Anyone got a bot to find deleted truecrypt container header?


jaclaz
Senior Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 06, 18 19:38

- 4144414D
It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.

github.com/4144414D/py...es/hunt.md


Very nice, though, if I may, there is a "main" link missing:

By looking for sections of continuous high entropy we can target the likely locations of TrueCrypt headers. By checking the sectors around 27701 and 48476 we are able to check a small number of sectors as every check will take some time, particularly on VeraCrypt headers.

How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?

That is "Shannon" Entropy, right?

Something *like* entropie?

github.com/dupgit/entropie

with -b 512?
or
deadhacker.com/2007/05...ary-files/

or binwalk?
github.com/ReFirmLabs/...wiki/Usage

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

4144414D
Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 06, 18 20:37

- jaclaz

How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?


Ah, that section is just explaining what is happening. You don't need to do any identification yourself the script takes care of all of that for you. It does the entropy calculations and finds the likely places for headers itself. I'll add some words to explain that a little better.

- jaclaz

That is "Shannon" Entropy, right?

Yup. Again I'll add that when I get a moment.

- jaclaz


Yes, binwalk is an amazing tool. Truly fantastic.

My personal favourite for visualising entropy is PortEx (https://github.com/katjahahn/PortEx) it's designed for executables but it'll make a nice diagram of basically anything.

Example image from the GitHub here: camo.githubusercontent...4f2e706e67  
 
  

jaclaz
Senior Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 06, 18 21:12

Thanks

That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

4144414D
Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 07, 18 08:47

- jaclaz
That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).


Added those comments now, thank you. If you have any other comments or corrections let me know. You can even do a pull request if you are feeling adventurous, although that is a lot of effort. I was thinking of linking to an existing tutorial about calculating and visualising the entropy if you happen to know of a good existing one?

I've not written the guide for this one but if you fancy a challenge here's the next image. It is a FAT volume that once contained a container, it was reformatted FAT, and a number of pictures copied on to it. This overwrote the header at the start of the container. The password is 'password' again.

raw.githubusercontent....ample2.zip

I need to make pytruecrypt a pip package so it's easier to install though.  
 
  

loonaluna
Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 07, 18 20:49

Hey, thanks for your tutorials. I've installed it all and got it running, and it does exactly what it shows in the tutorial with your example file. I have a chunk of material I need to look into though, so high and low entropy is not an option for me, so I think I need to do a brute force instead of a chain. I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector (or hex kb of this sector or whatever it's called), until I cover the entirety of the free space that I suspect is involved here. Do I do this with dump.py instead of python.py, and if so, how?
 
  

4144414D
Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 07, 18 21:13

- loonaluna
I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector.


If you can extract this space into a smaller file you can still run hunt.py against it to find, hopefully, your missing TrueCrypt header. The same applies if you do what jaclaz suggested in one of your other threads and extract a few GB around where the sections of unallocated space are.

This thread: www.forensicfocus.com/...c/start=7/

The high/low entropy all happens without any effort from you and it's what I would run first for sure. It'll work on sections of the image just as well as the whole image.

You can try the brute force option but it will be extremely slow. Try it on that 30 MB test file first and you'll see how slow it is.


You can just run hunt.py against the whole 2 TB image, but I feel like it may crash as it's currently holding all the entropy information in memory. The entropy calculations will take an age too.

Given that you think your missing containers are well over 2 GB the hunt.py command would be:

hunt.py <your image> <your password> --chain=4000000


EDIT: Also a quick note, if your password has a space in it this won't work. I'll need to update the script.  
 
  

loonaluna
Member
 

Re: Anyone got a bot to find deleted truecrypt container hea

Post Posted: Mar 07, 18 23:43

Ah ok, I misread the chain concept as something that differentiated suspiciously obscure space typical of TrueCrypt from typically boring text files with little entropy. That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute force instead. But of course I hadn't changed chain=256 to chain=4 million, so that's probably why the headers didn't show up. By the way, what is the reason why chain=4000000 when the file is 2 GB?
 
