±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 34077
New Yesterday: 5 Visitors: 161

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

WDE - Truecrypt (Project Assistance)

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3  Next 

WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 12:17 am

Hi, I am new to the website and apologise if the topic is redundant or not in the right place.

I am currently studying computer forensics and my project aim is to produce an effective procedure in detecting strictly whole disk encryption, pulling keys from volatile memory and decrypt then mount the drive on a forensic workstation.

Achieved: I have successfully mounted and decrypted a Bit-locker drive using 'bdemount' in linux (Ubuntu) and gained full access to the drive.

Current Task: I have now moved on to truecrypt 7.1a and successfully gained access to a TC container using volatile memory using the extracted key. However, this is not WDE yet, TC does supply the functionality and the current drive being used is encrypted with the default AES encryption method.

I have managed to recover the master key from volatile memory using 'aeskeyfinder' (Linux) which doesn't fit my criteria (only AES keys). However, extracting keys using Elcomsoft Forensic Disk Decryptor displays multiple PGP keys which completely confuses me.

Problem: I have used the Truecrypt plugins in Volatility but they simply do not work, nor display the encryption method. All resources I have found relate directly to TC containers or volumes, not the entire disk.

Question: How can I effectively and easily extract TC WDE keys and mount the drive to view its contents (similar to the bit-locker technique, I am happy to use both Windows and Linux).

Note: EFDD displays an error message when attempting to decrypt (Invalid Key from memory dump).

Any help appreciated and apologies for the wall of text.



Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 10:32 am

Senior Member

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 12:02 pm

- AmNe5iA

Thank you for the assistance, I have used cryptsetup and failed (I think it only supports volumes or containers). When I attempt to request info of the drive, it prompts for a pass phrase. I'm unsure how to fully use the tool and was unable to pass the master key for decryption.

I didn't come across the other two, Ill give them a try and let you know!  


Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 3:00 pm

cryptsetup doesn't allow you to pass the masterkey directly, though the other two do.

A truecrypt file (e.g. file.tc) is essentially the same as a truecrypt partition (e.g /dev/sda1) or disk (e.g. /dev/sda) with the exception of truecrypt bootable system partitions which have a slightly different structure. I'm not sure any of these tools will open a truecrypt bootable system partition

Also technically Bitlocker and Truecrypt are actually FVE not WDE.  

Senior Member

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Thu Mar 31, 2016 11:11 pm

MKDecrypt seems to be the right solution however, states that the wrong key is being used. aeskeyfinder outputs the following:


MKDecrypt asks for either a 128, 256 or 384 hexadecimal character length. I assume true-crypt uses a 256 bit key.

I have used combinations of the keys above yet, none work.

Command used: sudo ./MKDecrypt.py -v /dev/sda "aes key 256"

Unwanted message: /dev/sda exists
Masterkey does not decrypt a normal/outer volume. Trying for a hidden volume...  


Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 7:42 am

There is something sounding "wrong", an AES key should be 256 bits, i.e. 32 bytes or 64 hex characters, see:

Whilst the MKdecrypt expect 128/256/386 hex characters:
	if not len(args.MASTERKEY) == 128 and not len(args.MASTERKEY) == 256 and not len(args.MASTERKEY) == 384:
		print('MASTERKEY is not of the correct length.  It should be 128, 256 or 384 hexadecimal characters in length.')

128 hex characters are 64 bytes or 512 bits, maybe you need the two 256 bit keys used in (whatever it means) XTS mode:

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 8:09 am

Truecrypt 7 work in XTS mode which requires two 256 bit keys concatenated together to form one 512 bit key. This equates to 128 hex characters (512 / 4 (a nibble) = 128). If cascaded encryption is being used i.e. aes-> twofish then four 256 bit keys are required (1024 / 4 = 256 hex characters) If three level cascaded encryption is being used i.e. aes->twofish->serpent then six 256 bit keys are required this equates to 384 hex characters (1536 / 4 = 384).

For your AES key to work you will have to correctly identify the two 256 bit keys from memory and concatenate them together in the right order. For non cascaded encryption this is relatively simple as there is only two options either <key1>+<key2> or <key2>+<key1>  

Senior Member

Page 1 of 3
Go to page 1, 2, 3  Next