Windows 7 wrote something to my harddisk1\partition0 destroying truecrypt volume header and ntfs filesystem RRS feed

  • Question

  • I managed to restore the volume header and mount the disk. Now I have a RAW filesytem and I need to get my data back.

    How can do that? I'm trying now to use TestDisk but "quick scan" is scanning now for 10h and it's at 44%
    Friday, May 8, 2009 9:38 AM

All replies

  • Bump
    Friday, May 8, 2009 6:54 PM
  • I've the same problem without solution - cause I'm using a very old TC version - if you use TC 6.0 and higher you can restore the header due a backup header - check out truecrypt.org/forum for a howto

    but I dont understand why windows 7 reinitialize all attached disks and overwrites the headers without warning or doing a backup?!

    Wednesday, May 12, 2010 10:13 PM
  • Did you ever recover the data?  I'm currently in the same mess (slightly better, as the data on that drive isn't irreplaceable and I have partial backups anyways and I'm at 28% search mft after about an hour).

    I'm following the instructions given in a TrueCrypt forum post:   Filesystem not recognized - how to recover a damaged volume.   But any tips would be nice.  I'll post back with my results for the benefit of future users who fall into this trap.  Still quite annoyed that it was deemed OK to have the Windows 7 installer mess with other partitions without user confirmation.

    Tuesday, February 8, 2011 11:37 PM
  • I was ultimately unable to recover any data through TestDisk.  But I did manage to recover most of the data.  Tips for future unfortunate victims:

    • follow the instructions given at the post I linked to earlier.  You should at least get to the point where you can mount the volume.  But if TestDisk doesn't work do not despair.
    • mount the container and try the free (trial) version of FileScavenger on the mounted partition to see if it'll work.  consider paying for the full version.
    • Ask for help at the TrueCrypt forums.  They're good, and might be able to help.
    • If all else fails, resolve to make this the last time you loose data.  Backups!!
    • Get a big black marker and write on every Windows install disc "unplug all other drives before installing" so that you don't forget. 

    I was actually surprised that something like FileScavenger worked so well.  Most non-free data recovery programs have better free alternatives.  This time, I couldn't find anything free that worked.  And FileScavenger worked very nicely.  Its method of recovery is file based.  Meaning you'll have to have enough space to copy the recovered files to.  The number of files you can recover undamaged will depend on how fragmented the filesystem was.  I lost a few hundred files (out of a few hundred thousand).  The scan worked faster than TestDisk, and the results could be saved for later and/or exported as a CSV etc.  Even though I had partial backups, I found this program well worth the money.




    • Proposed as answer by kijoshua Sunday, February 20, 2011 10:26 PM
    Sunday, February 20, 2011 10:26 PM
  • This thread is old, but I stumbled on it when searching for anything that would help after I accidentally did a quick format on my external hard drive encrypted by Truecrypt. Hopefully, this will be of use to someone. NB: I did not have any backups of the volume header, and Truecrypt could NOT mount the volume NOR recover the embedded backup header.

    Here is what happened and what I did to recover my data:

    1. First the mistake: I tried to create a bootable USB stick with HP USB Disk Storage Format Tool. The tool automatically selected my USB hard drive, and not the USB stick. I quick formatted the encrypted hard drive.

    2. The hard drives only existing partition (which filled the whole drive) had been encrypted by Truecrypt 7.0. The quick format did not go through correctly, Windows still showed the partition as unformatted. It did mess up the Truecrypt volume, and the volume could not be mounted any more ("Wrong password or not a TrueCrypt Volume".) I did not have any backups of the volume header, and truecrypt failed to find the embedded backup volume header on the hard drive when trying to mount the partition with the relevant mount option.

    3. I then deleted the partition by using the disk management tool in Windows 7 64 bit (Control Panel -> System and Security -> Administrative Tools -> Computer Management/Storage/Disk Management). The I recreated the partition by using the default values offered by Windows - apparantly, these were the same values that the partition had been created with before it was encrypted with Truecrypt. I did not format the drive when asked by the Disk Management Tool!!!

    4. Now I could mount the partition in Truecrypt by using the "Mount volume using embedded backup header" mount option. All my data was intact.

    • Proposed as answer by kijoshua Saturday, March 31, 2012 10:22 PM
    • Edited by NexNoct Sunday, April 1, 2012 5:07 AM Minor clarification
    Saturday, March 31, 2012 10:06 PM
  • Wow, that's a great sounding solution!  Have you mentioned this to the TrueCrypt devs?  If the embedded backup volume header can be either repaired or uncovered by whatever it is took place in step 3, it should definitely be included in the TrueCrypt recovery options.

    To those who stumble upon this thread later, I'd recommend trying his solution before mine.  If you can't recover the partition via nondestructive techniques, go ahead and recreate the partition without formatting.  Even if it doesn't work, I think that the changes should be very minor and have little effect on the recovery technique I gave.  If you have another drive handy that you can use to make a backup copy of the messed up drive, then that's even better.
    Saturday, March 31, 2012 10:22 PM
  • Have you mentioned this to the TrueCrypt devs?  If the embedded backup volume header can be either repaired or uncovered by whatever it is took place in step 3, it should definitely be included in the TrueCrypt recovery options.

    I found the relevant info in the Truecrypt Forums / Problems section (registration required) - the particular situation discussed was somewhat different, but this was said:

    "If you still think that is the header from the old full disk encryption, your only options are to recreate the partitions on the drive exactly as they were before but without reformatting...and hope that you get them created at the exact same size as before. Recreating the partitions, without reformatting, should not hurt the embedded backup header at the end of the partition. Once the partitions are recreated exactly as before you should be able to select the correct partition in TrueCrypt and mount it using the embedded backup header."

    Mine was a special case of the above, as the size of the partition was not uncertain since it fills the whole disk (and I had, luckily, used the default parameters when creating the partition). I cannot help to think that in addition to backing up the volume header, should it be recommended to also backup information on the exact size and location of the encrypted partitions as well, so that these may be recreated in an emergeny?

    As the Truecrypt forums requires validated / non-free email adresses to post, I decided put info on my experience here first.

    • Edited by NexNoct Sunday, April 1, 2012 4:39 AM Minor clarifications
    Saturday, March 31, 2012 11:42 PM