch in the 100 character PW and wait a bit(like 45 seconds on a Ryzen 5600x) and it would show up as D: with a phantom drive like Z or something.
Does anyone know how much one of those professional data recovery places would charge for something like this? Is it like $400 or like $4,000?
I'm willing to buy another HDD if I know I can fix the issue.
I've tried using those data recovery tools (Hetman and minitool) with no luck which makes sense but I was willing to try.
The VeraCrypt Rescue Disk is only for the system encryption.
Do not attempt using data recovery tools on an unmounted VeraCrypt volume since the tools do not realize that this is encrypted data and will attempt to fix what the tool thinks is clear text data.
Likely the Windows installation/upgrade performed quick format the partition since a VeraCrypt partition/drive appears as RAW format to Windows.
During installation/upgrade, Windows sometimes will initialize a drive that is not usable to Windows in order for you to use the unformatted drive.
Try mounting the partition using the optional embedded backup header.
In the password dialog box, click the Mount Options button and enable the use embedded backup header.
Last edit: Enigma2Illusion 2021-11-08
Has the drive "only" been formatted, or did you actually write anything to it? If it's the latter, options will be limited, depending on how much of the drive has been overwritten.
Greets
It has "only" been formatted <3 I haven't done anything since then. When I try to mount with the backup header I get errors.
If I leave the "mount device" blank, click on D:, select auto mount, and click advanced and check the box for "use embedded headers if available" it just fails with the same errors.
If I select mount device and click on the physical hard drive, still the same. :(
Appreciate the help though, like, you have no idea.
Last edit: Rich Thompson 2021-11-08
What was the layout of the drive until it was formatted? Was the whole drive encrypted, or was there one partition which was encrypted?
Can you post a screenshot of the VeraCrypt select device screen?
Another concern is Windows format will sometimes create a hidden small partition for GPT formatted drives. This hidden partition will show-up in the VeraCrypt Select Device screen.
The entire drive was encrypted with a password, I didn't have Windows on it or a keyfile, and there was only one partition.
Here's a screenshot. Thanks so much!
Harddisk0 is usually the OS drive.
Could you post the screenshot of when you click on the Select Device button and a new screen pops-up showing the disk devices and their partitions?
My theory that a Windows update performed a quick format does not match what you are showing in the current screenshots.
It is important to know what the current disk partitions, including any hidden partitions, look like on your system.
Here's the other screenshot.
To be honest, I do not know what happen to your VeraCrypt disk since the incidents I have seen reported in the past on the forum is that the Windows installer would sometimes perform a quick format to make the disk usable to Windows OS and that process should have created partition1 on your Harddisk0.
Maybe a new behavior of Windows 11.
At the moment, I do not have any suggestions to resolve this problem.
Okay, thanks. Interestingly, in one of the programs I paid for, I do see a 16MB unallocated space on the 12TB drive, having said that, even if I had a partition 1, what would I do with it?
Let me sum it up until now to see, if I get it right:
Is this true so far?
Greets
2 and 3 are unquestionably correct. 1 I am not sure because I know Veracrypt has some funky features which are very specific about this regarding disk vs partition
But the 12TB drive was a single NTFS partition and that entire partition was encrypted. If there is any distinction between "1 partition the size of the entire HDD" and "entire disk" I am not sure which I did, though I would imagine the latter. Hope that helps!
crosses fingers
What to do next depends very much on the layout of the drive before the accident. If you are not sure about that, we could at least try a few things:
Try to mount the whole disk (not the partition) with VeraCrypt by clicking "Select Device..." and choosing "Harddisk 0" (if it's still the device name like shown on the screenshot) using following mount options (click "Options>" Button): "Mount volume as read-only" (to prevent further damage by disallowing writing to the mounted volume), "Use backup header embedded in volume if available" (as the main header will very likely be overwritten) and "Do not mount". The last option is mandatory, as the file system will very likely be damaged and therefore unmountable, leading to VeraCrypt aborting the mount process with an error. Then enter your password and pray that it will mount. If it won't mount, try again without the backup header option. If it still won't mount, head to
Try to mount the raw partition on the disk, using the same mount options from above. If it won't mount, there would be one last thing to try - but for this we would have to alter the disk partition layout and therefore do write actions, possibly further damaging the data. So I highly recommend creating an image of the whole disk beforehand. In Linux, I would use dd for this - don't ask me for Windows tools, though.
Last chance: After creating an image of the entire disk, not only partition(s) (and therefore creating the possibility to go back to the current state), remove all partitions from the disk in question (watch out not to delete the wrong partitions of other disks) and create a new raw (no file system) partition with the same size of the original one. I assume it was maxed out... but assumptions won't help here anymore. At least the end sector of the partition on the disk MUST match the old VeraCrypt partition (to make the backup header accessible). If the correct layout is not known anymore, we're done here or have to make guesses, until we find the correct position of the partitions last sector.
After this, try to mount the partition again, using the above options (don't forget to try with and without backup header option, just to be safe). If it still won't mount by any means: RIP volume (anyone correct me if I'm wrong here). If nothing of the above helps, I don't think there is anything left to try except there magically pops out a backup of the volume header.
Anyway, if it mounts using any of the above methods, now use photorec (or any other data rescue software) to try to read as much still intact data from the (not mounted - remember the "Do not mount" option) partition (hopefully) found by the used software.
I don't know the mount point of the VC volume on Windows (Linux would be: /dev/mapper/veracrypt1) so you would have to look into this. I assume there would pop up some kind of "raw" file system partition in partition manager after mounting the VC volume with above methods.
That's it for now. Good luck!
Greets
Last edit: RealTehreal 2021-11-10
Okay, thanks for the thorough response.
When I click "select device" what it puts in the path is
\Device\Harddisk0\Partition0
I don't see a way to say something like "select partition" so I'm not sure if I'm actually doing 2 or 1. I tried manually deleting the Partition0 part and just clicking mount with it set as
\Device\Harddisk0\ but it errored out.
In any case ticking "only create virtual device without mounting on selected drive letter" and "mount volume as read-only" didn't work, whether or not I ticked "use backup header if available."
If that's that then I will try to clone/image the drive and go for step 3. Thanks so much for all this help
You should be able to mount the whole drive as a VC volume. What's the error message when you try to do so? Maybe have a look at the documentation about this. Maybe you have to delete the partition on the disk beforehand. But I would highly recommend to do the imaging step first.
Greets
If I modify the path by hand to say \Device\Harddisk0 I get handle invalid source: mount:5109
If I modify it and put a \ at the end \Device\Harddisk0\ I get a syntax error source:mount:5109
One thing I sort of forgot about, but when the drive was working I always saw a drive in file explorer that if I clicked on, I'd get an error. When I unlocked the actual drive that weird phantom drive would remain.
Last edit: Rich Thompson 2021-11-11
For testing purposes I encrypted a flash drive, there's a distinct difference between it and the 12TB drive right now. It defaults to say partition1 instead of 0. and in the select a partition it has an entry under the device. Selecting just the stick changes it to partition0 but that doesn't work with the password .I'm going to format it in the Win11 install screen and see what happens next.
I can in fact mount Partition0 of the flash drive if I tick "use embedded backup header if available"
Last edit: Rich Thompson 2021-11-11
I did some similar testing on my end. In Windows, it seems that selecting the whole disk for encryption / decryption results in the path "\Device\HarddiskX\Partition0" where Partition0 would be some kind of virtual partition - but that's ok, I guess.
I encrypted a flash drive ("Partition0") and afterwards created a partition with Windows' DiskManagement tool. Afterwards, the drive was only mountable via backup header, which is what I expected because the original header has been overwritten.
I think this would've been the encrypted partition, which is shown as "raw" by Windows. So it seems that you created a partition on the 12 TB drive which was encrypted by VeraCrypt.
Ergo you have to recreate the partition without formatting it and then try to mount it via VeraCrypt, backup header and without mounting the file system and, for safety reasons, read only. The only mandatory thing is: the last sector of the partition must be at the same position as the original partition (before it was formatted). Otherwise, access to the backup header would not be possible. This is what #3 of my post above was all about.
Greets.
Okay, so I did that, put in the password with read only, backup header, and only create virtual device with no drive letter
And Veracrypt accepted the password.
But now what? When I right click on the thing in VC and click open nothing happens.
Hope you accept Paypal or Venmo dude!
MOD NOTE: Removed swear words. Future thread posts with swear words will be deleted without warning.
Last edit: Enigma2Illusion 2021-11-12
That's great news! You should now have a new "raw" partition in Windows' DiskManagement — that's the former (now damaged) NTFS partition, which should contain your data. You would now take your preferred data rescue tool and target it on this partition, to extract as much data from it, as possible.
I would prefer you donate any amount measured by VC's worth to you to this project. This way, all of us VC users would profit from further development. :-)
If there's still something left, just reach out again. Otherwise, I was glad to be of help.
Greets.
Last edit: RealTehreal 2021-11-12
Unfortunately, I am still running in to some issues. Is there a tool out there that's regarded as reputable? I'm not in love with the ones I have tried, and the companies are the kinds that come up frequently when you google some Windows error and the "suggestions" are update the drivers, some other generic stuff, and if that doesn't work, buy our product!
They all keep spitting out huge files of formats I know I didn't have on the drive. 700mb .doc files, gz files, etc.
I'm not sure what to do from here, and the scans are taking very long, I gave up on one after 24 hours and it found a ton of 700mb+ .jpg files which, unsurprisingly, weren't anything of actual value.
First off, data rescue can be an overwhelmingly demanding task, depending on the media. In your case, we are talking about a huge 12 TB storage media. In case, the media could be read at 80 MB/s in average (which I do not believe, though) it would still take ~44 hours to read it completely. That's what data rescue software has to do, as the filesystem information has been destroyed, and it only tries to find known structures.
I, for my cases, always used testdisk and photorec for data rescue tasks. But these can be tricky to use. There is no "first do this, second do that" kind of instruction I could give to you for your special case. You will have to put time and effort into this task, to hopefully get some of your data back.
I'm sorry for you, because I know, that's not what you wanted to hear. Unfortunately, data rescue is nothing to do from afar.
Greets
Thanks. Does this mean this is truly no longer a VeraCrypt problem at all?
I still don't get why I'm seeing these random file formats with huge file sizes, do you think if I wait the full 48-72 hours or whatever it will "figure out" what the files really are?
This hasn't been a VeraCrypt issue to begin with, as you formatted the drive. VC is not designed for data rescue wrong a damaged volume.
The reason for those weird files would be, that your data rescue software finds wrong file structures. Maybe the search parameters should be altered.