HELP - URGENT: I Cannot Mount My Encrypted Drive !!!

Topics: Technical Issues, Users Discussion
Jan 19, 2016 at 12:06 AM
I have had the longest night trying to recover my encrypted drive, with the only set of my most important documents. I'm inbetween a rock and a hard place, not being able to work, or take care of extremely critical tasks. I know - was going to run a new backup in just 2 days from now...

Here's what happened:
  1. I could not load Windows 10 and tried to run Startup Recovery, which stalled and rebooted
  2. Used Paragon Recovery Tools and unfortunately chose REBUILD MBR FOR ALL DRIVES !!!
  3. Having corrupted the encrypted drived by creating an MBR on it I deleted the partition
  4. As I could still not mount the encrypted drive I ran DISKPART and CLEAN on it
I check "Use backup header embedded in volume, if availble", but it fails to mount.

I would be most grateful for any advice on what to do, as I'm a newbie to encryption.

Kindly,
Kaliya
Jan 21, 2016 at 12:30 PM
You had whole system encrypted, or just a partition? Have you used clean all, or clean? Clean all overwites the disk = data are gone.

I accidently deleted mbr too, had my second partition encrypted and I had no idea where it began. All you need is to create exactly the same partitions with exact sizes. If you have installed windows yourself, you are probably lucky and you can try to repeat the instalation on another drive of the same size and then copy the mbr. This is what saved my ass.
Jan 21, 2016 at 5:02 PM
Hi Testoslav!

Thanks a lot for helping me out :)

I only did a simple clean - not clean all. I have encrypted a whole drive/device in one partition on a drive with no OS - only documents (but EXTREMELY important ones).

Please, can you tell me exactly how you did the export/import of the MBR?

Kindly,
Kaliya
Jan 22, 2016 at 9:24 PM
I booted live linux flash and used dd under linux where sda is first drive (with correct mbr) and sdb is the dead one
dd if=/dev/sda of=/dev/sdb bs=512 count=1

But google found even some user-friendly tools: https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

This will work only if the disks are exactly the same size, otherwise VC won't find the backup header, which is located at the end at the adress PARTITION_SIZE-HEADER_SIZE.

If there have been only one partition and the above won't work, you can still create the same partition (on the drive without mbr), but use RAW - don't format it, which should give you your data back too, at least with backup header.

Good luck!
Jan 23, 2016 at 12:17 AM
Edited Jan 23, 2016 at 12:21 AM
Hi Testolav,

I greatly appreciate your kind help, but I'm not expert - please would you tell me step by step how to do it in Windows 7?

Kindly,
Kaliya
Jan 25, 2016 at 8:13 PM
kaliya wrote:
I have encrypted a whole drive/device in one partition on a drive with no OS - only documents (but EXTREMELY important ones).
It is not completly clear if you 1. had encrypted the whole device (without partitions), or 2. you had drive with one big partition and that encrypted? That's different.

In case 1.
you don't need to rebuild MBR - in password prompt press mount options and check use backup header, then type your password (and PIM, if you had it)

In case 2.
If you had only one partition covering all the disk space, just run diskmgmt.msc and create the new simple volume same as you did when you had the drive new, but do not assign letter and do not format the volume. How to: http://www.intowindows.com/how-to-createdelete-a-partition-in-windows-7/
Now as in the first case - in password prompt press mount options and check use backup header, then type your password (and PIM, if you had it)
The key to success is to create the same partition of the same size and then use the backup header in mount options. The first header is gone 100% sure, but backup header is at the end (of partition or device) and it should still be there.
Jan 26, 2016 at 1:12 PM
Hi testoslav,

Thanks for all your kind help and patience :)

I tried both your options, but unfortunately they both failed, showing the usual VC error dialog. Is there anything else I can do to recover my files, I'm totally lost without this data.... :(

Kindly,
Kaliya
Coordinator
Jan 27, 2016 at 12:36 PM
Hi Kaliya,

As testoslav explained, in situations like yours, partitioning the disk to have the exact same layout as before will solve the issue since you will end up with the same location as with the original partition and since the embedded backup header is located at the end of the partition you should be able to mount it using VeraCrypt if you check the mount option "Use backup header embedded in volume".

To be sure, I reproduced your situation in my side:
  • I started with a disk containing only one partition and which is encrypted with VeraCrypt.
  • Using DISKPART, I perform a CLEAN command on the disk: no more partitions on the disk
  • I used Windows Disk Management MMC to create a new partition on this and I choose not to format it (The disk was originally portioned using Windows Disk Management, that's why I choose it in order to have an identical layout).
  • I used VeraCrypt to mount the partition without the option "Use backup header embedded in volume": mount failed.
  • I then checked the option "Use backup header embedded in volume": mount succeeded!!
If you did this and it fails, this would mean that either the embedded header was erased somehow during your unfortunate manipulations or that you don't have the same partitions layout as before.

So the question is what tool was used to partition the disk originally?
Probably it was not done using Windows Disk Management and that's why you are not able to have the same layout as before. If you don't know, you could try to use a Linux Live CD to recreate a partition maybe you'll have more luck.


At this stage, nothing more can be done.

There was a tool for TrueCrypt called TestCrypt that tries to locate lost header in situations like yours but the project seems abandoned and no one has done a VeraCrypt adaptation of this tool. If such tool existed, you could have used it to scan your entire disk for the lost header (although such scan would take several hours if not days).
Personally I don't have time to work on such tool but hopefully someone can do so in the near future.