trouble decoding / mounting

[ideasman69]

Hi andlabs, love your app!

I am however having a little trouble decrypting a 1TB symwave encrypted drive. Here's what I've done so far:

• created ddrescue image of drive (had 1 read error)
• used reallymine to retrieve the DEK - looked ok
• used reallymine to decrypt image to a new image file The image looks like garbage and no commands will recognise any partitions on it.

I followed a PDF by @themaddoctor on how to mount the drive directly and got the same DEK so that seems solid. Trying to mount the ddrescue image using cryptsetup though still had it appearing with no partitions.

Not sure if there's something I'm missing when dealing with an image file rather than a drive but hoped someone could lend some advice?

[themaddoctor]

Send us the first 1MB and the last 3MB (or just the keyblock) of the disk and I'll look into it.

[ideasman69]

hi @themaddoctor thanks heaps for this. I'm hoping I did it right - first 1mb, last 3mb. Let me know if I did it wrong.

Here's the link to the zip https://drive.google.com/open?id=0BzYK7-SJnoCybGdyUWU1SFRMZEE

[ideasman69]

following your guide @themaddoctor gets me 99% there. the only part where i start getting different results is at the sudo file -s /dev/mapper/wd part.

I get: /dev/mapper/wd: symbolic link to ../dm-0

instead of: /dev/mapper/wd: DOS/MBR boot sector ...

and running sudo kpartx -a /dev/mapper/wd gives me nothing back at all

[themaddoctor]

"first" is NOT encrypted. Are you sure that it is from the drive before the decryption?

[themaddoctor]

"first" contains a partition table, and says that its only partition extends beyond the location of the keyblock. Was this disk reformatted on a Windows 7 machine after being removed from the enclosure?

[ideasman69]

to be honest - i have no idea what happened to it. i'm looking at it for a friend. I do know that he bought a new enclosure and tried the drive in that - whether he tried to format, or chkdsk it - i don't know.

i've managed to recover the majority of data (surprisingly). the drive would work fine with the WD circuit board but as soon as the single bad sector on the disk was hit, the drive would cease to read. I performed a ddrescue of the drive while connected to the circuit board, let it hit the bad sector and unplugged the drive. Then reconnected and continued the ddrescue. Once the image was made, i ran testdisk on it which found the original partition and the files.

what a mess. i guess most people dont understand to leave a faulty or failing drive totally alone until someone can look at it.

thanks for looking and giving me some ideas.

[andlabs]

I would suggest having ddrescue run all the way either with or without the bridge, rather than mixing the two. ddrescue (in simple terms; the actual mechanics are far more complicated) first reads the disk in large chunks and leaves holes if any part of those large reads fail, then it goes back and retries those holes using smaller chunks, filling up holes until it can't anymore. This means you might have a mix of encrypted and unencrypted data without realizing.

[ideasman69]

Sorry didn't make it clear- I used the bridge for the whole rescue. I just meant that once it hit the bad sector and stopped reading, I simply unplugged the USB cable from the pc, then plugged it back in to carry on the recovery. I've saved the whole 915GBs of data so he'll be happy. Such a waste of time though!

[andlabs]

Ah, sorry for the confusion then. Though I do wonder: did you run ddrescue with or without the bridge chip?

[ideasman69]

I did both. The encrypted image was impossible to recover anything from. The image I grabbed with the bridge was totally usable

[themaddoctor]

Ah, but you could have decrypted the image with openssl, since you had the key.

[ideasman69]

I followed your guide on mounting it using cryptsetup which failed to find any partition table. Reallymine said the decryption was successful but image it spat out was rubbish. I'm guessing the drive was quick formatted in the 3rd party enclosure

[themaddoctor]

My guess as well. Using cryptsetup did not find any partitions because the new unencrypted partition table was being passed through the encryption filter, and thereby mangled. But you could have used testdisk on /dev/dm-0 or /dev/mapper/wd. Those devices look just what you see through the bridge.

Anyway, you got your data. I consider that a success.