Data Recovery after Diskpart cleaned and created new partition

This is a life-destroying moment for me. I have a 2TB External Hard drive, with 2 partitions. The first one is 50 MB (actually ~48.5MB) UDF containing setup files for veracrypt and truecrypt, and keyfiles. The second partition is a Veracrypt-encrypted partition of size 1.8TB, which was quick formatted by Veracrypt. The drive was GUID -based, and the first partition was made an OEM partition using Diskpart and the second one an EFI partition in order to prevent accidental formatting by the system. However, a sudden accidental right click has pasted this script in diskpart and ran it before I could halt it. Diskpart doesn't even ask for confirmation before cleaning a drive.

Code:

select disk 0
clean
convert gpt
create partition primary size=300
format quick fs=ntfs label="Windows RE tools"
assign letter="T"

The new partition has a 300MB partition called Windows RE tools, and the rest is unallocated. I assigned a letter to the unallocated drive without formatting, hence it's a RAW partition, but Veracrypt couldn't open it. Is there any way to recover the previous data. It is extremely important for me and my job depends on it. The disk containing the backup of the data crashed last week and I had sent it to RMA. Hence I'm left with no backups.


I have opened the disk using WINHEX and I have seen the contents of the 50MB UDF partition, the keyfiles and the setup files. They are intact. Then there is a whole lot of gibberish, which I believe is the Veracrypt partition. And at the end of the disk there are thousands of zeroes, which I believe is there because the partition was quick formatted with Veracrypt. Now, could anyone tell me how to recover data from this? Is it at all possible?

UDF, GPT, veracrypt - Plus you ran diskpart clean. All too complicated.

Anyway, post a screenshot of your external drive in Windows Disk Management.(Please remove all other external storage devices.)

Also a screenshot of how Minitools Partition Wizard sees it.

Third run the Partition Recovery Wizard on the external drive, do a Quick Scan. Let Quick scan complete.Post a screenshot of the Partitions shown. (See my post here for reference Raid 5 became unallocated.)

Once you have snapped it, click on Cancel and close the Partition Wizard.

Let us see whether at all we can see any light at the end of the tunnel.

You said using WinHex you were able to see the contents of the UDF partition.Are you sure that all the data in the full 50MB are intact? Even if part of that partition at the beginning has been zeroed by diskpart clean I would think that even if we manage to recover the gibberish data in the other partition,it cannot be decrypted.

Post these three screenshots. Even if not me, some other member with more insight on veracrypt may chip in with some ideas.

Thank you for your kind reply. However, WinHex came to my rescue this time. I was able to locate the end of UDF partition, by comparing to other UDF partitions I have. Then I was able to copy the first few random sectors to a file. I could not copy all due to dearth of space. However, Veracrypt could mount it, though the mounted volume was corrupted. However, the fact that it was opened by Veracrypt is a success, I believe.

"However, Veracrypt could mount it, though the mounted volume was corrupted."

I don't know much about veracrypt and from what little I read veracrypt creates the UDF partition and puts all the data including the key in it.

I also believe that diskpart clean would not have touched the UDF partition.(People were having trouble deleting the Virtual CD UDF partition created by Western Digital's Smartware. Windows could not delete the partition.)

So your effort should be to find out the start point of the UDF partition and then copy all data from the start of the partition to the end of the partition.

That is the reason why I wanted you to run the Partition Recovery Wizard.. If quick scan does not find the partitions then run the Full Scan. If the UDF partition is found, the Found Partitions window at the end of the quick scan or full scan will show you the start and end sectors of that UDF partitions.That will facilitate to recover the complete veracrypt file and if no data in it was lost you should be able to mount and open the files.

I presume you are trying to copy in the same drive.What I was thinking was if we know the original disk structure from the Partition Recovery Wizard then you can create the same partition structure on another drive and copy the sectors to the appropriate partitions.I do think you are capable of doing these things.I can only analyse the situation and give you the ideas from the "armchair" :).

While I have used WinHex on a few occasions on my desktop in India, I am more than happy with bootice when it comes to copying and restoring sectors.You can have a look at bootice in my post here Lost partitions!
It can copy single sectors or a block of sectors and then restore it.

Please keep us posted on your adventure.:)

I don't know much about veracrypt and from what little I read veracrypt creates the UDF partition and puts all the data including the key in it.

Sir, veracrypt works exactly like Truecrypt. It creates an encrypted NTFS (or Fat, if anyone wants) partition. The first few sectors of the partition is the encryption header which, if damaged, will render the entire partition useless. There's also a backup header somewhere else in the partition, but that's another story.

I also believe that diskpart clean would not have touched the UDF partition.(People were having trouble deleting the Virtual CD UDF partition created by Western Digital's Smartware. Windows could not delete the partition.)

That is true in case of WD My Passport which comes with a Virtual CD in UDF format. That is probably embedded in the firmware and hence cannot be erased. However, the UDF in my case is made by me. And so it has been erased by Diskpart.

So your effort should be to find out the start point of the UDF partition and then copy all data from the start of the partition to the end of the partition.
That is exactly what I did with WinHex, Sir. I found out the starting point of the encrypted partition.

That is the reason why I wanted you to run the Partition Recovery Wizard.. If quick scan does not find the partitions then run the Full Scan. If the UDF partition is found, the Found Partitions window at the end of the quick scan or full scan will show you the start and end sectors of that UDF partitions.That will facilitate to recover the complete veracrypt file and if no data in it was lost you should be able to mount and open the files.
Unfortunately, as the GPT has been rewritten, the lost partitions cannot be found. And as there is no way any of the recovery systems will recognise the encrypted partition, as it looks gibberish. The only way is to mark the beginning of the partition using WinHex manually. I've attached a picture depicting the scenario.

I presume you are trying to copy in the same drive.What I was thinking was if we know the original disk structure from the Partition Recovery Wizard then you can create the same partition structure on another drive and copy the sectors to the appropriate partitions.I do think you are capable of doing these things.I can only analyse the situation and give you the ideas from the "armchair" .

Oh no. I have tried my best not to overwrite any data on the original drive. All I have done is to open it in Winhex in read-only mode. I've just copied the first few sectors of the encrypted drive and saved it to a file in my internal hard drive, just to check if the header is intact. Thankfully, it is.

While I have used WinHex on a few occasions on my desktop in India, I am more than happy with bootice when it comes to copying and restoring sectors.You can have a look at bootice in my post here Lost partitions!
It can copy single sectors or a block of sectors and then restore it.

Ok. I'll definitely try to use it. I've ordered another 2 TB hard disk yesterday. I'll clone the original one, and start working with the copy.


Please keep us posted on your adventure.
Sure. I also live in India, Kolkata to be precise, and I mailed one of the companies providing data recovery services. They estimated that the charge for recovering the data would amount to Rs. 40000. Hence, I'm trying my best to do it on my own.

Here's a comparison of the partitions before and after the DISKPART fiasco.

MycroftHolmes said:

Here's a comparison of the partitions before and after the DISKPART fiasco.

OK, how was it before in Windows Disk Management?

Have you seen it show the 50MB UDF partition anytime before?

Now the 615MB UDF Read only Virtual CDROM partition in WD Passport will only show up as a separate CDROM device. The other partition was shown as a HDD and only this partition could be manipulated by Windows Disk Management.It could not delete the 615 MB UDF Partition. How to remove hidden Virtual CD (VCD) partitions on your Western Digital external disks

So, what matters now is whether your 50 MB UDF Partition was shown in Windows Disk management in one disk. If it was, then diskpart Clean would have wiped it.

If it was not shown in Windows Disk Management at all earlier then perhaps not.

That is how I see it.

The fact that you can see the UDF data with WinHex makes me believe that your UDF data is still there.

I may be wrong. I am just thinking aloud.:)

And you said that you could find the start as well as the end sector.Can you specify the exact sector Numbers?

If these are within the first 2048 sectors, then diskpart clean did not write zeroes to it. (DiskPart clean writes zeros to sectors 0 to 2047 and like last sectors.)

MycroftHolmes said:

Here's a comparison of the partitions before and after the DISKPART fiasco.

OK, how was it before in Windows Disk Management?

Have you seen it show the 50MB UDF partition anytime before?
Windows Disk Management showed the partition just as I sketched it.

Now the 615MB UDF Read only Virtual CDROM partition in WD Passport will only show up as a separate CDROM device. The other partition was shown as a HDD and only this partition could be manipulated by Windows Disk Management.It could not delete the 615 MB UDF Partition. How to remove hidden Virtual CD (VCD) partitions on your Western Digital external disks

This isnt that Virtual Drive. Virtual Drives only comes with WD MY Passport series, not Elements. My HDD is WD Elements. I made a 50MB Partition and made it UDF by using the following command:
format <Driveletter> /fs: UDF /q
You may try it too, if you have any spare memory card. It'll become UDF.


So, what matters now is whether your 50 MB UDF Partition was shown in Windows Disk management in one disk. If it was, then diskpart Clean would have wiped it.

If it was not shown in Windows Disk Management at all earlier then perhaps not.

That is how I see it.

Correct. Diskpart has cleared the first part of the UDF partition. However, it didn't overwrite the data in it, as the command used in Diskpart was clean and not clean all

The fact that you can see the UDF data with WinHex makes me believe that your UDF data is still there.

I may be wrong. I am just thinking aloud.:)

Data is there. Partition is lost. Only way of recovering data is by using a data recovery software that can recover raw data.

And you said that you could find the start as well as the end sector.Can you specify the exact sector Numbers?

If these are within the first 2048 sectors, then diskpart clean did not write zeroes to it. (DiskPart clean writes zeros to sectors 0 to 2047 and like last sectors.)



Sure. The encrypted partition starts at offset 3300000(Hex) and ends 4 sectors before the end of disk.

Just a note that if data is important it is reckless not to back it up at all times. Here is a free method to keep data backed up at all times to the cloud, which can also be used to sync it at the same time to all other machines: Sync, Backup and Store your Files to the Cloud with OneDrive

Rest assured you are in the best possible hands with Jumanji.