Hello all, another panicky newbie here. I looked for other posts about encrypted drive corruption, but none of them sounded like what happened here, or how the now-special-needs drive is behaving.

So I got this generic WD 320 GB Scorpio Blue SATAII hdd to back up stuff, and a nice NexStar TX case for it. I encrypt the whole device with TrueCrypt and put all my stuff on it. LVM in W7 says it's only 298 GB but whatever. Everything's hunky-dory, nobody's stealing my 5 years of archived tax information, numerous dissertations and research, and various other priceless bits of information.

Fast forward to about 3.25 hours ago, and I've wiped Windows because it's been a year and it's just running sluggishly, and I wanted to get rid of W7 and Ubuntu 12.04 and start fresh. I get a fresh install of W7 up and running, plug in the hdd, mount it up with truecrypt, no problems, start copying my entire existence over to the computer's hdd, and before a single file is transferred, the computer freezes. I hit Ctrl-Shft-Esc, nothing happens, then the whole thing silently wails in confusion and despair, BSODs and reboots.



Aw, puckernuts. It was in the middle of decrypting - most of you know that's no good. TC's crash analyzer can't find a dump/minidump, and now when I mount it up, I can't access my files. TC can mount the drive; when it does, a message appears: This drive was not dismounted properly upon TrueCrypt exiting; in the future, bla bla bla, would you like to fsck?

Not so fast there, TC. I hit no to see what I could see; I can see the folders at the top level, and two of them are fine, all the files in them are fine. But they're a download cache and my music and I couldn't care less about those. I'm hopeful though, because the file tree and the dl/music files are fine. It's the other folders that say "cannot read, corrupted" when I click on them.

So I've never had to do any backups more simple than copying everything in my User folder. I usually keep a backup of my backup, but I got complacent and gave that hdd to my mother, whom I taught to wipe stuff DoD-style.

So before I fsck, I'd like to make an image of my hdd just in case. I have plenty of room on the W7 drive for a 300GB image, but since it's encrypted it would have to be a bit-for-bit copy, and the only thing I know can do that is dd - but I don't know the more subtle behavior of dd: do I need to match block sizes because the drive is encrypted? will running with converror enabled produce an imperfect clone, since the decryption was incomplete?

I mounted it in TC and ran Recuva but it comes up with garbage and something TrID says is a 51% chance of being a thousand 2 GB GZIP files.

So, how should I clone it? Should I clone it? Does it sound like fscking the mounted partition will wipe out decades of research, archives, my e-library, and dissertations? Is all that information already dead?

Hi, you must stop working on the drive right now!
And as you have realised you need to make a bit copy of the whole drive.
You can use the free version of Dmde to make the image file or better still would be to make a bit copy clone directly to a second drive which is better because then you have the option to run tools from the emergency boot cd.

So once you have created the copy you can run Truecrypt tools from the recovery cd. It takes an age but one way would be to unencrypt the whole drive. You have that option in the recovery disk menu but as I said it does several hours to complete.

Well yeah, that's what I said. My question was if I need to set dd's block size to something specific to ensure a bit-for-bit clone, or barring that, any tools that would more securely make a bit clone.


Do you mean clonezilla?


Clonezilla doesn't come with Truecrypt, and if you're not talking about CZ but saying recovery CD, then something's got you thinking this is a system drive, I think? And wouldn't I not want to decrypt, seeing as it was an incomplete decryption that started this and I wouldn't want to make a further mess?

This hard drive in question is not a system drive and I did not need to create a rescue disk; it is a USB storage device. My system drive is unencrypted and fine. I can see how " I encrypt the whole device with TrueCrypt and put all my stuff on it" can sound like I encrypted my system drive, but I said "I have plenty of room on the W7 drive for a 300GB image," and though that clarified it was a storage device I was talking about. Sorry for not being clearer. I've edited the op to clarify.

Use Clonezilla if you want but I suggested to use Dmde!

Its ALWAYS best to create the rescue disk with ANY encrypted drive for situations like this one without this disk recovery options are in most cased not possible.

Didn't know that. I thought it was just for booting. Well, that's egg on my face. A little late for a rescue disk though.

Also, clonezilla is not a program, it is a custom linux live CD filled with recovery and file analysis software.

So one last question, I guess: dd - if I run , will that make a bit-for-bit copy of the drive? or will it replace random data on /dev/sda1 with disk.img?

Also what was said earlier - completely decrypting the hard drive: will that do more damage to the files or will they be just as scrambled?

Clonezilla is indeed a program I use it all the time from a bootable usb sticl. Clonezilla also is included on many Linux recovery cd's. The DD command will work "IF" you have the drive identifiers correct it will create a 320GB file called disk.img that you can use with data recovery programs or attempt to decrypt the image and not destroy the original data on the 320gb drive. The image is the best way to move forward and as Dick said DMDE also can make an image of the drive you may find the interface easier to use etc.

Ah, I see, Clonezilla Live is a debian live-cd with clonezilla on it. Truth be told, I've never used the program itself, I usually use gparted and dd from the cd. So I downloaded clonezilla and never used clonezilla...

DMDE must be good if there's a dozen phishing sites hawking dmde trojans. Got the free version making a clone now. I'll post when it's done making its 320 GB image.

OK so now I have a 298 GB image on my W7 drive. I tried running md5sum against the unmounted USB drive and the image to see if they were identical but about an hour in it still wasn't done and the drive was getting very hot. Is there a way to check to make sure the image and the partition are identical?

As always, there are risks in DIY recovery attempts, especially with limited experience, and being limited in available tools (utilities) - but assuming you have accepted those risks and understand that you might make things worse, then...


Unless you re-read the "problem" drive again, then the only way I can see to (try to) confirm your image is valid, is for you to examine (and trust?!) the error logs of whichever OS you used to run DMDE (of course that isn't possible if you chose to run DMDE on DOS ), as well as checking whatever errors reporting DMDE gives (I don't use DMDE so I can't give more info on that point), checking the image size, and some checks of the file contents (obviously this is limited).

If no read or write errors were logged by your chosen OS, nor by DMDE, and if your image file is itself readable without error, is exactly the correct size and the file contents look sensible where you can check them (e.g. check file sector 0 for sensible contents, if that sector of the partition has been decrypted) then IMHO you've done as much as you can do to (try to) get confidence in your image file, without re-reading the "problem" drive - if you did decide to do that, then there are more choices.

Assuming that you're keeping the image file as a master, and then doing further work on the original "problem" disk, I would also make another copy of the image file when you are satisfied with it, as a backup.

FYI, your previous suggested dd line was in part wrong, in part non-optimal, and in part we can't know how correct it is, since device names depend on your specific system - but it was so wrong that I hope it wouldn't work (although I can't try it right now). Anyway, since you've decided not to use dd, those issues are now moot.

Please don't leave me ignorant when it comes to the Disk Destroyer - how was it wrong and non-optimal?

DMDE showed the image and the partition to be identical, and I didn't have room for a backup-backup, so I ran chkdsk on the mounted partition. I lost a lot of files but not nearly everything. So I started up Pandora Recovery (to try something else) to see if I could recover what chkdsk deleted, and before it finished loading the drive started to make a grinding noise followed by a clicking noise once a second, and TrueCrypt hung and crashed. Now the drive won't show up in the LVM.

Now what? the image dmde made isn't mountable in Truecrypt.

OK So I got suuuuuuper lucky with that last crash. I ripped open my laptop to take out my 600GB volume, only to find a hidden extra SATAII port! So I plugged the encrypted drive in, and voila, it stops chirping, opens up like nothing's wrong, and all my files are fine! It's still clicking and stuttering a bit but at least the Machine God has granted me a few minutes to move as much as I can!



Edit: okay so quick replies post straight to forum but regular replies have to be approved by a moderator. This post won't make sense until the last post I made is approved.

As you have explained, using dd is now no longer relevant to your issue, as you have used DMDE to create the clone instead, however to answer your question briefly:

- of parameter is wrong; you seem to be specifying a filename, so you need to use a mount point instead.

- conv parameter is non-optimal; consider what would happen exactly to the output file, in the case of a read error on the input file. Hint: you're missing something...

- bs parameter could be considered non-optimal; there are pros and cons to using such a small blocksize, depending on several factors. What is certain, is that it will be a slow copy when using that choice. Would your drive survive for the length of time needed for such a slow copy? Perhaps; perhaps not...

Personally, in your situation I wouldn't have used dd for that purpose anyway, due to the lack of easy restarting after any errors and other limitations.

You have "jumped ahead" with your recent postings and made several decisions for further progress with limited descriptions & info which I don't fully understand, so I'll just wish you good luck.

Well I did say to you to clone to a second drive for that exact reason!

You can restore the image you made with Dmde to a second drive and then run the Truecrypt tools on that drive. Its easy if you just read the manual!

I plugged another hard drive into the USB case I was using and that drive started to grind too, so I'm assuming the bridge in the case is dead. Didn't even last a month. But, at least I have two working hard drives in my laptop now.

I did that last night, dick. I put the dmde image back on the drive in question, and am trying to run a surface scan after running the file recovery scans to see if I can find all my lost documents. Pandora free ed. surface scan only recovers a very limited range of filetypes, though it found one document destroyed by chkdsk, and Easeus Data Recovery free ed. surface scan doesn't see logical volumes, i.e. it assumes the encrypted drive is a raw volume and doesn't see the Truecrypt-mounted volume. I'm assuming since they're doing a surface scan they're not going to see the fragments and deleted contents unencrypted? But if that were true, Pandora wouldn't have found anything. Could any of you recommend a good file recovery program that may recover anything else?

It's a shame truecrypt doesn't have a way to fully decrypt non-system partitions.