Recovering a deleted TrueCrypt partition
In connection with the termination of the project, the topic is less relevant, but still
At one time, installing Windows, I decided not to touch the system partition, but to encrypt the data partition.
As a result, the HDD looked like this:
The last partition on 831.51 gigabytes is the volume encrypted using TrueCrypt.
Due to the annoying error, I deleted all partitions from my HDD.
There are many programs that recover deleted partitions (Paragon HDM helped me), but since the TrueCrypt volume cannot be distinguished from a random data set, no program could detect it.
Below you will learn how to recover a deleted TrueCrypt volume (with a password / key file)
First you need to find the beginning of the TrueCrypt partition.
I knew that my encrypted partition was located immediately after the first two, and went there:
WinHex, Tools -> Open Disk. Open your HDD. Having opened, we select the last existing section.
Section 2 begins in sector 206,848 and occupies 209,510,400 sectors.
Therefore, the next section should begin in sector 209 717 248.
We go there: Navigation -> Go to Sector
At the beginning of the encrypted section, the headers of the TrueCrypt partition are stored.
For verification, save the first 200kb to a file (this can be done even in the WinHex demo version):
Edit -> Define block
In Beginning Specify the offset, from which our proposed partition starts.
In End we specify it as + 204800 (WinHex worked for me correctly only if OffSet in Hex mode, you can switch the mode by clicking on the Offset column).
In my case, these were 1900100000 (h) and 1900132000 (h)
The selected block must be saved to a file:
Edit -> Copy Block -> Into New File -> header.tc
We mount the resulting file in a free letter using TrueCrypt:
If the file succeeded to mount - it means the title, indeed, was located here.
Let's open the properties of the volume and write down its size: 892 826 550 272 bytes
. Also, for verification, you can open the mounted partition using WinHex.
He, of course, will swear - but we can see the beginning of our decrypted partition:
Tools -> Open Disk -> select the letter where we mounted the file (I have Z:)
Ok, so far everything works out.
Unmount the Z: drive, proceed with the repair.
At this stage, it is better to make a sector-by-sector copy of the HDD in case something goes wrong!
The size of the TC partition, as we found out earlier, was 892,826,550,272 bytes (you will have a different one). To this number you need to add the standard size of the TrueCrypt header: 262144 bytes.
In total, the size of the created partition should be 892826812416 bytes. Divide
twice by 1024 - we get the size in megabytes. Now you can create a partition with the usual Windows disk manager (it allows you to specify the size in megabytes only).
When creating a section, DO NOT assign a letter to it and DO NOT FORMAT it:
During the creation of the section, its beginning was erased - but we have a copy.
Launch WinHex with administrator privileges and put it into edit mode:
Option -> Edit Mode -> Default Edit Mode
Open the beginning of the created section - there should be zeros:
Now open the saved copy of the section title, select and copy the missing blocks from there:
Edit -> Copy Block -> Normally
Go back to our section, click on its first block and paste in the data:
Edit -> Clipboard Data -> Write
File -> Save Sectors
Done, now the partition should be mounted using TrueCrypt
PS Once, the headers extracted to the file were mounted to me, but the partition was not mounted.
It helped to create a section a little smaller.