WDE - Truecrypt (Project Assistance)

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 8:19 am

Looking at your AESkeyfind output, you can ignore the first one as this is a 128 bit key. That leaves five 256 bit keys (one of the keys is repeated twice). Unless you are able to gather more clues as to which two AES keys are the required two, you will have to systematically pair up the keys until you find the two keys (in the correct order) that decrypt the disk.

so...

<key1>+<key2>
<key2>+<key1>
<key1>+<key3>
<key3>+<key1>
<key1>+<key4>
etc...

From my own experience, however, I have found the two keys in close proximity in memory and in the correct order, e.g. key 4 and key 5 found in that order in close proximity would indicate that the correct placement would be <key4>+<key5>.

AmNe5iA
Member
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 3:45 pm

Thanks jaclaz, the volatility link was a nice read and originally the source of the aeskeyfinder usage.

While the individual keys are 256 bits, the length (character count) is 64 and when combined is a 128 character length string.

MKDecrypt states (purposely, to get the message to show): "MASTERKEY is not of the correct length. It should be 128, 256 or 384 hexadecimal characters in length."

AmNe5iA, to my understanding and the usage of MKDecrypt, would I need to convert the string to hexadecimal for a character length of 256?

For example:

<key1> & <key2> = <outputKey>

<outputKey> toHex = <hexKey>

Result: sudo ./MKDecrypt.py -v "drive" "hexKey"  

Last edited by coreyj81 on Fri Apr 01, 2016 6:17 pm; edited 1 time in total

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 4:17 pm

- coreyj81

For example:

Key1=cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
Key2=65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb

EACH of the above is at the same time:
a. 256 bits
b. 32 bytes
c. 64 hex characters

You don't "sum" you "concatenate":
- AmNe5iA

For your AES key to work you will have to correctly identify the two 256 bit keys from memory and concatenate them together in the right order.

Key1 & Key2=hexKey

hexKey=cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c0949265b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb

hexKey is at the same time:
a. 512 bits (or 2x256)
b. 64 bytes
c. 128 hex characters

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  
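Putting AmNe5iA's pairing advice and jaclaz's length arithmetic together, here is an added Python example (not code from the thread, from MKDecrypt or from aeskeyfind) that filters a constructed one-key-per-line aeskeyfind listing down to the 256-bit candidates, enumerates every ordered concatenation with adjacent-in-output pairs first, and checks each result against the 128/256/384 hex-character lengths MKDecrypt's message names. The one-key-per-line input format and all key values except jaclaz's Key1/Key2 are assumptions.

```python
import itertools

# Constructed sample of aeskeyfind output (assumed non-verbose format: one hex
# key per line): a 128-bit key, three 256-bit keys, one of them repeated.
# The first two 256-bit values are Key1/Key2 from jaclaz's post; the third is made up.
SAMPLE_AESKEYFIND_OUTPUT = """\
ffeeddccbbaa99887766554433221100
cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
"""

# Hex-character lengths MKDecrypt accepts, taken from its error message.
MKDECRYPT_OK_LENGTHS = (128, 256, 384)


def describe(hexkey):
    """Return (bits, bytes, hex characters) for a hex-encoded key."""
    n = len(hexkey)
    return n * 4, n // 2, n


def candidate_256bit_keys(text):
    """Keep 64-hex-char (256-bit) keys only, dropping 128-bit keys and
    duplicates while preserving order of appearance (a proxy for memory order)."""
    keys = []
    for line in text.splitlines():
        k = line.strip().lower()
        if len(k) == 64 and all(c in "0123456789abcdef" for c in k) and k not in keys:
            keys.append(k)
    return keys


def master_key_candidates(keys):
    """All ordered pairs concatenated into 128-hex-char master keys.
    Pairs adjacent in the listing (keys[i] + keys[i+1]) come first, since the
    two keys were reported to sit close together and in order in memory."""
    adjacent = [keys[i] + keys[i + 1] for i in range(len(keys) - 1)]
    rest = [a + b for a, b in itertools.permutations(keys, 2) if a + b not in adjacent]
    return adjacent + rest


def mkdecrypt_accepts(masterkey):
    """True if the concatenated key has a length MKDecrypt will take."""
    return len(masterkey) in MKDECRYPT_OK_LENGTHS


if __name__ == "__main__":
    for mk in master_key_candidates(candidate_256bit_keys(SAMPLE_AESKEYFIND_OUTPUT)):
        print(mk, describe(mk), "ok" if mkdecrypt_accepts(mk) else "wrong length")
```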

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 6:16 pm

- jaclaz

You don't "sum" you "concatenate":


My mistake, my intention was concatenation and I placed a sum. Thank you for the clarification and illustration.

As AmNe5iA explained, Truecrypt is technically FVE. When using the concatenated keys, should I be targeting the whole drive, such as "/dev/sdb" in Linux, or the specific partition "/dev/sdb2" where the OS resides?

I appreciate the assistance provided immensely, thank you!  

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Fri Apr 01, 2016 6:41 pm

- coreyj81

As AmNe5iA explained, Truecrypt is technically FVE. When using the concatenated keys, should I be targeting the whole drive, such as "/dev/sdb" in Linux, or the specific partition "/dev/sdb2" where the OS resides?

Since it is FVE you would logically target the Volume (or partition, if the volume is also a partition).

BUT wait for a hint by the Author, it is possible that the script is intended to recognize "whole disk" or "whole device", haven't looked at it.

There is a lot of confusion in the naming of things, particularly in a mixed *nix/Windows environment, so just in case (and to avoid possible misunderstandings):
disk or disk drive = the whole thing, which has a number in Windows (\\PhysicalDrive1) and a letter in Linux (/dev/sdb)
partition or volume = the thing that usually gets a drive letter in Windows (let's say D: )[1] or a number in Linux (/dev/sdb2)

jaclaz





[1] but not for NTFS formatted volumes that - when on hard disk or similar - are one sector smaller than partition or allocated logical volume space, JFYI (not really related to the specific Truecrypt issue):
reboot.pro/topic/18034...with-dsfo/

jaclaz
Senior Member
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Sat Apr 02, 2016 12:04 am

I tried all combinations of concatenated key strings on both the whole disk as "/dev/sdb" and the particular partition where the OS resides, "/dev/sdb2".

Maybe the script is not intended to work with Truecrypt 7.1a in this way, or the aeskeyfinder script is somehow outputting the wrong AES keys.

I've also noticed when running the aeskeyfinder script with the -v parameter it outputs an extended key?

If I may ask, has anyone used an alternative method in decrypting and mounting a Truecrypt drive?  

coreyj81
Newbie
 
 
  

Re: WDE - Truecrypt (Project Assistance)

Post Posted: Sat Apr 02, 2016 2:54 pm

deleted  

Last edited by AmNe5iA on Sat Apr 02, 2016 2:56 pm; edited 1 time in total

AmNe5iA
Member
 
 

Page 2 of 3