Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 12:17 am

Hi, I am new to the website and apologise if the topic is redundant or not in the right place.

I am currently studying computer forensics and my project aim is to produce an effective procedure in detecting strictly whole disk encryption, pulling keys from volatile memory and decrypting, then mounting the drive on a forensic workstation.

Achieved: I have successfully mounted and decrypted a BitLocker drive using 'bdemount' in Linux (Ubuntu) and gained full access to the drive.

Current Task: I have now moved on to TrueCrypt 7.1a and successfully gained access to a TC container using volatile memory, using the extracted key. However, this is not WDE yet; TC does supply the functionality, and the current drive being used is encrypted with the default AES encryption method.

I have managed to recover the master key from volatile memory using 'aeskeyfinder' (Linux) which doesn't fit my criteria (only AES keys). However, extracting keys using Elcomsoft Forensic Disk Decryptor displays multiple PGP keys which completely confuses me.

Problem: I have used the Truecrypt plugins in Volatility but they simply do not work, nor display the encryption method. All resources I have found relate directly to TC containers or volumes, not the entire disk.

Question: How can I effectively and easily extract TC WDE keys and mount the drive to view its contents (similar to the BitLocker technique; I am happy to use both Windows and Linux)?

Note: EFDD displays an error message when attempting to decrypt (Invalid Key from memory dump).

Any help appreciated and apologies for the wall of text.

Thanks,
Corey.  

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 10:32 am


AmNe5iA
Member
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 12:02 pm

- AmNe5iA


Thank you for the assistance, I have used cryptsetup and failed (I think it only supports volumes or containers). When I attempt to request info of the drive, it prompts for a pass phrase. I'm unsure how to fully use the tool and was unable to pass the master key for decryption.

I didn't come across the other two, I'll give them a try and let you know!  

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 3:00 pm

cryptsetup doesn't allow you to pass the master key directly, though the other two do.

A TrueCrypt file (e.g. file.tc) is essentially the same as a TrueCrypt partition (e.g. /dev/sda1) or disk (e.g. /dev/sda), with the exception of TrueCrypt bootable system partitions, which have a slightly different structure. I'm not sure any of these tools will open a TrueCrypt bootable system partition.

Also, technically BitLocker and TrueCrypt are actually FVE, not WDE.  

AmNe5iA
Member
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 11:11 pm

MKDecrypt seems to be the right solution; however, it states that the wrong key is being used. aeskeyfinder outputs the following:

df6445b4b8b8d997617946b1f8050bb2
cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
6d3469720a3f597ac70eddea30690dc5530af99731517a954f9bcbd2e1dba962
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
4b9e532541a94627b70da15381550e86b811a9f9a0c19b927107a44cb2074b75

MKDecrypt asks for either a 128, 256 or 384 hexadecimal character length. I assume TrueCrypt uses a 256-bit key.

I have used combinations of the keys above, yet none work.

Command used: sudo ./MKDecrypt.py -v /dev/sda "aes key 256"

Unwanted message: /dev/sda exists
Masterkey does not decrypt a normal/outer volume. Trying for a hidden volume...  

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 7:42 am

There is something that sounds "wrong": an AES key should be 256 bits, i.e. 32 bytes or 64 hex characters, see:
volatility-labs.blogsp...n-and.html

Whilst MKDecrypt expects 128/256/384 hex characters:
Code:
    if not len(args.MASTERKEY) == 128 and not len(args.MASTERKEY) == 256 and not len(args.MASTERKEY) == 384:
        print('MASTERKEY is not of the correct length.  It should be 128, 256 or 384 hexadecimal characters in length.')
        exit(1)

128 hex characters are 64 bytes, or 512 bits; maybe you need the two 256-bit keys used in (whatever it means) XTS mode:
mweissbacher.com/blog/...truecrypt/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 8:09 am

TrueCrypt 7 works in XTS mode, which requires two 256-bit keys concatenated together to form one 512-bit key. This equates to 128 hex characters (512 / 4 (a nibble) = 128). If cascaded encryption is being used, i.e. AES->Twofish, then four 256-bit keys are required (1024 / 4 = 256 hex characters). If three-level cascaded encryption is being used, i.e. AES->Twofish->Serpent, then six 256-bit keys are required; this equates to 384 hex characters (1536 / 4 = 384).

For your AES key to work you will have to correctly identify the two 256-bit keys from memory and concatenate them together in the right order. For non-cascaded encryption this is relatively simple, as there are only two options: either <key1>+<key2> or <key2>+<key1>.  

AmNe5iA
Member
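The key-ordering problem jaclaz and AmNe5iA describe above, as an added example in Go; this is not code from the thread, from MKDecrypt or from aeskeyfinder. It assumes the IEEE 1619 XTS layout TrueCrypt uses (the tweak is the 64-bit little-endian data-unit number encrypted with the second key, multiplied by x for each 16-byte block), takes every ordered pair of distinct 256-bit candidates as key1||key2, XTS-decrypts one sector with each, and keeps the pair whose plaintext carries the NTFS OEM ID and the 0x55AA boot signature. The two keys, the sector and the use of data unit 0 are constructed for the example; the one 128-bit line from the aeskeyfinder output quoted earlier is included only to show that it is filtered out, and the real data-unit number of the first encrypted sector depends on the volume layout.

```go
// Added example (not from the thread, MKDecrypt or aeskeyfinder): search the
// key order of a TrueCrypt AES-XTS master key from keys recovered in memory.
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// mulAlpha multiplies the tweak by x in GF(2^128), IEEE 1619 (little-endian) bit order.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		t[i], carry = t[i]<<1|carry, t[i]>>7
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsSector encrypts (enc=true) or decrypts one data unit under key1||key2; the
// tweak is the little-endian data-unit number AES-encrypted with key2.
func xtsSector(key1, key2 []byte, unit uint64, in []byte, enc bool) ([]byte, error) {
	if len(key1) != 32 || len(key2) != 32 || len(in)%16 != 0 {
		return nil, errors.New("need two 32-byte keys and a 16-byte-aligned unit")
	}
	c1, _ := aes.NewCipher(key1) // cannot fail for 32-byte keys
	c2, _ := aes.NewCipher(key2)
	var t, blk [16]byte
	binary.LittleEndian.PutUint64(t[:8], unit)
	c2.Encrypt(t[:], t[:])
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 16 {
		for k := range blk {
			blk[k] = in[off+k] ^ t[k]
		}
		if enc {
			c1.Encrypt(blk[:], blk[:])
		} else {
			c1.Decrypt(blk[:], blk[:])
		}
		for k := range blk {
			out[off+k] = blk[k] ^ t[k]
		}
		mulAlpha(&t)
	}
	return out, nil
}

// candidateKeys keeps distinct 256-bit entries only: aeskeyfinder also reports
// 128-bit keys and repeats, and neither can be half of an AES-XTS master key.
func candidateKeys(hexKeys []string) (keys [][]byte) {
	seen := map[string]bool{}
	for _, h := range hexKeys {
		if k, err := hex.DecodeString(h); err == nil && len(k) == 32 && !seen[h] {
			seen[h], keys = true, append(keys, k)
		}
	}
	return keys
}

// looksLikeBootSector: NTFS OEM ID at offset 3 and the 0x55AA signature at 510.
func looksLikeBootSector(s []byte) bool {
	return len(s) == 512 && bytes.Equal(s[3:11], []byte("NTFS    ")) && s[510] == 0x55 && s[511] == 0xAA
}

// findMasterKey returns key1||key2 as the 128 hex characters MKDecrypt expects
// for plain AES, or an error if no ordering of the candidates decrypts the sector.
func findMasterKey(hexKeys []string, sector []byte, unit uint64) (string, error) {
	keys := candidateKeys(hexKeys)
	for i := range keys {
		for j := range keys {
			pt, err := xtsSector(keys[i], keys[j], unit, sector, false)
			if i != j && err == nil && looksLikeBootSector(pt) {
				return hex.EncodeToString(keys[i]) + hex.EncodeToString(keys[j]), nil
			}
		}
	}
	return "", errors.New("no ordering of the candidate keys decrypts the sector")
}

// constructedSample: a fake NTFS boot sector encrypted under two constructed keys,
// listed tweak key first, plus the 128-bit aeskeyfinder line from the thread as a
// distractor. Data unit 0 is an assumption; the real number depends on the layout.
func constructedSample() ([]string, []byte, string) {
	dataKey := "a3b1c7d90e2f4a6b8c1d3e5f70819a2b3c4d5e6f8091a2b3c4d5e6f708192a3b"
	tweakKey := "5f6e7d8c9b0a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778899aa"
	sector := bytes.Repeat([]byte{0x5a}, 512)
	copy(sector, "\xeb\x52\x90NTFS    ")
	sector[510], sector[511] = 0x55, 0xaa
	k1, _ := hex.DecodeString(dataKey)
	k2, _ := hex.DecodeString(tweakKey)
	ct, _ := xtsSector(k1, k2, 0, sector, true)
	return []string{tweakKey, "df6445b4b8b8d997617946b1f8050bb2", dataKey}, ct, dataKey + tweakKey
}

func main() {
	keys, ct, _ := constructedSample()
	fmt.Println(findMasterKey(keys, ct, 0))
}
```

The string findMasterKey returns is in the 128-hex-character form that MKDecrypt's length check accepts for plain AES, and only one of the two orderings decrypts the sector, which is why a plausibility check on the plaintext is needed rather than a length check alone. For a cascade the same search has to run over more keys and, for each cipher in the chain, a different block function; that case is not covered here. Against a real image the sector fed in has to be the first sector of the encrypted area with its true data-unit number.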
 
 
