Data Recovery Digest

Data Recovery from an Encrypted Volume (TrueCrypt)

In terms of protecting your privacy and the security of your data, encryption is a widely accepted best practice both at home and in the office. However, while disk encryption vastly strengthens your data security, it also complicates your ability to recover your data should your disk become corrupted. In this article, we’ll take a look at the challenge of data recovery from an encrypted volume using TrueCrypt as an example. While the details may vary for other methods of encryption, such as BitLocker, the overall concept is the same.

How Encrypted Volumes Work

There are two primary methods for encrypting data with TrueCrypt: (1) encrypting an entire partition or storage device and (2) creating a virtual encrypted disk. In the first case, the entire device, such as a USB flash drive or a hard disk drive where Windows is installed, can be encrypted. Encrypted volumes and removable devices must be mounted using TrueCrypt and a decryption key. Virtual encrypted disks are like file containers that can be mounted using TrueCrypt. With both methods, the contents of the container or encrypted device cannot be read unless the volume has been mounted using TrueCrypt. For bootable devices, a special boot loader must be installed on the disk in order for the disk to be recognized.

How TrueCrypt Volumes Become Corrupted

Because TrueCrypt volumes can’t be mounted by normal operating systems, they are often mistaken for corrupted volumes or free space. If an operating system attempts to “repair” a TrueCrypt volume, it can partially overwrite or delete the standard volume header for the TrueCrypt container. This causes the master keys that are needed to decrypt the volume to be lost. Although the contents of the container may still be intact, the volume will no longer be mountable. Instead, attempting to decrypt the volume will result in “Incorrect password or not a TrueCrypt volume” error messages.
Another pitfall of encrypted volumes occurs when an encrypted partition is hidden. System operations, such as defragmenting or installation of a new operating system, can cause the hidden volume header to become partially overwritten.

Recovering a Corrupted TrueCrypt Volume

The best method to try first is to use a TrueCrypt Rescue Disk in an attempt to mount or repair the corrupted TrueCrypt volume. If you are successful, you can attempt to run data recovery operations on the mounted disk in order to salvage any remaining data.
If you are using TrueCrypt 6.0 or later, then you may be able to recover the header from the backup header. TrueCrypt 6.0 and later volumes have a backup header written at the end of the volume. To restore the backup header, use the Tools > Restore Volume Header option from TrueCrypt. Or, use a hex editor to repair the volume header (the first 512 bytes on the volume) using data from the backup header (the last 512 bytes on the volume).
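
Before restoring anything, it helps to confirm that the header region really was overwritten in the way described under "How TrueCrypt Volumes Become Corrupted". The following Python is an added example, not part of the original article or of TrueCrypt: it classifies the first 512 bytes of a volume (the header size given above) by looking for plaintext that a format or "repair" leaves behind. The marker offsets are the standard boot-sector fields for each file system; the function names, the entropy threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

HEADER_SIZE = 512  # header length as given in the article

# (offset, bytes) -> meaning: standard boot-sector fields that a format or
# "repair" writes into sector 0. An encrypted header looks like random data
# and will not contain these except by astronomically unlikely chance.
MARKERS = {
    (3, b"NTFS    "): "NTFS boot sector",
    (3, b"EXFAT   "): "exFAT boot sector",
    (82, b"FAT32   "): "FAT32 boot sector",
    (54, b"FAT16   "): "FAT16 boot sector",
}

def entropy(data):
    """Shannon entropy in bits per byte."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def longest_zero_run(data):
    """Length of the longest run of 0x00 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def classify_header(sector):
    """Return (verdict, reason) for the first HEADER_SIZE bytes of a volume."""
    if len(sector) < HEADER_SIZE:
        return "unreadable", "short read"
    sector = sector[:HEADER_SIZE]
    for (off, magic), name in MARKERS.items():
        if sector[off:off + len(magic)] == magic:
            return "overwritten", name
    if longest_zero_run(sector) >= 16:  # assumed threshold
        return "damaged", "zero-filled region inside header"
    if entropy(sector) < 7.0:  # assumed threshold; random 512 bytes score ~7.6
        return "damaged", "low entropy, plaintext structure present"
    return "high-entropy", "no plaintext found; may still fail to mount"

def read_header(path):
    """Read the header region read-only (raw devices need admin rights)."""
    with open(path, "rb") as f:
        return f.read(HEADER_SIZE)

def sample_random_header():
    """Constructed stand-in for an encrypted header: 512 bytes of SHA-256 output."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
```

A "high-entropy" verdict only means no recognizable plaintext was found; it cannot prove the header is valid, because a correct header and random garbage look the same without the password. Run the check against a copy or image of the volume where possible.
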

Conclusion

Because the partition is encrypted, you won’t be able to recover data from it as you would from an unencrypted disk or drive that has been corrupted or accidentally formatted. You must mount the volume using TrueCrypt in order to begin your data recovery efforts. Data recovery software may still be useful if the contents of the TrueCrypt volume have also become corrupted or have been accidentally deleted. But in terms of recovering data from a corrupted TrueCrypt volume, the first place you should start is getting the volume mounted again.
