WDE - Truecrypt (Project Assistance)

18 Posts
3 Users
0 Likes
1,783 Views
(@coreyj81)
Posts: 7
Active Member
Topic starter
 

Hi, I am new to the website and apologise if the topic is redundant or not in the right place.

I am currently studying computer forensics and my project aim is to produce an effective procedure in detecting strictly whole disk encryption, pulling keys from volatile memory and decrypt then mount the drive on a forensic workstation.

Achieved: I have successfully mounted and decrypted a Bit-locker drive using 'bdemount' in linux (Ubuntu) and gained full access to the drive.

Current Task: I have now moved on to truecrypt 7.1a and successfully gained access to a TC container using volatile memory using the extracted key. However, this is not WDE yet, TC does supply the functionality and the current drive being used is encrypted with the default AES encryption method.

I have managed to recover the master key from volatile memory using 'aeskeyfinder' (Linux) which doesn't fit my criteria (only AES keys). However, extracting keys using Elcomsoft Forensic Disk Decryptor displays multiple PGP keys which completely confuses me.

Problem: I have used the Truecrypt plugins in Volatility but they simply do not work, nor display the encryption method. All resources I have found relate directly to TC containers or volumes, not the entire disk.

Question: How can I effectively and easily extract TC WDE keys and mount the drive to view its contents (similar to the bit-locker technique, I am happy to use both Windows and Linux)?

Note: EFDD displays an error message when attempting to decrypt (Invalid Key from memory dump).

Any help appreciated and apologies for the wall of text.

Thanks,
Corey.

 
Posted : 31/03/2016 6:17 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Have you tried (all Linux)

1. https://gitlab.com/cryptsetup/cryptsetup
2. https://github.com/4144414D/pytruecrypt
or
3. https://github.com/AmNe5iA/MKDecrypt

 
Posted : 31/03/2016 4:32 pm
(@coreyj81)
Posts: 7
Active Member
Topic starter
 

Have you tried (all Linux)

1. https://gitlab.com/cryptsetup/cryptsetup
2. https://github.com/4144414D/pytruecrypt
or
3. https://github.com/AmNe5iA/MKDecrypt

Thank you for the assistance, I have used cryptsetup and failed (I think it only supports volumes or containers). When I attempt to request info of the drive, it prompts for a pass phrase. I'm unsure how to fully use the tool and was unable to pass the master key for decryption.

I didn't come across the other two, I'll give them a try and let you know!

 
Posted : 31/03/2016 6:02 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

cryptsetup doesn't allow you to pass the masterkey directly, though the other two do.

A truecrypt file (e.g. file.tc) is essentially the same as a truecrypt partition (e.g. /dev/sda1) or disk (e.g. /dev/sda) with the exception of truecrypt bootable system partitions which have a slightly different structure. I'm not sure any of these tools will open a truecrypt bootable system partition.

Also technically Bitlocker and Truecrypt are actually FVE not WDE.

 
Posted : 31/03/2016 9:00 pm
(@coreyj81)
Posts: 7
Active Member
Topic starter
 

MKDecrypt seems to be the right solution, however it states that the wrong key is being used. aeskeyfinder outputs the following:

df6445b4b8b8d997617946b1f8050bb2
cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
6d3469720a3f597ac70eddea30690dc5530af99731517a954f9bcbd2e1dba962
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
4b9e532541a94627b70da15381550e86b811a9f9a0c19b927107a44cb2074b75

MKDecrypt asks for either a 128, 256 or 384 hexadecimal character length. I assume true-crypt uses a 256 bit key.

I have used combinations of the keys above yet, none work.

Command used: sudo ./MKDecrypt.py -v /dev/sda "aes key 256"

Unwanted message: /dev/sda exists
Masterkey does not decrypt a normal/outer volume. Trying for a hidden volume…

 
Posted : 01/04/2016 5:11 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There is something sounding "wrong", an AES key should be 256 bits, i.e. 32 bytes or 64 hex characters, see
http://volatility-labs.blogspot.it/2014/01/truecrypt-master-key-extraction-and.html

Whilst the MKdecrypt expects 128/256/386 hex characters

# MKDecrypt.py length check: a valid XTS master key is 128, 256 or 384 hex characters
if not len(args.MASTERKEY) == 128 and not len(args.MASTERKEY) == 256 and not len(args.MASTERKEY) == 384:
    print('MASTERKEY is not of the correct length. It should be 128, 256 or 384 hexadecimal characters in length.')
    exit(1)

128 hex characters are 64 bytes or 512 bits, maybe you need the two 256 bit keys used in (whatever it means) XTS mode
http://mweissbacher.com/blog/tag/truecrypt/

jaclaz

 
Posted : 01/04/2016 1:42 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Truecrypt 7 works in XTS mode which requires two 256 bit keys concatenated together to form one 512 bit key. This equates to 128 hex characters (512 / 4 (a nibble) = 128). If cascaded encryption is being used i.e. aes->twofish then four 256 bit keys are required (1024 / 4 = 256 hex characters). If three level cascaded encryption is being used i.e. aes->twofish->serpent then six 256 bit keys are required, this equates to 384 hex characters (1536 / 4 = 384).

For your AES key to work you will have to correctly identify the two 256 bit keys from memory and concatenate them together in the right order. For non cascaded encryption this is relatively simple as there are only two options, either <key1>+<key2> or <key2>+<key1>.

 
Posted : 01/04/2016 2:09 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Looking at your AESkeyfind output you can ignore the first one as this is a 128 bit key. That leaves five 256 bit keys (one of the keys is repeated twice). Unless you are able to gather more clues as to which two aes keys are the required two you will have to systematically pair up the keys until you find the two keys (in the correct order) that decrypt the disk.

so…

<key1>+<key2>
<key2>+<key1>
<key1>+<key3>
<key3>+<key1>
<key1>+<key4>
etc…

From my own experience however I have found the two keys in close proximity in memory and in the correct order, e.g. key 4 and key 5 found in that order in close proximity would indicate that the correct placement would be <key4>+<key5>.

 
Posted : 01/04/2016 2:19 pm
(@coreyj81)
Posts: 7
Active Member
Topic starter
 

Thanks jaclaz, the volatility link was a nice read and originally the source of the aeskeyfinder usage.

While the individual keys are 256 bits, the length (character count) is 64 and when combined is a 128 character length string.

MKDecrypt states (purposely to get the message to show) "MASTERKEY is not of the correct length. It should be 128, 256 or 384 hexadecimal characters in length."

AmNe5iA, to my understanding and the usage of MKDecrypt, would I need to convert the string to hexadecimal for a character length of 256?

For example

<key1> & <key2> = <outputKey>

<outputKey> toHex = <hexKey>

Result: sudo ./MKDecrypt.py -v "drive" "hexKey"

 
Posted : 01/04/2016 9:45 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For example

Key1=cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
Key2=65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb

EACH of the above is at the same time
a. 256 bits
b. 32 bytes
c. 64 hex characters

You don't "sum" you "concatenate"

For your AES key to work you will have to correctly identify the two 256 bit keys from memory and concatenate them together in the right order.

Key1 & Key2=hexKey

hexKey=cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c0949265b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb

hexKey is at the same time
a. 512 bits (or 2x256)
b. 64 bytes
c. 128 hex characters

jaclaz

 
Posted : 01/04/2016 10:17 pm
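The two replies above (the pairing list from AmNe5iA and the concatenation walkthrough from jaclaz) describe a manual procedure; the script below is an added example that automates it and is not part of this thread, of aeskeyfind or of MKDecrypt. It assumes only that aeskeyfind prints one hex key per line (as in the paste above, reused here as constructed sample input). It drops 128-bit hits, removes duplicates, and lists every ordered concatenation of two distinct 256-bit keys, putting pairs that were adjacent in memory order first, since that is the ordering AmNe5iA reports works in practice. Each candidate is checked against the same 128/256/384 hex-character rule MKDecrypt enforces, so the examiner feeds MKDecrypt a short, ordered list instead of guessing.

```python
"""Build candidate TrueCrypt XTS master keys from aeskeyfind output.

Added example for this thread; not code from aeskeyfind or MKDecrypt.
Assumes aeskeyfind emits one hex-encoded key per line.
"""
from itertools import permutations

# Constructed sample: the six keys pasted earlier in the thread.
AESKEYFIND_OUTPUT = """\
df6445b4b8b8d997617946b1f8050bb2
cbd47cc4684184c4b39e922f5b8a21bf53eb8b2c7eadeae7e8baa20dc6c09492
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
6d3469720a3f597ac70eddea30690dc5530af99731517a954f9bcbd2e1dba962
65b2ed49c1f1c857d863973cb49637214b23caf54cef8cbddfd2cd7e8e433dbb
4b9e532541a94627b70da15381550e86b811a9f9a0c19b927107a44cb2074b75
"""

HEX_CHARS_PER_256_BIT_KEY = 64          # 256 bits / 4 bits per hex digit
# XTS master key sizes MKDecrypt accepts: single cipher, 2-way and 3-way cascade.
VALID_MASTERKEY_HEX_LENGTHS = (128, 256, 384)


def parse_256bit_keys(text):
    """Return distinct 256-bit keys in the order aeskeyfind found them.

    128-bit (32 hex char) hits are skipped; they cannot be XTS halves here.
    """
    keys = []
    for line in text.splitlines():
        candidate = line.strip().lower()
        if len(candidate) != HEX_CHARS_PER_256_BIT_KEY:
            continue
        try:
            bytes.fromhex(candidate)           # reject anything that is not hex
        except ValueError:
            continue
        if candidate not in keys:              # keep first occurrence only
            keys.append(candidate)
    return keys


def masterkey_length_ok(hexkey):
    """Same length rule as MKDecrypt's MASTERKEY check."""
    return len(hexkey) in VALID_MASTERKEY_HEX_LENGTHS


def candidate_xts_masterkeys(keys):
    """Every ordered concatenation key_a + key_b with a != b.

    Pairs that sit next to each other in memory order are tried first,
    because the XTS halves tend to be stored together and in order.
    """
    adjacent = [keys[i] + keys[i + 1] for i in range(len(keys) - 1)]
    others = [a + b for a, b in permutations(keys, 2) if a + b not in adjacent]
    return [c for c in adjacent + others if masterkey_length_ok(c)]


if __name__ == "__main__":
    found = parse_256bit_keys(AESKEYFIND_OUTPUT)
    for i, candidate in enumerate(candidate_xts_masterkeys(found), 1):
        # Each line is a MASTERKEY argument to try, e.g. ./MKDecrypt.py -v /dev/sdX <candidate>
        print(f"{i:2d}: {candidate}")
```

With the four distinct 256-bit keys in the sample this yields twelve candidates; the first one printed is exactly the hexKey jaclaz spells out above (Key1 followed by Key2), so on this data the adjacency heuristic and the manual walkthrough agree.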