Encrypted Disk

rknichols · 05-10-2024, 10:03 PM

Quote:

Originally Posted by Jackson111

TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/sdb - 4000 GB / 3726 GiB - CHS 486401 255 63
Partition Start End Size in sectors
>P Linux filesys. data 1046287267 1053821026 7533760 [^K~M27n1ҥ %~JMM-7D]

That's not a good sign. It means that testdisk found nothing but the existing partition with unidentifiable content.

If you have the hexedit command available, then rather than fussing with testdisk it's a lot easier just to run "hexedit -s /dev/sdb" (preferably in a window with at least 36 lines so that a complete sector can be shown) and search for the hex string "4C554B53BABE". That's the ASCII characters "LUKS" followed by the hex bytes 0xBA and 0xBE. It would take quite a while to search the whole disk, but if it doesn't find that string in the first few minutes then there is little chance of finding your LUKS header.

Jackson111 · 05-10-2024, 11:00 PM

Quote:

Originally Posted by rknichols

That's not a good sign. It means that testdisk found nothing but the existing partition with unidentifiable content.

If you have the hexedit command available, then rather than fussing with testdisk it's a lot easier just to run "hexedit -s /dev/sdb" (preferably in a window with at least 36 lines so that a complete sector can be shown) and search for the hex string "4C554B53BABE". That's the ASCII characters "LUKS" followed by the hex bytes 0xBA and 0xBE. It would take quite a while to search the whole disk, but if it doesn't find that string in the first few minutes then there is little chance of finding your LUKS header.

Going through the manual I didn't get smarter. Thank you, I thought I maybe didn't understand something.

I'll try hexedit (does it make sense to pipe it through grep?), but now I really want to know what happened, as I am sure a simply accidentally formatted disk wouldn't be such a head scratcher.

rknichols · 05-11-2024, 08:58 AM

Quote:

Originally Posted by Jackson111

Going through the manual I didn't get smarter. Thank you, I thought I maybe didn't understand something.

I'll try hexedit (does it make sense to pipe it through grep?), but now I really want to know what happened, as I am sure a simply accidentally formatted disk wouldn't be such a head scratcher.

Don't try to pipe hexedit output through anything. It's an interactive editor. Just type the "/" key to enter the search function and then enter the string "4c554b53babe" (without the quotes). You want to find that sequence at the start of a sector, which will be a hex address ending in n00, where n is an even number. If it finds that somewhere else, just type "/" and <enter> to continue the search. If your encrypted partition really was the only partition on the disk, that sequence should be found almost immediately.

Jackson111 · 05-11-2024, 09:37 AM

Quote:

Originally Posted by rknichols

Don't try to pipe hexedit output through anything. It's an interactive editor. Just type the "/" key to enter the search function and then enter the string "4c554b53babe" (without the quotes). You want to find that sequence at the start of a sector, which will be a hex address ending in n00, where n is an even number. If it finds that somewhere else, just type "/" and <enter> to continue the search. If your encrypted partition really was the only partition on the disk, that sequence should be found almost immediately.

Out of luck, it seems