Imaging Truecrypt encrypted drives

Redcelica67
(@redcelica67)
Posts: 130
Estimable Member
Topic starter
 

I have recently created an e01 image of an encrypted drive, which had been wholly encrypted using Truecrypt by its owner. Why is it that, even though my image is a bit by bit copy, it cannot be opened using the Truecrypt password which I had in my possession? I resorted to opening the Truecrypt container and imaging the contents as a logical drive using FTK. Scratching my head and any advice would be welcomed.

Just to clarify my method, I mounted the e01 image using FTK Imager, I then mounted this in Truecrypt. I entered the correct password but Truecrypt would not accept it.

 
Posted : 02/08/2011 10:48 pm
 96hz
(@96hz)
Posts: 143
Estimable Member
 

I think the way FTK imager mounts is not akin to the way EnCase physical disk emulator mounts, so I suspect Truecrypt cannot actually see the mounted image as a physical drive. I believe FTKi is closer to a network share when it mounts, although for some applications they can access the drive as if it were physical. I have had similar problems when dealing with volume shadow copies where the mounted image would not behave as a physical disk.

I would suggest either using EnCase PDE or relaying the image to a hard drive and mounting (in Truecrypt) from there.

Be interested if anyone else has experienced this and any other suggestions for mounting without a dongle/EnCase?

 
Posted : 03/08/2011 12:37 am
Redcelica67
(@redcelica67)
Posts: 130
Estimable Member
Topic starter
 

Thanks 96hz for your reply. Truecrypt mounted the image, which was first mounted as a drive with FTKi, with no problem. The result was that when I entered the password, Truecrypt displayed a message saying that either the password was incorrect or it may not be a Truecrypt file……

 
Posted : 03/08/2011 12:53 am
(@shep47)
Posts: 51
Trusted Member
 

I'm guessing FTK isn't really handling the drive mount correctly because of the encryption. As you have the data I would clone it back to a physical hard drive, attach that to your computer (or in the original hardware) and see if you can access it then. Once you have access via TC and the password I would then create an independent physical/logical image whilst it is in the unencrypted state. Good luck.

 
Posted : 03/08/2011 12:13 pm
(@ludlowboy)
Posts: 71
Trusted Member
 

I had a similar problem with a chat examination using Internet Evidence Finder.
I mounted the image with FTK but the Internet Evidence Finder software could not see the mounted drive.
I mounted the drive with EnCase and the Internet Evidence Finder software saw the drive and worked fine.
I assume that there is something different in the way that FTK and EnCase mount drives.

 
Posted : 03/08/2011 1:00 pm
Redcelica67
(@redcelica67)
Posts: 130
Estimable Member
Topic starter
 

I have a parallel thread going for this amongst the Truecrypt community for anyone interested. http://forums.truecrypt.org/viewtopic.php?p=96245#96245

 
Posted : 04/08/2011 11:25 am
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

When you mount with TrueCrypt, in the window where you type the password go to "Mount Options" and choose "Use backup header embedded in volume if available" and see if it works for you.

 
Posted : 04/08/2011 8:36 pm
Redcelica67
(@redcelica67)
Posts: 130
Estimable Member
Topic starter
 

Thanks Ecophobia, I think I tried this but maybe the best bet now the case is to run some trials in the lab. I'll report back when I have a solution. That's after my 2 weeks vacation of course :-)

There are some useful pointers that have landed today in the Truecrypt forum via the link in my last reply in this thread.

 
Posted : 04/08/2011 11:02 pm