Jeremy Landau
Joined: Sun May 24, 2020 10:29 pm

Undo DiskCryptor Decrypt

I wonder what decrypting a mounted DiskCryptor volume does ... it is crucial for my ongoing recovery work on a messed-up disk.

I messed up a disk fully encrypted with TrueCrypt: I played around with DiskCryptor and took the wrong disk, which contained my valuable TrueCrypt-protected data. So now I am trying to recover it.

What happened: I had a fully encrypted disk with TrueCrypt 7.1.a, with a hidden volume.
Then I formatted the disk with DiskCryptor, a quick format if I remember right.
Then I found out after a while that I was on the wrong disk, stopped the DiskCryptor format, and then decrypted.
I am not entirely sure about each option and step I took - as mentioned I was playing around next to other things ...

The decrypt took a very long time. I thought that was needed to completely restore my disk to where it was previously, but obviously that failed.
The TrueCrypt volume is not readable anymore, also not via the included backup header.

So I tried some scenarios with a USB stick, and it seems that the DiskCryptor decrypt step ruins the disk.
Without decrypt, the initial TrueCrypt volume is still in place and can be fully restored via the native backup header of TrueCrypt.

Therefore I would be happy if it is possible to undo the decrypt step - this obviously killed my TrueCrypt data, and if this can be undone I am of good hope to get my original disk back. Any hint - thanks!

Joined: Mon Jan 27, 2020 8:05 pm

Re: Undo DiskCryptor Decrypt

Did you
1. format the disk through DC directly?
2. first quick format with Windows, then encrypt with DC?

From your description I understand you did case 1, right?
Here is what DC is doing: it creates the required header, mounts the partition and then runs a quick format on it.

So when you read a sector of the partition that wasn't written to after the mounting, it will try to decrypt whatever was there originally, get garbage as a result, and present it to you.
For normal operation that's fine, as the disk was presumably full of garbage anyway (not in your case, unfortunately).

What decrypt does is decrypt every block and write the result back to the drive.

If you had done case 1, the encrypt would first read every sector, encrypt it and write it back to the disk, such that running decrypt then would reverse the process.

So yes, the right operation would have been not to run decrypt, as it would only yield a correct result on overwritten sectors, which in your case, from TC's standpoint, are corrupted.

To have any chance of undoing decrypt you would need the original DC header with the header key; unfortunately this one is overwritten once decrypt completes.

So unless you created a DC header backup before running decrypt, all the data on the partition is unfortunately not recoverable.
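
The behaviour described in the reply above, as an added example that is not part of the original posts and not DiskCryptor's code. It is a toy model: a stand-in per-sector Feistel cipher (an assumption, not DiskCryptor's real cipher), constructed keys and a constructed 8-sector disk, showing that in-place decrypt scrambles every sector never written through the mounted volume and that only re-encrypting with the same DC key brings the TrueCrypt ciphertext back.

```python
import hashlib
import hmac

SECTOR = 32  # toy sector size in bytes; real volumes use 512 or 4096

def _f(key, sector_no, rnd, half):
    # Round function keyed by the volume key and tweaked by sector number.
    msg = sector_no.to_bytes(8, "little") + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:len(half)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_sector(key, n, data):
    # Stand-in 4-round Feistel cipher, NOT the cipher DiskCryptor uses.
    l, r = data[:SECTOR // 2], data[SECTOR // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, n, rnd, r))
    return l + r

def decrypt_sector(key, n, data):
    l, r = data[:SECTOR // 2], data[SECTOR // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, n, rnd, l)), l
    return l + r

def simulate(sectors=8, formatted=(0, 1)):
    tc_key = hashlib.sha256(b"constructed TC key").digest()
    dc_key = hashlib.sha256(b"constructed DC key").digest()
    # Disk as TrueCrypt left it: every sector is ciphertext under tc_key.
    original = [encrypt_sector(tc_key, i, bytes([i]) * SECTOR) for i in range(sectors)]
    disk = list(original)
    # DC quick format: only a few sectors are written through the mounted volume.
    for i in formatted:
        disk[i] = encrypt_sector(dc_key, i, b"\x00" * SECTOR)
    # DC decrypt: every sector is decrypted with dc_key and written back.
    disk = [decrypt_sector(dc_key, i, s) for i, s in enumerate(disk)]
    untouched = [i for i in range(sectors) if i not in formatted]
    # Undo attempt: re-encrypt in place, with the backed-up key or a wrong one.
    redo = [encrypt_sector(dc_key, i, s) for i, s in enumerate(disk)]
    wrong = [encrypt_sector(tc_key, i, s) for i, s in enumerate(disk)]
    return {
        "format_sectors_plain": all(disk[i] == b"\x00" * SECTOR for i in formatted),
        "tc_sectors_survive_decrypt": any(disk[i] == original[i] for i in untouched),
        "restored_with_dc_key": all(redo[i] == original[i] for i in untouched),
        "restored_without_dc_key": any(wrong[i] == original[i] for i in untouched),
    }

if __name__ == "__main__":
    print(simulate())
```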

