WDE - Truecrypt (Project Assistance)

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Sat Apr 02, 2016 2:54 pm

As stated previously, Truecrypt is FVE, so if the disk was encrypted (e.g. /dev/sda) there would only be one file system within. Because of this there shouldn't be any sda1, sda2, etc.

Try using the "lsblk" command.

If it shows anything like sda1 or sda2 etc. then you know that it can't be the whole disk that is encrypted but one of the partitions.

Is the partition you are trying to decrypt a truecrypt bootable partition? because if it is I don't think any of the tools I linked will work on it.

I haven't used AESKeyFind but I have used Bulk Extractor ( github.com/simsong/bulk_extractor ) to pull the AES keys from a raw RAM image.
I have then been able to find two 256-bit AES keys that, when concatenated together, successfully decrypted a truecrypt partition/disk using MKDecrypt.

Senior Member

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Sat Apr 02, 2016 4:45 pm

lsblk displays the 240GB SSD as sdb and branches to display two partitions: sdb1 100M and sdb2 223.5G.

The sdb2 partition contains a Windows 7 OS that requires pre-boot authentication using Truecrypt.

This confirms that the disk is not WDE and the suggested tools will not work?

This scenario is becoming a burden and I apologise for the hassle; however, it's become a great learning curve for myself.

Any ideas which tool or method would work?

Thank you.  


Re: WDE - Truecrypt (Project Assistance)

Post Posted: Sat Apr 02, 2016 5:03 pm

coreyj81 wrote:

> Any ideas which tool or method would work?
>
> Thank you.

Try imaging sdb2 to a file and running the tools on the file.
Though possible of course, at first sight I cannot think of why a "bootable" partition would be in any way different from a volume (a primary partition is a volume).
The difference might be where the header is (when compared to a container).

It is not at all clear (to me at least) if useful or "connected" to the issue at hand, but do have a look at sector LBA 62:
See also:
or - maybe - the last sector before the beginning of the sdb2 extents, since the first partition is "in the middle".
See also:

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Tue Apr 12, 2016 10:05 am

You can examine the truecrypt WDE drive but none of those tools will do what you want automatically.

MKdecrypt should help you discover the correct masterkey if you don't yet know it but it will state that it has found a hidden volume. (Most probably when it encounters the start of the first partition.)

The first sector on the encrypted disk will hold the partition table and the start of the truecrypt bootloader. You will need to interpret the partition table to complete this process. I would suggest dd-ing the first sector and either interpreting it manually in a hex editor or running the 'file' command against it.

Sectors 0 - 61 should contain the truecrypt bootloader in unencrypted form.
Sector 62 should contain the truecrypt header (which is decrypted by the header key calculated from the password/keyfiles)
Sectors 63-<end of the disk> is the disk encrypted using the masterkey.

You will need to use 'dmsetup' to 'device map' the decrypted disk using the correct masterkey.

sudo dmsetup create decrypted --table "0 <disk size in sectors> crypt aes-xts-plain64 <masterkey> 0 /dev/sdb 0"

You will find the decrypted disk located at /dev/mapper/decrypted

Sectors 0-62 should be garbage (as they were either unencrypted (0-61) or encrypted with a different key (62)), but sectors 63 and on should now be in plaintext.

To access the partitions you will need to create linear device mappings to them, again using 'dmsetup'.

sudo dmsetup create partition1 --table "0 <size of partition 1 in sectors> linear /dev/mapper/decrypted <offset in sectors to partition 1>"


sudo dmsetup create partition2 --table "0 <size of partition 2 in sectors> linear /dev/mapper/decrypted <offset in sectors to partition 2>"

You should then be able to mount both partitions at /dev/mapper/partition1 and /dev/mapper/partition2.

Alternatively you could just dd the whole of /dev/mapper/decrypted. Then process the dd image in something like X-Ways/Winhex and use Tools->Disk Tools->Scan for lost partitions... to locate the partitions before examination.  

Senior Member
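Worked example added by the editor, not code posted in the thread: it automates the partition-table step in the post above. Given the unencrypted sector 0 of the disk, it parses the MBR entries, checks that each partition lies inside the region encrypted with the master key (sector 63 onward, below the header at sector 62 is the bootloader), validates that the key is the two concatenated 256-bit AES keys dm-crypt expects for aes-xts, and emits the 'crypt' and 'linear' dmsetup tables exactly in the form the post gives. The device names /dev/sdb and /dev/mapper/decrypted are taken from the post; the disk size, the sample MBR bytes and the master key are constructed placeholders that mimic the 100M + 223.5G layout reported earlier in the thread.

```python
"""Derive dmsetup tables for a TrueCrypt system-encrypted MBR disk from sector 0.

Assumed layout (from the post): sectors 0-61 bootloader (plain), sector 62
TrueCrypt header, sectors 63..end encrypted with the master key; the MBR in
sector 0 gives the partition offsets inside that encrypted region.
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xaa"
TC_HEADER_SECTOR = 62   # volume header, decrypted with the header key, not the master key
TC_DATA_START = 63      # first sector protected by the master key


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR as dicts.

    Raises ValueError when the 0x55AA boot signature is missing, which is what
    you see if sector 0 is itself encrypted (not the TrueCrypt bootloader case).
    """
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        entry = sector0[MBR_TABLE_OFFSET + 16 * i:MBR_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)  # little-endian uint32s
        if ptype == 0 or lba_count == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "start": lba_start, "sectors": lba_count})
    return parts


def crypt_table(disk_sectors: int, master_key_hex: str, device: str = "/dev/sdb") -> str:
    """dm-crypt table covering the whole disk, as in the post.

    Mapped sector n is device sector n (start 0, iv_offset 0), so the plain64 IV
    equals the absolute sector number, which is the XTS data-unit index TrueCrypt
    uses for system encryption. The key must be the two 256-bit AES keys
    concatenated (64 bytes); if sector 63 still looks random afterwards, try the
    two halves in the other order.
    """
    key = bytes.fromhex(master_key_hex)  # ValueError on non-hex input
    if len(key) != 64:
        raise ValueError(f"aes-xts with two 256-bit keys needs 64 key bytes, got {len(key)}")
    return f"0 {disk_sectors} crypt aes-xts-plain64 {master_key_hex} 0 {device} 0"


def linear_tables(parts: list, disk_sectors: int,
                  decrypted: str = "/dev/mapper/decrypted") -> dict:
    """One dm-linear table per partition, offset into the decrypted mapping."""
    tables = {}
    for p in parts:
        if p["start"] < TC_DATA_START:
            raise ValueError(f"partition {p['index']} starts at sector {p['start']}, inside "
                             f"the unencrypted bootloader/header region (0-{TC_HEADER_SECTOR})")
        if p["start"] + p["sectors"] > disk_sectors:
            raise ValueError(f"partition {p['index']} runs past the end of the disk")
        tables[f"partition{p['index']}"] = f"0 {p['sectors']} linear {decrypted} {p['start']}"
    return tables


def dmsetup_commands(sector0: bytes, disk_sectors: int, master_key_hex: str) -> list:
    """Full plan: the crypt mapping first, then one linear mapping per partition."""
    cmds = [f'sudo dmsetup create decrypted --table "{crypt_table(disk_sectors, master_key_hex)}"']
    for name, table in linear_tables(parse_mbr(sector0), disk_sectors).items():
        cmds.append(f'sudo dmsetup create {name} --table "{table}"')
    return cmds


def build_sample_mbr(entries) -> bytes:
    """Constructed test input: a 512-byte MBR with (bootable, type, start, count) entries."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) LBA-count(4)
        struct.pack_into("<B3xB3xII", mbr, MBR_TABLE_OFFSET + 16 * i,
                         0x80 if boot else 0x00, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed to mirror the layout reported in the thread: a 240 GB SSD with a
# 100 MiB bootable system partition and the Windows 7 OS partition behind it.
DISK_SECTORS = 468862128
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 468652032)])
SAMPLE_KEY_HEX = "0123456789abcdef" * 8  # placeholder 64-byte master key, not a real one

if __name__ == "__main__":
    for cmd in dmsetup_commands(SAMPLE_MBR, DISK_SECTORS, SAMPLE_KEY_HEX):
        print(cmd)
```

On a real case, replace SAMPLE_MBR with `dd if=/dev/sdb bs=512 count=1` output and DISK_SECTORS with the value from `blockdev --getsz /dev/sdb`; the partition offsets then come from the disk rather than from the constructed sample, and the check on sector 63 of /dev/mapper/decrypted (readable boot sector versus random bytes) tells you whether the key halves are in the right order.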
