Thursday, September 7, 2017

windows - Mounting truecrypt system partition copied to USB drive


I'm rather baffled by this one.


I am using Windows Vista and am running truecrypt version 6.2a system encryption with pre-boot authentication for the C: only. I have a D: which is not encrypted.


Using knoppix I have booted my machine into Linux and used the dd command to copy byte-by-byte the encrypted C: drive onto a USB drive partition of the same block size.


Booting back into Windows Vista and using the truecrypt GUI, I have selected my USB drive partition as the volume to mount (\Device\Harddisk1\Partition2). I then have tried any combination of options including "Mount as read-only", "Use backup header", and "Mount partition using system encryption without pre-boot authentication". I expected this last option to work. However I enter my password and every time I get the message: "Incorrect password or not a TrueCrypt volume".


So, questions:



  1. has anyone successfully made a true partition copy of their encrypted system drive and subsequently mounted it using the TrueCrypt GUI?

  2. do I need to mount using a keyfile instead of the password I use during boot?

  3. do I need to back up the boot partition as well as the C: drive partition?

  4. is there another way of achieving this goal of backing up and mounting my system partition?


Many thanks.


Answer



This is very important! A TrueCrypt system encryption partition DOESN'T CONTAIN A TRUECRYPT HEADER. A non-system TrueCrypt encrypted partition or file container contains the header in the first 128 blocks and a backup copy in the last 128 blocks of the file/partition. So it's impossible to decrypt a system encryption partition without a backup header. The header of the system partition is at the last block of the HDD's first track. You can back up the header:


dd if=/dev/sdx of=header.img bs=512 count=1 skip=62


If you want to access the partition backup, you have to clone the partition to a same-size primary partition on a different HDD and mark it as bootable. Then you have to restore the header. First check if the first track is empty:


sfdisk -l /dev/sdy


If the first partition starts at block 63 or more it's OK, but if it's a lower block number you can't continue.
Restore your header:


dd if=header.img of=/dev/sdy bs=512 count=1 seek=62


Then you can access your backed-up system partition using "Mount partition using system encryption without pre-boot authentication".


Theoretically you can convert a TrueCrypt system partition to a standard TrueCrypt partition or file container, but you would have to change some bytes in the encrypted header (decrypt the header, change it and encrypt it again). See http://www.truecrypt.org/docs/?s=volume-format-specification, bytes 124 and 252.
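
A guarded version of the backup, first-track check and restore steps from the answer, as an added example that is not part of the original post: it reads the MBR partition table directly instead of parsing sfdisk output, and refuses to write unless the first partition starts at sector 63 or later. The function names are assumptions, and it assumes an MBR (not GPT) disk with 512-byte sectors.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Works on block devices or raw images.
HDR_SECTOR=62   # last sector of the first track (sectors 0..62)

# Print the lowest start LBA among the used MBR primary partition entries.
first_partition_start() {
    disk=$1; lowest=""
    for i in 0 1 2 3; do
        off=$((446 + i * 16))          # entry i of the MBR partition table
        # Unquoted on purpose: split the 16 entry bytes into $1..$16.
        set -- $(dd if="$disk" bs=1 skip="$off" count=16 2>/dev/null | od -An -v -tu1)
        [ $# -eq 16 ] || return 1
        [ "$5" -eq 0 ] && continue     # byte 4 = partition type, 0 = unused
        # Bytes 8..11 = start LBA, little-endian.
        lba=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
        if [ -z "$lowest" ] || [ "$lba" -lt "$lowest" ]; then lowest=$lba; fi
    done
    [ -n "$lowest" ] || return 1
    echo "$lowest"
}

# Save the 512-byte header sector of disk $1 to file $2.
backup_header() {
    dd if="$1" of="$2" bs=512 count=1 skip="$HDR_SECTOR" 2>/dev/null
}

# Write header file $1 to sector 62 of disk $2, only if no partition covers it.
restore_header() {
    hdr=$1; target=$2
    if [ "$(( $(wc -c < "$hdr") ))" -ne 512 ]; then
        echo "refusing: $hdr is not exactly one 512-byte sector" >&2; return 1
    fi
    if ! start=$(first_partition_start "$target"); then
        echo "refusing: no MBR partition entry found on $target" >&2; return 1
    fi
    if [ "$start" -le "$HDR_SECTOR" ]; then
        echo "refusing: first partition starts at sector $start" >&2; return 1
    fi
    # conv=notrunc stops dd from truncating a raw image file after sector 62.
    dd if="$hdr" of="$target" bs=512 count=1 seek="$HDR_SECTOR" conv=notrunc 2>/dev/null
}
```

On real hardware the arguments would be the whole-disk device nodes (the answer's /dev/sdx and /dev/sdy), and the functions need to run as root.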

