Accidentally wrote an ISO to an encrypted 5TB drive… Help?
So, I did a thing - accidentally selected my 5TB external NTFS hard drive (encrypted with VeraCrypt) as the target for writing an ISO. The moment I noticed that "Impression" had switched the drive letter, I immediately killed the process. But yeah… damage done.
Now, the situation:
Currently shows up as:
6 MB FAT
4.3 GB
2 TB unallocated
2.6 TB unallocated
The VeraCrypt volume obviously no longer mounts.
Drive was somewhat crucial - lots of structured data I’d really prefer to recover with the original file system intact.
I know chances are slim, especially with encrypted volumes, but has anyone had luck recovering from something like this? I’m open to commercial recovery tools or command-line wizardry. Would love to hear from anyone who’s been down this road.
I'm gonna be the one to say it. You've ruined your ability to decrypt the data. You can try a recovery service but expect to pay a lot for zero results.
I'm sorry this happened to you.
Edit: don't go with commercial software, find a recovery service
This case is due to a logical problem. Cleanrooms are only necessary for physical repairs, like swapping the Head Stack Assembly.
DriveSavers’ cost of entry for a successful recovery is about $2,000. They’ve even given that quote to an iPhone user who needed nothing more than a screen replacement.
Their “state of the art facility” is appropriate for hardware cases where money is no object and you need the best of the best to deliver results no matter the cost.
Realistically, most regular people will be well taken care of using a reasonably priced service like 300 Dollar Data Recovery.
Each VeraCrypt volume contains an embedded backup header, located at the end of the volume (see above). The header backup is not a copy of the volume header because it is encrypted with a different header key derived using a different salt (see the section Header Key Derivation, Salt, and Iteration Count).
It may be possible to recover the encryption key. You might try asking on VeraCrypt forums/mailing lists or contacting a commercial data recovery service which understands VeraCrypt. Though I’m not familiar with VeraCrypt so I may be misunderstanding the cited documentation.
Of course, OP should create an exact duplicate of the disk to another drive before making any changes to it.
As an aside, I know that GPT partition tables likewise come with a backup header at the end of the disk. Whether LUKS encrypted devices also have backup headers, I don't know, but it doesn't seem so. So, my fellow LUKS users, perhaps you would like to run the following:
VeraCrypt has back-up headers located elsewhere in the volume that are unlikely to have been overwritten.
First things first: I would strongly recommend copying the drive as it currently exists bit for bit to another drive of equal or larger size. Don't work on the original if you can help it.
Now with this copy, you should try to check the option to use the backup header when mounting and try again. If the partition is gone and VeraCrypt doesn't see it you'll need to try using something that recovers partitions and doesn't mind encrypted partitions or partitions or file system types it doesn't understand and use that to ON THE COPY recover and recreate the partition (this will write data and can cause the possibility of further loss or worsen your ability to recover which is why it is important to perform it on a copy). TestDisk may work for this but there are other options that probably are better.
See this list: https://old.reddit.com/r/datarecovery/wiki/software and choose something from there if this data is truly important. Again only work on a copy on another drive. Some of these software examples actually work against the original drive and make a copy elsewhere and should be safe to use on the original drive so long as they have you select a target drive to push the recovered data to but read the documentation. TestDisk absolutely must be used on a copy.
You will incur data loss and likely should run one of the file recovery software mentioned on the drive once successfully mounted in VeraCrypt to attempt to recover as much as possible.
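Added example, not part of any post in this thread: a read-only check, run against the bit-for-bit copy, of whether the primary and backup header slots still look like ciphertext. The offsets are assumptions taken from VeraCrypt's published volume format (512-byte encrypted header, backup header 128 KiB before the end of the volume), the function names are hypothetical, and the sample image is constructed.

```python
import math
import random
from collections import Counter

HEADER_LEN = 512            # assumed: 64-byte salt + 448 encrypted bytes
HEADER_GROUP = 128 * 1024   # assumed: two 64 KiB header slots at each end

def header_offsets(vol_start: int, vol_size: int) -> dict:
    """Offsets inside the image of the primary and backup header slots."""
    return {"primary": vol_start,
            "backup": vol_start + vol_size - HEADER_GROUP}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (about 7.6 for 512 random bytes)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def assess(image, vol_start: int, vol_size: int, threshold: float = 7.0) -> dict:
    """Classify each header slot of a seekable image opened read-only."""
    result = {}
    for name, off in header_offsets(vol_start, vol_size).items():
        image.seek(off)
        block = image.read(HEADER_LEN)
        ok = len(block) == HEADER_LEN and entropy(block) >= threshold
        result[name] = "plausible ciphertext" if ok else "overwritten or wrong offset"
    return result

def build_sample(vol_size: int = 1024 * 1024, written: int = 256 * 1024) -> bytes:
    """Constructed stand-in: random 'ciphertext' whose front was hit by an ISO write."""
    rng = random.Random(0)
    vol = bytearray(rng.getrandbits(8 * vol_size).to_bytes(vol_size, "little"))
    vol[:written] = bytes(written)      # ISO system area is mostly zeros
    vol[32769:32774] = b"CD001"         # ISO 9660 volume descriptor magic
    return bytes(vol)

if __name__ == "__main__":
    import io
    sample = build_sample()
    # For a real copy: open("copy.img", "rb") with the volume's start and size.
    print(assess(io.BytesIO(sample), vol_start=0, vol_size=len(sample)))
```

A "plausible ciphertext" result only shows the slot was not clobbered by the ISO write; whether it is a usable header is decided by mounting the copy read-only with the backup-header option. If the volume lived inside a partition, `vol_start` and `vol_size` are the original partition's start and length, which have to be recovered first.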
I think you need to go commercial recovery. If it was a file you accidentally deleted, that can easily be recovered, but you wrote directly to the device.
I guess it's a question of how much hassle it's worth. I did a messy data recovery of a crashed database for a work client once, but it involved a lot of trial and error and writing special purpose code, plus considerable luck that some things worked better than I had a right to expect. Cost of something like that would be in the multi kilobucks, maybe low 5 figures. We got almost all the data back, though not 100%.
Maybe just put that HDD aside and replace it with a new one, and deal slowly with recovering the data as you get the time to mess with it. Also don't do any write operations on the old drive. Maybe copy it entirely to someplace and work on the copy. In fact better do that anyway, HDs physically crash all the time.