[SOLVED] Recovery of data from encrypted partition

Phorize · 01-15-2013, 03:05 AM

This is going to come across as a very strange question, but what happens if I use the cfdisk on the slackware dvd to rewrite the partition table precisely as I did before?

TobiSGD · 01-15-2013, 06:12 AM

This looks like a valid bootrecord. Have you tried just mounting your partitions? What is the output of

Code:

fdisk -l

Phorize · 01-15-2013, 06:30 AM

Quote:

Originally Posted by TobiSGD

This looks like a valid bootrecord. Have you tried just mounting your partitions? What is the output of

Code:

fdisk -l

Code:

fdisk -l

Gives

Code:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System

GazL · 01-15-2013, 07:47 AM

Do a

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'

(you can probably cancel this fairly early on as it should be within the first couple of hundred mb if what you say about your layout is accurate)

If you don't see a line starting with the characters "LUKS" then your luks header is gone and whatever else has happened to the drive really doesn't matter.

unSpawn · 01-15-2013, 07:52 AM

Quote:

Originally Posted by kristizz

testdisk doesn't find anything.

Please run testdisk again as

Code:

testdisk /debug /log /dev/sda

have it do a search and attach resultant "testdisk.log" as plain text file?

GazL · 01-15-2013, 07:58 AM

unSpawn, Does testdisk detect luks headers? I didn't see any mention of it on its website?

unSpawn · 01-15-2013, 08:08 AM

AFAIK no. The only reason why I would want the PT restored is to have a boundary for running 'isLuks'. One could look for

Code:

#define LUKS_MAGIC {'L','U','K','S', 0xba, 0xbe};

(http://code.google.com/p/cryptsetup/wiki/Specification -> http://code.google.com/p/cryptsetup/...9584a05f81f#51). Also see http://code.google.com/p/cryptsetup/...AskedQuestions.

Phorize · 01-15-2013, 08:52 AM

Quote:

Originally Posted by GazL

Do a

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'

(you can probably cancel this fairly early on as it should be within the first couple of hundred mb if what you say about your layout is accurate)

If you don't see a line starting with the characters "LUKS" then your luks header is gone and whatever else has happened to the drive really doesn't matter.

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'

gives

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|

rknichols · 01-15-2013, 09:09 AM

You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:

Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head

You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.

Phorize · 01-15-2013, 09:31 AM

[QUOTE=kristizz;4870578]

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'

contnued running and gives:

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|
26d09d8d0  ed 5d 63 45 1f 7f b6 61  8e a2 4c 55 4b 53 49 64  |.]cE...a..LUKSId|
364edab20  7e 17 8e b3 fd 34 ae af  4c 55 4b 53 07 91 0b 54  |~....4..LUKS...T|

GazL · 01-15-2013, 09:31 AM

Quote:

Originally Posted by kristizz

Code:

dd if=/dev/sda | hexdump -C | grep 'LUKS'

gives

Code:

1de41bb20  b7 01 4c 55 4b 53 af 44  31 72 fa 19 f6 54 d4 6b  |..LUKS.D1r...T.k|

Hmm...I don't think that's it. It's about 8GB into your disk, 290 characters into a sector and It's not followed by the 0xba, 0xbe one would expect to see..

Phorize · 01-15-2013, 09:57 AM

Quote:

Originally Posted by rknichols

You have obviously not re-zeroed the MBR since you still show data beginning at address 0. Easiest thing to do is just skip over the first megabyte and see how much of the rest of the drive got zeroed:

Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head

You'll then need to add 1 megabyte (0x100000) to the address of that first non-zero line to see where your remaining data begins.

Code:

dd if=/dev/sda bs=1M skip=1 | hexdump | head

gives:

Code:

0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
61e5000 4387 4e9c 5bab 1ec4 25b8 1ac7 4bb2 30a1
61e5010 726b 0969 c203 6937 9c9c 1010 4a06 e133
61e5020 2719 6dfc 2bfb 7874 24aa e053 a94b c68d
61e5030 a90d 2ce5 1572 7fd4 6cf8 3c61 de51 de71
61e5040 7de8 dca1 2bd0 072b f06e f9e0 c53a 5cc0
61e5050 e61f e091 b17b 5aa5 221f 3095 8af9 e83a
61e5060 922d d813 9a40 d4a0 dae6 39a9 d8ec 67da
61e5070 4f72 0e77 3b9f 9714 8f73 d701 1eef 830f

Phorize · 05-13-2013, 01:42 AM

I just wanted to say a big thank you to those of you who helped out on this. I wasn't able to locate the partition in the end and ran out of time due to the arrival of my baby daughter. Fortunately I was able to use testdisk to recover the files from my wife's external hard drive; she had forgotten that they had been backed up on there a while ago and then deleted, but it looks like they were never overwritten.