Can't access my encrypted external WD 1140 2TB hard drive after a Windows 8.1 factory reset.

Topics: Technical Issues, Users Discussion
Mar 25, 2016 at 12:45 PM
Edited Mar 25, 2016 at 1:06 PM
I've really messed up this time...

My mother's PC was very slow, so I decided to try and fix it for her. It worked, but I messed up big time with something else. I decided to run Windows Reset (Windows 8.1). I have this external My Book WD 1140 hard drive which I encrypted using VeraCrypt about 2-3 weeks ago. I know for certain the password to be correct. It is here I stored all of the family's photos. I do not have the keyfile for VeraCrypt. I desperately need to get these photos back. I have tried miscellaneous recovery software such as EaseUS, DriverToolKit, Remo Recover, etc (plan on trying Recuva).
I don't think Windows Time Machine/Restore will work, as I did not create a system restore point.
Is there any other way for me to restore my PC to an earlier date? This happened just two days ago.

I know my way around on a computer, but I am not too familiar with the terminology or any advanced stuff.
I am a complete moron for not backing up my data or creating a restore point, I know.

When I try to open my external hard drive through VeraCrypt, I just keep getting the same following message:

Auto-Mount failed due to one or more of the following:
  • Incorrect password.
  • Incorrect Volume PIM Number.
  • Incorrect PRF (hash).
  • No valid volume found.
This is a very urgent matter. I would rather "die" than admit I just permanently deleted all of our memories. I would greatly appreciate any help. Thank you very much!
Mar 25, 2016 at 4:42 PM
You WILL need your key file, where was it stored? On the refreshed machine or somewhere else?
Mar 25, 2016 at 5:19 PM
Edited Mar 25, 2016 at 10:25 PM
affinity wrote:
You WILL need your key file, where was it stored? On the refreshed machine or somewhere else?
On the same machine I installed VeraCrypt on and factory reset.
Mar 25, 2016 at 6:07 PM
Did you choose a random file to be the key file? Or did you let VC create one? If VC created one, then I think it will be 256 bytes in length....

I would save a forensic copy of the disk if you can, or at least a portion of the disk that may have the key file.

Then you can try [with great difficulty] to find those elusive 256 bytes from the forensic backup.

If you run "veracrypt /?" you can see that you can try to open the container with a key file and password as parameters. In order to get candidate key files to use, you could read the first 256 bytes of each sector; that would mean ignoring the data beyond 256 bytes up to the sector size ... and you will need to know the sector size too, which you can get with "chkdsk".

How large is the disk that the key file was stored upon?
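
The candidate search described in the post above, sketched as an added example that is not part of the original thread or VeraCrypt's own code: it scans a read-only forensic image, takes 256 bytes at each sector start and keeps only those that look random. The image path, the 512-byte stride, the 6.5 bits/byte entropy threshold and the function names are assumptions for illustration.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_candidates(image_path, stride=512, keyfile_len=256, min_entropy=6.5):
    """Yield (offset, bytes) for every stride-aligned window of keyfile_len
    bytes that looks random. The image is opened read-only and never modified.
    stride is assumed to be the sector size; min_entropy is an assumed cut-off
    that rejects zeroed sectors and plain text."""
    size = os.path.getsize(image_path)
    with open(image_path, "rb") as img:
        for offset in range(0, size - keyfile_len + 1, stride):
            img.seek(offset)
            head = img.read(keyfile_len)
            if shannon_entropy(head) >= min_entropy:
                yield offset, head


def write_candidates(hits, out_dir):
    """Write each candidate to its own file, named by its offset in the image,
    so it can be tried as a keyfile. Returns the list of paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, data in hits:
        path = os.path.join(out_dir, f"candidate_{offset:012x}.key")
        with open(path, "wb") as out:
            out.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # "disk.img" is a placeholder for a forensic copy, never the live disk.
    for p in write_candidates(iter_candidates("disk.img"), "candidates"):
        print(p)
```

Each file written can then be tried with the key file and password parameters that `veracrypt /?` lists. On NTFS a file this small is normally stored inside its MFT record instead of at the start of a sector, so a smaller `stride` may be needed, at the cost of many more candidates.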
Mar 25, 2016 at 10:19 PM
Edited Mar 25, 2016 at 10:19 PM
If you have used a keyfile (not only a password), you will need to undelete your keyfile first, or your data are gone forever. Now DO NOT WRITE to the hard drive where you had the keyfile; do not install anything and do not use it. Disconnect it, go and buy a new hard drive, install fresh Windows on it, install some recovery tools (like Recuva etc.), plug in the old drive as secondary and try to find the keyfile on it. Never recover the files onto the same hard drive; you will need to recover files from the old to the new.
Mar 25, 2016 at 10:25 PM
Edited Mar 25, 2016 at 10:27 PM
affinity wrote:
Did you choose a random file to be the key file? Or did you let VC create one? If VC created one, then I think it will be 256 bytes in length....

I would save a forensic copy of the disk if you can, or at least a portion of the disk that may have the key file.

Then you can try [with great difficulty] to find those elusive 256 bytes from the forensic backup.

If you run "veracrypt /?" you can see that you can try to open the container with a key file and password as parameters. In order to get candidate key files to use, you could read the first 256 bytes of each sector; that would mean ignoring the data beyond 256 bytes up to the sector size ... and you will need to know the sector size too, which you can get with "chkdsk".

How large is the disk that the key file was stored upon?
I generated a random keyfile myself. A very long one, moving the mouse about, until the entire bar filled green, and then some more. But I can't remember exactly where it is I saved it, but I am pretty sure it was on the (Windows C:). Is this what a "keyfile" is?

Please excuse my incompetence. I shouldn't have touched this software, because I obviously do not know what I am doing.

Thanks, again!
Mar 26, 2016 at 12:14 AM
You really should remove the drive that has the key; install Windows on a new drive (perhaps a brand new one).

Either way, you need to be able to forensically access the original drive and, provided it hasn't been fully written over with new crypted data, you might have a chance; even a small chance.

You may need to employ someone to try to do data recovery for you, it may not be possible without specialist skills and even with specialist skills it might still be impossible.

If you created a key file using VC and you did a little or a lot of mouse movements, you will likely have the same size key file; the more movements, the better the randomness of the data within that key file.

Depending on the size of the disk that the key file was stored upon [needle in a haystack] and what has been written to the disk since the "refresh", which might destroy that needle .... well, you can lessen the risk, if it isn't too late already, by protecting the original disk that had the key file as best you can. The longer you use that disk, the less chance you'll have of recovering the key file, ever; that is if you can still recover it now.
Mar 26, 2016 at 12:20 AM
@NoahAN93,

How did you mount the volume previously without knowing the location and file name of the keyfile in the past? Are you sure you used a keyfile?
Mar 26, 2016 at 12:50 PM
Enigma2Illusion wrote:
@NoahAN93,

How did you mount the volume previously without knowing the location and file name of the keyfile in the past? Are you sure you used a keyfile?
I auto-mounted it with my dauntingly long password, and that was all. I know for a fact that I randomly generated it.
Luckily for me they had just about every image stored on a separate hard drive and on another Laptop as well, but I still had all my stuff on that external hard drive.
I also sent an email to VeraCrypt explaining my situation.
Mar 26, 2016 at 12:53 PM
affinity wrote:
You really should remove the drive that has the key; install Windows on a new drive (perhaps a brand new one).

Either way, you need to be able to forensically access the original drive and, provided it hasn't been fully written over with new crypted data, you might have a chance; even a small chance.

You may need to employ someone to try to do data recovery for you, it may not be possible without specialist skills and even with specialist skills it might still be impossible.

If you created a key file using VC and you did a little or a lot of mouse movements, you will likely have the same size key file; the more movements, the better the randomness of the data within that key file.

Depending on the size of the disk that the key file was stored upon [needle in a haystack] and what has been written to the disk since the "refresh", which might destroy that needle .... well, you can lessen the risk, if it isn't too late already, by protecting the original disk that had the key file as best you can. The longer you use that disk, the less chance you'll have of recovering the key file, ever; that is if you can still recover it now.
Thanks for the help, I appreciate it! Yesterday I told my mother what had happened. She told me they had just about every photo stored on another PC and a separate hard drive, but I still have all my passwords, videos, documents, and so on, on that drive.

I also sent an email to VeraCrypt explaining the situation. What a mess...
Mar 26, 2016 at 2:14 PM
So, you had a great password and you definitely used a key file too? If you did have a key file, then finding it on the re-used hard drive will be harder; have you done a forensic copy yet so you can perhaps find the key file without risk of losing it forever? Or have you already lost it, forever?
Mar 26, 2016 at 4:31 PM
affinity wrote:
So, you had a great password and you definitely used a key file too? If you did have a key file, then finding it on the re-used hard drive will be harder; have you done a forensic copy yet so you can perhaps find the key file without risk of losing it forever? Or have you already lost it, forever?
Yes, I have a strong password and made a keyfile. I haven't done a forensic copy yet. I will try and do it as fast as possible. I now know that we have backups of the photos, almost all of them.

Thank you for all your help!
Mar 26, 2016 at 5:04 PM
Without both the password and the keyfile(s), there is no way to mount the volume and there is nothing the developer can do to bypass mounting without the required keyfile(s).
Mar 26, 2016 at 5:28 PM
Edited Mar 26, 2016 at 5:44 PM
Enigma2Illusion wrote:
Without both the password and the keyfile(s), there is no way to mount the volume and there is nothing the developer can do to bypass mounting without the required keyfile(s).
I see. Oh well, time to say goodbye to all my stuff then, alas.
At least someone was smart enough to make backups of the photos (NOT me...)!
I have learned my lesson, to be sure.

Thank you all, for your time!
Mar 26, 2016 at 5:46 PM
If the key file is still on the original disk that has a new install of Windows, well, a forensic copy of that /may/ be able to be used to find that key file. So, unless that Windows installation has over written the area of the disk that the key file lived in, then it may still be possible to get your encrypted volume back. If it is over written, then there is virtually zero chance of getting back your volume.... that is why I'm saying, make a forensic copy of the disk if there is any chance you can recover that key file. Again, a forensic copy will be useless IF the area of the disk that contained the key file has been over written already.
Mar 26, 2016 at 11:49 PM
affinity wrote:
If the key file is still on the original disk that has a new install of Windows, well, a forensic copy of that /may/ be able to be used to find that key file. So, unless that Windows installation has over written the area of the disk that the key file lived in, then it may still be possible to get your encrypted volume back. If it is over written, then there is virtually zero chance of getting back your volume.... that is why I'm saying, make a forensic copy of the disk if there is any chance you can recover that key file. Again, a forensic copy will be useless IF the area of the disk that contained the key file has been over written already.
Got it. I will heed your advice. Thanks!