
Truecrypt Header Backup


7 replies to this topic

#1 Jin0


Posted 29 September 2016 - 11:47 AM

Hello,
I wanted to see how the backup and restore of the volume header work with my 3TB hard disk and I created three non-system standard encrypted partitions, each allocating around 931GB with the same password. I always create raw partitions first and then encrypt them with TrueCrypt with quick format disabled. I backed up the volume header of each of the three partitions and saved them as three separate backup files. Next I deleted the first partition and recreated it over its unallocated space and repeated this for the second and the third partitions in an attempt to increase the possibility of recovering files in each partition. Finally I restored the volume headers using the backups created earlier.
The problem is only the first partition is mounted fine and the other two are mounted as raw partitions that I can do nothing but format. I repeated this whole process several times to make sure I did not make any mistake in the middle. I created different passwords for the three partitions but it did not make any difference. I also tried mounting the third partition first, but despite all these attempts, it was always the first partition that was mounted and worked fine and the other two were always mounted as raw.
Please tell me what I am missing here?
Thank you in advance

Edited by Jin0, 29 September 2016 - 12:08 PM.



#2 Didier Stevens


Posted 29 September 2016 - 12:19 PM

I don't understand what you are trying to achieve with this. Can you provide more details?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Jin0


Posted 29 September 2016 - 12:48 PM

I am sorry I didn't make it clearer.

Well, I want my friend to keep a 3TB HDD for me for some time. The HDD has three partitions encrypted as non-system standard partitions. But I want to make sure he doesn't notice the partitions are encrypted by TrueCrypt. So I am going to make header backups of these three partitions, delete the partitions and then create three raw partitions again, this time unencrypted, with the same partition spaces as the previous to increase the possibility of recovering them later on. I thought of just formatting the encrypted partitions so that they could appear as normal unencrypted partitions to my friend instead of deleting and recreating raw partitions, but the formatted partitions write around 200-300MB of files to the partitions in system volume information, which would corrupt some of the recovered files.

As I mentioned earlier, I have gone through this process several times, but only the first partition's backup header works so that it could be mounted and the files could be accessed. I restored the backup headers of the second and the third partitions but they were mounted as raw partitions, so I cannot access my files.

Please tell me why only the first partition is restored using the backup header, not the other two.



#4 Didier Stevens


Posted 29 September 2016 - 01:32 PM

I don't understand how your friend could find out that the partitions are encrypted with TrueCrypt.

With TrueCrypt, a container is completely encrypted. There is not a single byte sequence in the container file that indicates that it is a TrueCrypt container.

The only way to positively identify a file as a TrueCrypt container, is by having the password and decrypting it.

 

I know that you're not asking about containers, but partitions. But AFAIK, the same is true for partitions.

If you know of a way to identify a TrueCrypt partition, please let me know.

 

To solve your problem: I suggest you do exactly the same on the smallest USB stick you have. You make a full backup (for example with DD) before you remove the partitions, and then another full backup after you restored everything. Then do a binary compare of the 2 backups.




#5 Jin0


Posted 29 September 2016 - 01:43 PM

Thank you for your reply. But as I said before, the problem is my HDD is divided into three partitions. As I can see that only the first partition is restored correctly with the backup header, encrypting the whole HDD as one partition rather than three would work. But 3TB is too large to recover at once, so I wanted to divide it into 3 partitions for easier recovery. So there is no solution to restoring the three volume headers in one HDD?

#6 Didier Stevens


Posted 29 September 2016 - 01:50 PM

Yes, I read about your three partitions. And my suggestion is to do exactly the same on a smaller scale: so you create 3 partitions on the USB stick.

 

To find a solution you need to understand what is going wrong. You can do this by comparing a backup of the 3TB disk before with a backup after, but that's not realistic. That's too much data.

Therefore my suggestion to do it on a small USB stick: on a smaller scale. For example, if you have a 512MB stick, you can easily compare the 2 backups.


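The before/after binary compare suggested in posts #4 and #6, as an added example that is not part of the thread: it reports which sector ranges differ between two full-disk images and where each range sits relative to the start of a partition. The function names, the 512-byte sector size, the partition layout and the in-memory sample images are assumptions constructed for illustration.

```python
import io

SECTOR = 512  # bytes per sector; assumed, check the device's real sector size


def diff_ranges(before, after, chunk=SECTOR):
    """Return [(first_sector, last_sector)] ranges where two images differ."""
    ranges, idx = [], 0
    while True:
        a, b = before.read(chunk), after.read(chunk)
        if not a and not b:
            break
        if a != b:  # also true when one image is shorter than the other
            if ranges and ranges[-1][1] == idx - 1:
                ranges[-1] = (ranges[-1][0], idx)  # extend the current run
            else:
                ranges.append((idx, idx))
        idx += 1
    return ranges


def locate(ranges, partitions):
    """Map each range to the partition holding its first sector.

    partitions: {name: (start_sector, sector_count)}, copied by hand from the
    partition table of the disk being examined.
    """
    report = []
    for first, last in ranges:
        owner, rel = "outside any partition", None
        for name, (start, count) in partitions.items():
            if start <= first < start + count:
                owner, rel = name, first - start
        report.append((first, last, owner, rel))
    return report


def demo():
    # Constructed sample: two 64-sector "images" held in memory. With real
    # backups, pass open("before.img", "rb") and open("after.img", "rb").
    base = bytearray(bytes(range(256)) * 2 * 64)
    changed = bytearray(base)
    for sector in (0, 26, 41, 42):
        changed[sector * SECTOR] ^= 0xFF
    layout = {"p1": (8, 16), "p2": (24, 16), "p3": (40, 16)}  # hypothetical
    return locate(diff_ranges(io.BytesIO(base), io.BytesIO(changed)), layout)


if __name__ == "__main__":
    for first, last, owner, rel in demo():
        print(f"sectors {first}-{last}: {owner}, relative sector {rel}")
```

Run it once with the partition layout recorded before the partitions were deleted and once with the layout after they were recreated; the relative sector shows where each changed region falls inside a partition.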


#7 MDD1963


Posted 11 October 2016 - 06:03 PM

I don't understand how your friend could find out that the partitions are encrypted with TrueCrypt.

With TrueCrypt, a container is completely encrypted. There is not a single byte sequence in the container file that indicates that it is a TrueCrypt container.

The only way to positively identify a file as a TrueCrypt container, is by having the password and decrypting it.

 

 

As with Veracrypt, the TrueCrypt user has the option of not only making the container hidden, but, not only requiring a password, one can also link a required keyfile location, without both of which results in.....no access.....


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#8 Didier Stevens


Posted 12 October 2016 - 04:08 AM

 

I don't understand how your friend could find out that the partitions are encrypted with TrueCrypt.

With TrueCrypt, a container is completely encrypted. There is not a single byte sequence in the container file that indicates that it is a TrueCrypt container.

The only way to positively identify a file as a TrueCrypt container, is by having the password and decrypting it.

 

 

As with Veracrypt, the TrueCrypt user has the option of not only making the container hidden, but, not only requiring a password, one can also link a required keyfile location, without both of which results in.....no access.....

 

 

The point is not accessing the TrueCrypt container, the point is identifying a TrueCrypt container without the decryption keys (whether it's encrypted with password or password+keyfile).


Edited by Didier Stevens, 12 October 2016 - 07:46 AM.





