Bruce,
When you created the TrueCrypt volume, you were presented with two options - using a container, which appears as a file on a volume readable by the host system, or using a partition, which only appears when you search the physical volume with the correct passphrase/key files.
From what you are saying, you chose the latter option - and at some point created a partition on that drive, thinking it was blank, and copied data onto that new partition, while the TC partition was mounted, and now you can mount the disk via TrueCrypt but either cannot read some or all files, or can read some but not all.
I am going to assume you're using Windows, and the mangled TC disk now has an MBR partition table with one NTFS partition created.
The data that is stored in sectors that previously were part of the TrueCrypt volume image and are now overwritten with data that was written to the new NTFS partition is gone, and since you overwrote the TC-encrypted data, trying to decrypt those sectors will not work because the data was changed.
The reason you can see the TC volume when you mount it is because TrueCrypt sees the header signature on the data region, you have provided the keys, so the filesystem driver decrypts the volume metadata and presents the volume to the storage driver, which reads the MFT for the volume and voila, you have file listings, but when it tries to read those sectors, the TC driver hangs (ergo CPU usage, wait time, hanging, etc) because it cannot return valid data, e.g., decrypt fails, spectacularly.
Aside from the fact that development for TrueCrypt was discontinued in 2014 amid much speculation and astonishment, if you don't have a reason to use software-based FDE, and especially software-based FDE that permits hidden and/or multiple-depth volumes with plausible deniability as a selling point, I strongly suggest not doing so. If you do, then I suggest being much more careful next time, and maintaining your source vs destination much more meticulously in the future.
... In re-reading, you mentioned that the keys were on the drive. Did you mean that the key data for decrypting the TC region image were stored on another partition on the disk? e.g., it was more like:
( [ partition1 ] [ tc region ] )
and is now:
( [ partition1 ] [ tc region ] { new partition } )
and the keys were on partition1?
If that is the case, then may I strongly suggest you re-evaluate your understanding of full-disk encryption, as well as your use-case requirements for it.
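An added example, not part of the post above: to see which part of an encrypted region a newly created MBR partition can have overwritten, read the partition table from sector 0 and intersect each partition's LBA range with the region. The region bounds and the sample MBR are constructed assumptions, and the overlap is an upper bound, since only sectors actually written by the format and the copied files were changed.

```python
import struct

SECTOR = 512  # bytes per sector (assumed)

def parse_mbr(sector0: bytes):
    """Return [(type, first_lba, sector_count)] for non-empty primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    return parts

def overlap(region, part):
    """Sectors shared by region (first_lba, count) and a parsed partition.

    Returns (first_lba, count), or None when the ranges do not intersect.
    """
    r_start, r_count = region
    _, p_start, p_count = part
    start = max(r_start, p_start)
    end = min(r_start + r_count, p_start + p_count)
    return (start, end - start) if end > start else None

def build_sample_mbr():
    """Constructed sector 0: one NTFS (0x07) partition, LBA 2048, 1,000,000 sectors."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x07,
                               b"\x00" * 3, 2048, 1_000_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # Assumed layout: the encrypted region spans the device from LBA 0.
    tc_region = (0, 4_000_000)
    for part in parse_mbr(build_sample_mbr()):
        hit = overlap(tc_region, part)
        if hit:
            print(f"type 0x{part[0]:02x}: up to {hit[1]} sectors from LBA "
                  f"{hit[0]} ({hit[1] * SECTOR} bytes) may be overwritten")
```

On a real disk, run this against a read-only image of the drive and not the drive itself, so nothing further is written to it.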