View unanswered posts | View active topics It is currently Thu, 2017/10/19 8:06 pm



Reply to topic  [ 11 posts ] 
OTFbrutus error - "Cannot Read Volume Header" 
Author Message

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post OTFbrutus error - "Cannot Read Volume Header"
Thank you for creating such a useful program. When I try to use OTFBrutus, I get a error that says: "cannot read volume header" . I am using version 7.1a of Truecrypt - Windows 8 (also have same error on Windows 7). Can you please tell me how I can get around this error?

Thank you


Sun, 2013/09/01 9:41 pm
Profile
Site Admin

Joined: Sun, 2005/04/03 7:02 pm
Posts: 302
Location: Los Angeles, CA USA
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
You didn't mention what type of volume, I am assuming a device or partition hosted volume and my best guess is that it's a UAC issue. Have you tried it with UAC off or "Run as Administrator?"

Another option:
You don't actually need the whole device/partition to test the password. You only need the header. You could run a hex editor, such as winhex or hxd, in administrator mode, open the device or partition and copy the first 1MB to a new file on your hard drive. You might then be able to run OTFBrutusGUI in non administrator mode and load this file instead of the device/partition.


Mon, 2013/09/02 4:06 am
Profile WWW

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
i have tried running it as administrator as well as with UAC turned off. Yes, I am trying to decrypt a truecrypt hosted volume (a truecrypt file). In order to get the header, do I just open the volume file with a hex editor and copy the first one meg of the file? I can give it a try since it does not seem possible to open the file.

Update: I was able to copy the first 1 meg of my test file but I do not think I did it correctly. When I pulled it into OTFBrutus, the program worked (no volume header errors) but did not correctly identify the password (my test password which was definitely in the password file I pointed to). If I point OTFBrutus to the actual encrypted volume,, it detects the password perfectly. Can you please give me some specifics on how to extract the header correctly using HxD?

Thank you


Mon, 2013/09/02 5:56 am
Profile
Site Admin

Joined: Sun, 2005/04/03 7:02 pm
Posts: 302
Location: Los Angeles, CA USA
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
UAC and admin mode should not normally affect a file hosted volume.

There's not a lot to copy the file header.
Open your file in HxD
Edit Menu -> Select Block (Ctrl E)
Start = 0, End = 999999, dec
Edit Menu -> Copy (Ctrl C)
File Menu -> New (Ctrl N)
Edit Menu -> Paste (Ctrl V)
File Menu -> Save (Ctrl S)


Mon, 2013/09/02 12:26 pm
Profile WWW

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Thanks for the quick reply. When I follow the instructions below for my test file, it seems to work, but when I try the same thing with any of my hosted volumes, I still get the cannot read volume header error. i have tried it with three different volumes and all the same thing (all hosted volumes). I guess I am at a loss at this point. I have my word list built but no way to run it against the encrypted volumes. Any additional help would be greatly appreciated.


Mon, 2013/09/02 1:55 pm
Profile
Site Admin

Joined: Sun, 2005/04/03 7:02 pm
Posts: 302
Location: Los Angeles, CA USA
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Let's be 100% clear on what is and is not working.

Test TrueCrypt File Container
Open in HxD, save first 1MB to test_file_header
It works
Load test_file_header in OTFBrutusGUI
It works

Actual TrueCrypt File Container
Open in HxD, save first 1MB to actual_file_header
It works
Load actual_file_header in OTFBrutusGUI
cannot read volume header

If it works with a test file but not your other files, then I don't know. There has to be something different about test_file_header and actual_file_header.


Mon, 2013/09/02 3:07 pm
Profile WWW

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Yes, that is correct.
I saved the actual volumes header file in the same manner that I saved the test volumes header file.
The test volumes header file can be read and processed correctly but the actual volumes header file cannot.
The only difference that I know between the files is that the test volume is 1 meg in size and the actual volume is about 800 gig.
They were both created with AES-Twofish encryption settings and everything else left as default. The actual volume is using a password that is the same as an third older volume (about 1 TB in size) i created a while ago (on a different drive but same version of Truecrypt 7.01a) and I have tried both the third volume and it also comes back as cannot read the volume header. Is there a way to further troubleshoot the differences between the two files?


Mon, 2013/09/02 3:41 pm
Profile
Site Admin

Joined: Sun, 2005/04/03 7:02 pm
Posts: 302
Location: Los Angeles, CA USA
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Once you have saved the first 1Mb pieces of the test file and the actual file using HxD, there should be absolutely no difference between the two. There has to be something different about them that you are causing, such as file name, location where you are saving the file, etc.

Try this, save actual_file_header and overwrite a working test_file_header and then load the overwritten test_file_header in OTFBrutusGUI


Mon, 2013/09/02 4:45 pm
Profile WWW

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Ok, I will give that a try and report back on my success (or lack of) :) Thanks again for the help!


Mon, 2013/09/02 7:05 pm
Profile

Joined: Sun, 2013/09/01 9:35 pm
Posts: 6
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
Ok, with your help, I was able to make some progress! :)

For whatever reason, the header files for the encrypted volumes were not able to be read from the external drive but once I saved them again to a local drive, no more volume errors. So, here is what happened:

The first header file for the first volume was read and i was able to successfully crack the password and decrypt that volume! Success!

The second header file as was also read but unfortunately, I was not able to crack the password although I know that they are both the same (copied/pasted the password when creating the volumes). Also tried that password manually in truecrypt but no success.

Upon a little more investigating, I noticed that the header files (although created exactly the same way) were formatted differently. The header file for the volume I was able to decrypt looks like the contents are in Japanese (sorry for the crude description) while the other looks like regular alpha characters - just all scrambled up. The only difference between the drives that the header file for the unsuccessfully decrypted drive had the password changed to the new password (the password that decrypted the other volume). Would a password change cause the header file contents to move to a different location or somehow corrupt the volume header?

Thank you again for your assistance!


Wed, 2013/09/04 10:55 am
Profile
Site Admin

Joined: Sun, 2005/04/03 7:02 pm
Posts: 302
Location: Los Angeles, CA USA
Unread post Re: OTFbrutus error - "Cannot Read Volume Header"
If you're saying the headers look different when viewed in HxD, then there is something wrong with one of your files. The first image below shows what a TC header should look like, all characters are completely random, and sounds like your description of the header you successfully decrypted. The 2nd image shows a limited set of some ascii characters, it could not be a valid TC header, and sounds more like the description of the header you cannot decrypt.

Changing the header would not cause the header to move and it would not cause the header to become non random looking. The only thing that could really cause something like this is an issue with your disk or something you or another piece of software on your computer did.

Have you tried the TC mount option "use backup header [...]" yet? If your TC volume container was corrupted somehow, it is possible that only the beginning portion of the file was damaged and the backup header located at the end of the volume could still be intact. If the backup header works, you might then have to run file recovery software on the mounted volume.


Attachments:
rnd.png
rnd.png [ 18.07 KiB | Viewed 13629 times ]
ascii.png
ascii.png [ 17.68 KiB | Viewed 13629 times ]
Sun, 2013/09/08 12:17 pm
Profile WWW
Display posts from previous:  Sort by  
Reply to topic   [ 11 posts ] 

Who is online

Users browsing this forum: Google [Bot] and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by ST Software