Assistance with True Crypt analysis

mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

Does anyone have any good info on TrueCrypt analysis? I have a case where I ran OS Triage on a running computer and it did not detect any crypt programs running. I also checked the sys tray and there were no open crypt programs. I did do an OS Triage live scan (lite), not the full scan. Additionally, after the fact, I should have done an FTK memory dump… but I didn't.

When I tried to do image file previews (pictures) in EnCase v6.19 after "pulling the plug", I kept getting encryption errors. When I imaged the drive and did an analysis on it, I ran it through Passware, which detected several encrypted files.

Now, I do have the user's login (admin) password, along with several other passwords the suspect wrote down, which were located by his computer. Although I have a lot of potential passwords, I don't know which is the password for the TrueCrypt files, nor is the suspect willing to talk.

Is it possible to utilize VMware Workstation to put his computer (image) into a virtual environment, try the passwords to unlock the TrueCrypt files and then do a logical image with FTK?

If anyone has any ideas to help, please respond.

 
Posted : 29/12/2013 6:15 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does anyone have any good info on TrueCrypt analysis? I have a case where I ran OS Triage on a running computer and it did not detect any crypt programs running. I also checked the sys tray and there were no open crypt programs. I did do an OS Triage live scan (lite), not the full scan. Additionally, after the fact, I should have done an FTK memory dump… but I didn't.

When I tried to do image file previews (pictures) in EnCase v6.19 after "pulling the plug", I kept getting encryption errors. When I imaged the drive and did an analysis on it, I ran it through Passware, which detected several encrypted files.

Now, I do have the user's login (admin) password, along with several other passwords the suspect wrote down, which were located by his computer. Although I have a lot of potential passwords, I don't know which is the password for the TrueCrypt files, nor is the suspect willing to talk.

You said that you "detected several encrypted files". What does that mean? It doesn't sound as if the issue is whole disk encryption (WDE)…or is it? How do you know that the files are actually encrypted, and that they're encrypted with TrueCrypt?

Is it possible to utilize VMware Workstation to put his computer (image) into a virtual environment, try the passwords to unlock the TrueCrypt files and then do a logical image with FTK?

I would think that anything is possible. I don't think that you've provided enough information here for others to make an explicit statement as to "yes" or "no" regarding what is specifically possible…there are quite a few unknowns and variables.

For example, the image you acquired is from what OS? I would assume Windows based on what you said, but which version? In what format was the image acquired (EWF, AFF, raw dd)?

My primary questions here would include: why do you think that the files you tried to preview are image files, and that they're encrypted? I understand that you found encryption programs, and I also understand that your use of EnCase seems to indicate that the files are encrypted, but have you looked at the files yourself? Have you tried opening them in a hex editor? Have you conducted any analysis of the system to determine (a) if the user viewed the files, and if so (b) with which application?

I'm not trying to suggest that you're wrong or incorrect…not at all. All I'm saying is that in requesting assistance, you've provided a number of "dots", but based on what you've provided, I'm not entirely clear on how they're connected.

 
Posted : 29/12/2013 7:33 pm
(@athulin)
Posts: 1156
Noble Member
 

I have a case where I ran OS Triage on a running computer and it did not detect any crypt programs running.

Don't know that program – do you trust it to detect TrueCrypt? Are there TC binaries/drivers/etc around on the disk?

When I tried to do image file previews (pictures) in EnCase v6.19 after "pulling the plug", I kept getting encryption errors.

And what do they say? I don't quite see how EnCase can identify TrueCrypt files … you're sure about TC?

File system is … ? I guess NTFS, in which case … is there anything that makes EFS impossible? Do you have EFS-support with your EnCase?

But if you have a readable NTFS file system, you should be able to use Autoruns to see if there are any indications of encryption software being started. Or in Prefetch. And so on.

Is it possible to utilize VMware Workstation to put his computer (image) into a virtual environment, try the passwords to unlock the TrueCrypt files and then do a logical image with FTK?

You never know until you try – it seems worthwhile, if nothing else.

 
Posted : 29/12/2013 9:21 pm
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

"You said that you "detected several encrypted files". What does that mean? It doesn't sound as if the issue is whole disk encryption (WDE)…or is it? How do you know that the files are actually encrypted, and that they're encrypted with TrueCrypt?"

@ Keydet89 & athulin
When I did a preview with EnCase v6, I kept receiving an error window advising that the file it was trying to read (there were several) was encrypted. EnCase did not advise it was TrueCrypt; I discovered that later on.

As for Passware, it did detect that there were TrueCrypt files, and TrueCrypt is installed on the computer.

I did check EFS in both FTK Imager and EnCase and they did not detect EFS. Hope this makes better sense to you. I also checked the Prefetch folder, and at the moment I can't remember the outcome; I'll have to recheck tomorrow.

Sorry for the holes. W7. athulin, I did look at the files in hex and it looks like typical encrypted data.

Good questions.

 
Posted : 29/12/2013 10:27 pm
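A way to put "looks like typical encrypted data" on a firmer footing than eyeballing a hex dump, as an added example that is none of the posters' code: a triage check for properties a TrueCrypt container is known to have (no recognizable file signature, because its header is itself encrypted; a size that is a whole multiple of 512 bytes; near-maximal byte entropy). The samples are constructed, and a positive result only says "consistent with an opaque container", not "this is TrueCrypt"; Passware's identification still does that job.

```python
import math
from collections import Counter
from random import Random

# Common file signatures; a TrueCrypt container starts with none of them.
KNOWN_SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP/Office",
    b"%PDF": "PDF",
    b"MZ": "PE executable",
}
SECTOR = 512  # TrueCrypt volume sizes are whole multiples of the 512-byte sector

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_signature(data: bytes):
    """Return the name of a recognized file signature at offset 0, or None."""
    for magic, name in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def assess(data: bytes, sample: int = 65536) -> dict:
    """Triage one file's bytes: is it consistent with an opaque encrypted container?"""
    ent = shannon_entropy(data[:sample])      # entropy of the leading sample only
    sig = known_signature(data)
    aligned = len(data) > 0 and len(data) % SECTOR == 0
    consistent = sig is None and aligned and ent > 7.9
    return {"entropy": round(ent, 3), "signature": sig,
            "sector_aligned": aligned, "consistent_with_container": consistent}

# Constructed samples (not from the case): a seeded pseudo-random 1 MiB blob standing in
# for a container, and a "JPEG" that is only a header followed by zero padding.
_rng = Random(2013)
FAKE_CONTAINER = bytes(_rng.getrandbits(8) for _ in range(1024 * 1024))
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 4092

if __name__ == "__main__":
    for name, blob in (("container", FAKE_CONTAINER), ("jpeg", FAKE_JPEG)):
        print(name, assess(blob))
```

Run it over the files EnCase flagged by reading each one with `open(path, "rb").read()` and passing the bytes to `assess`.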
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"You said that you "detected several encrypted files". What does that mean? It doesn't sound as if the issue is whole disk encryption (WDE)…or is it? How do you know that the files are actually encrypted, and that they're encrypted with TrueCrypt?"

@ Keydet89 & athulin
When I did a preview with EnCase v6, I kept receiving an error window advising that the file it was trying to read (there were several) was encrypted. EnCase did not advise it was TrueCrypt; I discovered that later on.

How so? Via Passware?

What were the file names/paths? You had said earlier that you were previewing image files when EnCase alerted you to the files being encrypted…what made you think that these files were image files?

Have you tried running the image file in a VM and logging in yet?

 
Posted : 30/12/2013 5:11 pm
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
Topic starter
 

Keydet89 - Initially I received the error from EnCase v6.19 that it could not read some files due to encryption, and as a result I canceled the on-site preview. When I brought the hard drive back to our lab, I created an image and ran Passware against the image. Passware advised it was TrueCrypt. Additionally, I have not put it into a VM yet; I was off for the weekend. Hopefully I'll try today.

 
Posted : 30/12/2013 7:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What did you find?

 
Posted : 04/01/2014 5:55 pm