A similar issue as someone else

[justrach]

Hello Thomas, thanks a lot for spending your time making this tutorial.

I'd like to ask you for some help, though, because unfortunately I'm encountering problems in the very last step of the guide: my father's WD-MyBook external drive used a JMicron chip (now it's fried) and after trying to use the HDD in a new, generic, HDD enclosure I think he did something wrong and let his Windows system mess with the MBR. I then did everything you suggested in detail, then went to the "Mounting with a loop device" section and followed those instructions too, but at the very last step, when you suggest to mount the loop device with :

sudo mkdir -p /mnt/wd
sudo mount /dev/loop1 /mnt/wd ```

(In my case it's "/dev/loop1")

I encounter this kind of error:

mount: /mnt/wd: wrong fs type, bad option, bad superblock on /dev/loop1, missing codepage or helper program, or other error.

How should I proceed? I did everything by the book similar to the other guy ://.

[themaddoctor]

How about you dump sector 2048, so we can see if he damaged it also? sudo dd if=/dev/sdX skip=2048 count=1 | hexdump -C (replace X with the right thing)

[justrach]

00000000  6d 6f b2 b8 7e 1b ee fe  7b c0 79 85 a0 7a 70 63  |mo..~...{.y..zpc|
00000010  de 85 2e b8 08 05 85 c1  c3 a4 46 a1 2c 79 d6 d7  |..........F.,y..|
00000020  bb 3c 19 7a 0c 9d ce 75  24 e0 9e 69 86 d5 52 35  |.<.z...u$..i..R5|
512 bytes copied, 0.00025049 s, 2.0 MB/s
00000030  fb e7 b5 83 39 5a 84 7f  01 a2 98 6f 52 f9 09 6b  |....9Z.....oR..k|
00000040  b1 53 73 fa 3a d3 c2 b5  4d db e0 ed bc e3 2c df  |.Ss.:...M.....,.|
00000050  60 94 42 f8 29 91 d1 61  65 d6 6d 95 66 0f b9 a4  |`.B.)..ae.m.f...|
00000060  8a 3d ef dd d4 7e 18 51  91 51 47 f0 16 e3 61 96  |.=...~.Q.QG...a.|
00000070  81 9d 7a 8b 7d fa e3 c3  a0 ea 5d 04 4e 78 55 43  |..z.}.....].NxUC|
00000080  7a d5 ae 69 cf 41 63 97  df e8 f8 cf 1b 1e a4 20  |z..i.Ac........ |
00000090  96 f2 be 6d 27 87 3c 4e  b1 70 fe 1c ad bd 4a f7  |...m'.<N.p....J.|
000000a0  0b 5a 4d 8e 55 f7 84 18  48 b2 dd b6 f1 e1 45 e5  |.ZM.U...H.....E.|
000000b0  9a 28 fd 59 14 87 80 66  41 e7 b2 84 7b 60 c5 ea  |.(.Y...fA...{`..|
000000c0  85 0d 95 9e b6 47 f5 17  10 24 eb 9b 71 c9 95 43  |.....G...$..q..C|
000000d0  e4 f1 f2 5a 2d 36 6f a0  65 a9 98 e8 ec 5e 3a 47  |...Z-6o.e....^:G|
000000e0  76 b1 9e 33 fa 7f 0c e3  87 5d 92 1d c9 2e 98 b1  |v..3.....]......|
000000f0  70 04 08 d7 c6 23 07 80  aa 94 0a d3 1d af e8 e7  |p....#..........|
00000100  dc e0 8a 6e 04 4e 7b 9f  78 a2 90 fe a8 de 15 6f  |...n.N{.x......o|
00000110  fc c0 e6 c0 5d 37 6c 0b  de 3f 7e 73 dd e2 42 d8  |....]7l..?~s..B.|
00000120  8c 80 47 43 d1 46 8a f0  a1 f2 16 31 e3 f9 4c ad  |..GC.F.....1..L.|
00000130  ee 0b d7 3b 74 83 06 28  5d 95 3b 25 8d f9 03 c1  |...;t..(].;%....|
00000140  48 fe 6e 19 6c 94 61 22  86 46 a2 00 cd 46 7d 94  |H.n.l.a".F...F}.|
00000150  5e dd 8a 9f 2d 64 c8 4c  92 82 47 90 96 dd 9f 0d  |^...-d.L..G.....|
00000160  83 b4 78 09 9b 5b 85 22  07 42 ed 77 54 3a df 3c  |..x..[.".B.wT:.<|
00000170  91 96 f5 a0 30 d6 74 88  26 11 b3 83 29 db ea b9  |....0.t.&...)...|
00000180  28 62 d9 f6 7d 61 ee 58  96 98 53 c1 f8 0e 03 a2  |(b..}a.X..S.....|
00000190  1b 68 7d e4 5a c5 35 57  d1 3d 36 82 c7 85 9f da  |.h}.Z.5W.=6.....|
000001a0  54 09 c3 a5 4d bb 89 15  2c 93 d5 e1 e0 06 4b 94  |T...M...,.....K.|
000001b0  5b 9d e2 1e 6c b3 23 2b  29 2b c5 e5 bd 99 18 61  |[...l.#+)+.....a|
000001c0  8d 4d f7 c7 2f 9c 97 a8  b1 b8 47 61 38 91 1a c3  |.M../.....Ga8...|
000001d0  5f f7 77 e2 ac 4d dc 75  fc b1 d4 1d 84 35 2a 20  |_.w..M.u.....5* |
000001e0  62 b5 d9 60 93 e0 43 66  a6 27 81 2c 13 d5 9c ff  |b..`..Cf.'.,....|
000001f0  f7 ab cf 8d cd 12 48 79  9a af 53 49 cf 66 6f d1  |......Hy..SI.fo.|
00000200

Here is the dump

[themaddoctor]

Looks random enough. What is your DEK?

[justrach]

Thanks a lot for that fast reply, because I really have a lot of memories on that Hard Drive :)) my DEK is 5860528160 - 3TB JMicron Chip.

[themaddoctor]

WHAT IS YOUR DISK ENCRYPTION KEY? If you don't want me to shout, then don't wake me up at 2:30 am.

[justrach]

dcf25d1e0abe94bf61ca08cf75ccc693

The second time I ran it I got

npmlp6789p95kkm17k0p656p117n67o9nmp25n1o0klo94lp61mk08mp75mmm693

Is this the DEK?

[justrach]

root@kali:/home/wd# echo | sudo cryptsetup -d - -c rev16-ecb \
> create wd-layer1 /dev/sdc
WARNING: Device /dev/sdc already contains a 'gpt' partition signature.
root@kali:/home/wd# cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain \
> --key-size=256 -c aes-ecb create wd-layer2 /dev/mapper/wd-layer1
root@kali:/home/wd# echo | sudo cryptsetup -d - -c rev16-ecb \
> create wd /dev/mapper/wd-layer2
root@kali:/home/wd# sudo file -sL /dev/mapper/wd
/dev/mapper/wd: data
root@kali:/home/wd# sudo file -s /dev/sdc
/dev/sdc: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system"; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x10,254,63), startsector 1, 4294967295 sectors
root@kali:/home/wd# sudo dd if=/dev/sdc skip=2048 count=16 | file -
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 0.000212892 s, 38.5 MB/s
/dev/stdin: data
root@kali:/home/wd# sudo file -s /dev/mapper/wd
/dev/mapper/wd: symbolic link to ../dm-2
root@kali:/home/wd# sudo dd if=/dev/mapper/wd skip=2048 count=16 | file -
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 0.000706655 s, 11.6 MB/s
/dev/stdin: data
root@kali:/home/wd# sudo losetup -o 1048576 -f /dev/mapper/wd
root@kali:/home/wd# sudo losetup -j /dev/mapper/wd
/dev/loop1: [0006]:492677 (/dev/dm-2), offset 1048576
root@kali:/home/wd# sudo mkdir -p /mnt/wd
root@kali:/home/wd# sudo mount /dev/loop2 /mnt/wd
mount: /mnt/wd: can't read superblock on /dev/loop2.
root@kali:/home/wd# sudo mount /dev/loop1 /mnt/wd
mount: /mnt/wd: wrong fs type, bad option, bad superblock on /dev/loop1, missing codepage or helper program, or other error.
root@kali:/home/wd# 

This is the whole logcat for the hard drive

[themaddoctor]

This is what I get when I decrypt the sector 2048 that you sent. It is obviously part of a PDF file.

That means that your filesystem must start somewhere else. You might try sector 63. The offset you would need is 512 times 63, whatever that is.

00000000  ed 6d 0b 67 8a ed 8d 5a  09 13 61 51 38 0a 4d 37  |.m.g...Z..aQ8.M7|
00000010  e6 2f a4 79 1b 92 d6 5e  0b f1 25 10 5b f4 7c 37  |./.y...^..%.[.|7|
00000020  52 a6 7e 53 fb 5b d4 f1  2d 98 11 89 5d ea 0d 22  |R.~S.[..-...].."|
00000030  08 96 24 42 a1 9e 52 70  d1 44 c6 23 4f 3f 69 af  |..$B..Rp.D.#O?i.|
00000040  13 ee 99 b4 11 c6 68 76  e5 e4 8c c8 15 d1 ae da  |......hv........|
00000050  f4 f3 d0 e3 b0 51 9a 3d  75 69 58 6f 44 43 ba 22  |.....Q.=uiXoDC."|
00000060  69 21 f4 e1 d0 7e d9 a0  3d a4 fc 05 ca fc 73 0c  |i!...~..=.....s.|
00000070  ac 32 9c 09 56 b0 55 88  f0 44 e7 0b 15 2f 5c 74  |.2..V.U..D.../\t|
00000080  cd e4 43 e0 61 37 4f db  41 49 ee 90 b1 b3 17 b9  |..C.a7O.AI......|
00000090  31 62 fc 2c c9 92 c3 3e  6a f2 b3 51 73 e6 1d 4c  |1b.,...>j..Qs..L|
000000a0  f8 43 f2 1a b8 b6 e1 dd  40 c5 c1 2d 2e 97 aa c4  |.C......@..-....|
000000b0  d8 ac 08 a3 2a de 56 ef  39 46 fc a8 66 4b f2 31  |....*.V.9F..fK.1|
000000c0  c8 0d 0a 65 6e 64 73 74  72 65 61 6d 0d 65 6e 64  |...endstream.end|
000000d0  6f 62 6a 0d 33 34 38 20  30 20 6f 62 6a 3c 3c 2f  |obj.348 0 obj<</|
000000e0  53 75 62 74 79 70 65 2f  49 6d 61 67 65 2f 4c 65  |Subtype/Image/Le|
000000f0  6e 67 74 68 20 35 30 33  32 2f 46 69 6c 74 65 72  |ngth 5032/Filter|
00000100  2f 44 43 54 44 65 63 6f  64 65 2f 42 69 74 73 50  |/DCTDecode/BitsP|
00000110  65 72 43 6f 6d 70 6f 6e  65 6e 74 20 38 2f 43 6f  |erComponent 8/Co|
00000120  6c 6f 72 53 70 61 63 65  20 33 39 36 33 20 30 20  |lorSpace 3963 0 |
00000130  52 2f 57 69 64 74 68 20  32 39 35 2f 48 65 69 67  |R/Width 295/Heig|
00000140  68 74 20 32 30 32 2f 54  79 70 65 2f 58 4f 62 6a  |ht 202/Type/XObj|
00000150  65 63 74 3e 3e 73 74 72  65 61 6d 0d 0a 88 35 f8  |ect>>stream...5.|
00000160  81 9d 2d 51 96 20 f9 9f  6d 18 76 a6 86 59 67 50  |..-Q. ..m.v..YgP|
00000170  a3 de eb 85 f2 29 4d fa  cb 06 77 68 3a 32 df ec  |.....)M...wh:2..|
00000180  b2 e7 5d 21 b0 be ef f5  c4 6d f6 8b 38 60 6d 01  |..]!.....m..8`m.|
00000190  bf 92 a6 77 7c bd eb 71  53 91 0e 74 61 a2 7d ee  |...w|..qS..ta.}.|
000001a0  6c 4d 56 89 76 85 48 30  f8 99 89 80 1c 18 b2 ce  |lMV.v.H0........|
000001b0  2a a8 ca 73 4c 90 cc ef  8a 11 c7 45 e3 0c f3 a6  |*..sL......E....|
000001c0  62 58 6a d0 16 d3 ab 1c  4c 6d c1 59 55 29 6d d5  |bXj.....Lm.YU)m.|
000001d0  32 e5 35 9d 3e bd 86 7e  30 56 79 b8 4f 78 c3 e2  |2.5.>..~0Vy.Ox..|
000001e0  2d fb de 1a 34 9c d0 0d  e3 ab d2 81 95 f1 af e5  |-...4...........|
000001f0  9b a7 aa 89 91 64 15 06  63 43 5d 1e cf 33 83 e1  |.....d..cC]..3..|

[justrach]

root@kali:/home/wd# sudo dd if=/dev/sdc skip=32256 count=1 | hexdump -C
1+0 records in
1+0 records out
00000000  0e 1f 5e 7d 29 8d 10 31  00 fa 86 3a b7 d7 70 51  |..^})..1...:..pQ|
00000010  a7 77 fe 7e 59 b0 60 0c  5a a2 77 e0 9d 13 b3 48  |.w.~Y.`.Z.w....H|
512 bytes copied, 0.0002457 s, 2.1 MB/s00000020  cf 8c a8 14 76 4d 3f ec  a1 dc f3 d1 e8 db 45 b6  |....vM?.......E.|

00000030  17 3a fb d3 61 28 2b a2  6c 37 4d 17 33 70 e7 90  |.:..a(+.l7M.3p..|
00000040  fd 04 19 b1 15 1d 31 e6  94 77 c8 1a b2 52 32 53  |......1..w...R2S|
00000050  fa e0 11 58 6a 82 9a 31  1e fc 30 0e e7 cf d9 a4  |...Xj..1..0.....|
00000060  ec d1 73 53 d9 77 aa 4b  ac ea e1 90 d9 01 5a ec  |..sS.w.K......Z.|
00000070  6d 7c aa c2 21 9e d9 71  30 e6 f1 af a0 8b 46 dc  |m|..!..q0.....F.|
00000080  62 aa 88 e1 1d f5 50 fb  83 1f 94 1e db a1 1f b9  |b.....P.........|
00000090  1c 51 b7 ab 78 53 ea ac  95 cc 24 96 4a e5 96 6d  |.Q..xS....$.J..m|
000000a0  bc 71 ed 40 01 6d a2 a5  d8 cd cd d5 f0 52 aa 56  |.q.@.m.......R.V|
000000b0  7e 07 f0 f3 09 18 32 61  ac ea 3d 17 9a 82 27 d9  |~.....2a..=...'.|
000000c0  97 db ac ff 6e cc 75 35  99 45 bc 1e 9b 1b f5 e7  |....n.u5.E......|
000000d0  92 81 a4 1a 82 31 c9 d0  f5 bd 69 4b 0c 50 79 1a  |.....1....iK.Py.|
000000e0  a8 7e c3 3d 50 74 a4 c4  66 de da 64 87 27 9b aa  |.~.=Pt..f..d.'..|
000000f0  84 04 7e 61 19 21 e6 ab  4e ad 71 70 a4 a7 3a f5  |..~a.!..N.qp..:.|
00000100  2f ab dc e3 e8 97 ab de  e0 25 56 92 14 79 f4 0c  |/........%V..y..|
00000110  49 24 c9 ca ae ba 29 48  b2 59 9a e8 93 c0 a4 b1  |I$....)H.Y......|
00000120  82 64 92 47 da d8 85 52  f4 29 a6 39 1d 56 b3 d9  |.d.G...R.).9.V..|
00000130  30 b1 e1 34 77 20 a6 3c  36 81 ac 85 c2 bc b2 97  |0..4w .<6.......|
00000140  79 7e df 74 c8 69 77 81  a1 a4 35 ec 72 06 e8 ea  |y~.t.iw...5.r...|
00000150  fd 57 3d aa 20 38 40 a5  aa 15 93 60 99 55 60 77  |.W=. 8@....`.U`w|
00000160  4c d4 77 3d 0b c9 9e d1  55 64 7f cb c7 bb a1 5b  |L.w=....Ud.....[|
00000170  34 ba 22 69 c2 c5 30 e3  b2 85 66 b7 a0 06 8e fa  |4."i..0...f.....|
00000180  a4 5a 59 67 40 39 90 27  3e 89 eb 74 c9 d9 9c a0  |.ZYg@9.'>..t....|
00000190  7f 8c 46 bd ea b1 c9 45  5d be d1 05 ca 57 a2 3b  |..F....E]....W.;|
000001a0  db af 4f ec eb 68 80 ac  b0 87 dc d4 16 8c df fe  |..O..h..........|
000001b0  ab 36 8a 8d 22 32 74 aa  16 36 9d e8 54 82 82 4f  |.6.."2t..6..T..O|
000001c0  f6 11 58 35 3f ea cf 3a  ef d3 60 58 e0 3b f4 7b  |..X5?..:..`X.;.{|
000001d0  98 b7 cb 69 b9 82 35 05  db 67 3b 9c 70 f0 a3 13  |...i..5..g;.p...|
000001e0  70 ea 8e 64 cb ec 0f ec  58 54 2b d8 fb 03 4c fc  |p..d....XT+...L.|
000001f0  dc f3 59 f0 79 53 82 25  c1 f7 fa 34 76 09 42 e6  |..Y.yS.%...4v.B.|
00000200

This is the hexdump when I change it to 32256MB instead of 2048 :)

[themaddoctor]

Doesn't look like the start of an NTFS filesystem to me. I guess you are just going to have to hunt for it in /dev/mapper/wd

[justrach]

Thanks for your prompt replies, is there any tutorial on how to go about doing such things? I am new to kernel code/binary code on any system and I would also like to learn during this process haha. Also how do you determine what format is the start of the filesystem going to look like?

Also this drive has 2 partitions - one is the one that is pre partitioned to hold the WD Software and the other partition is the actual drive

sdc             8:32   0   2.7T  0 disk  
├─sdc1          8:33   0    16M  0 part  
└─wd-layer1   254:0    0   2.7T  0 crypt 
  └─wd-layer2 254:1    0   2.7T  0 crypt 
    └─wd      254:2    0   2.7T  0 crypt

[justrach]

Also there is this error at the start if it helps:

root@kali:/home/wd# sudo file -s /dev/sdc
/dev/sdc: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system"; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x10,254,63), startsector 1, 4294967295 sectors

[themaddoctor]

The offset I gave you was for the mount command, not the dd command. An elite hacker using Kali should have known that. Stop using Kali.

I don't know where the partitions are. You could try using testdisk on the /dev/mapper/wd device.

[justrach]

Haha sorry about that I’m not really an elite hacker but a student who’s trying to recover all of the my precious photos and videos (some which were of my late grandmother) and Kali was one of the OSes that supported a Live Boot

What is an offset and where is the test drive command supposed to be inserted?

Does the DOS line mean anything in general- like corruption?

[themaddoctor]

The offset is the number after the "-o" sudo losetup -o 1048576 -f /dev/mapper/wd Change it to whatever number I gave earlier, and maybe you can mount one of the partitions.

Testdisk is a completely separate program. Please don't ask me how to use it.

[justrach]

Okay hello there, thanks for the heads up:

I dug around a lot trying to find an answer, and started going thru the partitions and found out it was sector 504, hence 504 times 512. After doing that I went into testdisk and begun the copying of the files and so far it has been copying files at an exceptional 15 MB/s. Thanks a lot for the decryption keys :) and the script which decrypted it.\

Also, sectors 309 and 2048 were bad according to a disk scanner on Windows which might explain the GPT partition error, due to a Windows 7 bug(i dont even know how) Also Thanks a lot for taking your time in answering my queries :))

Also I am curious as a student what file format are the /dev/mapper/wd stored in, and how does it like clone the device with its contents decrypted

[themaddoctor]

/dev/mapper/wd is a fake device that is like looking at the real disk (/dev/sdc), but through a decryption filter. It is not a file in the normal sense. It is not stored anywhere.

If you want to learn more, I suggest that you research the cryptsetup program.

[justrach]

Thanks a lot for your help :))). Sorry I lost my gmail accs password. I’ll learn more up as time passes :)))