You don't "sum" you "concatenate"
My mistake, intentions were concatenation and I placed a sum. Thank you for the clarification and illustration.
As AmNe5iA explained, Truecrypt is technically FVE, using the concatenated keys, should I be targeting the whole drive such as "/dev/sdb" in Linux or a specific partition "/dev/sdb2" where the OS resides in?
I appreciate the assistance provided immensely, thank you!
As AmNe5iA explained, Truecrypt is technically FVE, using the concatenated keys, should I be targeting the whole drive such as "/dev/sdb" in Linux or a specific partition "/dev/sdb2" where the OS resides in?
Since it is FVE you would logically target the Volume (or partition, if the volume is also a partition).
BUT wait for a hint by the Author, it is possible that the script is intended to recognize "whole disk" or "whole device", haven't looked at it.
There is a lot of confusion in the naming of things, particularly in a mixed *nix/Windows environment, just in case (and to avoid possible misunderstandings)
disk or disk drive = the whole thing, that has a number \\PhysicalDrive1 in Windows, a letter in Linux (/dev/sdb)
partition or volume = the thing that usually gets a drive letter in Windows (let's say D) [1] or a number in Linux (/dev/sdb2)
jaclaz
[1] but not for NTFS formatted volumes that - when on hard disk or similar - are one sector smaller than partition or allocated logical volume space, JFYI (not really related to the specific Truecrypt issue)
http//
I tried all combinations of concatenated key strings on both the whole disk as "/dev/sdb" and the particular partition where the OS resides in "/dev/sdb2".
Maybe the script is not intended to work with Truecrypt 7.1a in this way or the aeskeyfinder script is outputting somehow the wrong AES keys.
I've also noticed when running the aeskeyfinder script with the -v parameter it outputs an extended key?
If I may ask, has anyone used an alternative method in decrypting and mounting a Truecrypt drive?
As stated previously, Truecrypt is FVE, and so if the disk was encrypted, e.g. /dev/sda, then there would only be one file system within. Because of this there shouldn't be any sda1, sda2 etc.
Try using the "lsblk" command.
If it shows anything like sda1 or sda2 etc. then you know that it can't be the whole disk that is encrypted but one of the partitions.
Is the partition you are trying to decrypt a Truecrypt bootable partition? Because if it is, I don't think any of the tools I linked will work on it.
I haven't used AESKeyFind but I have used Bulk Extractor ( https://
I have then been able to find two 256 AES keys that when concatenated together successfully decrypted a truecrypt partition/disk using MKDecrypt.
lsblk displays the 240GB SSD as sdb and branches to display two partitions sdb1 100M and sdb2 223.5G.
The sdb2 partition contains a Windows 7 OS that requires pre-boot authentication using Truecrypt.
This confirms that the disk is not WDE and the suggested tools will not work?
This scenario is becoming a burden and I apologise for the hassle; however, it's become a great learning curve for myself.
Any ideas which tool or method would work?
Thank you.
Any ideas which tool or method would work?
Thank you.
Try imaging the sdb2 to a file and run the tools on the file.
Though possible, of course, at first sight I cannot think of why a "bootable" partition would be in any way different from a volume (a primary partition is a volume).
The difference might be where the header is (when compared to a container).
It is not at all clear (to me at least) if useful or "connected" to the issue at hand, but do have a look at sector LBA 62
https://
http//
See also
https://
http//
or - maybe - last sector before the beginning of the sdb2 extents, since the first partition is "in the middle".
See also
https://
https://
jaclaz
You can examine the truecrypt WDE drive but none of those tools will do what you want automatically.
MKdecrypt should help you discover the correct masterkey if you don't yet know it but it will state that it has found a hidden volume. (Most probably when it encounters the start of the first partition.)
The first sector on the encrypted disk will hold the partition table and the start of the truecrypt bootloader. You will need to interpret the partition table to complete this process. I would suggest dd-ing the first sector and either interpreting it manually in a hex editor or run the 'file' command against it.
Sectors 0 - 61 should contain the truecrypt bootloader in unencrypted form.
Sector 62 should contain the truecrypt header (which is decrypted by the header key calculated from the password/keyfiles)
Sectors 63-<end of the disk> are the disk encrypted using the masterkey.
You will need to use 'dmsetup' to 'device map' the decrypted disk using the correct masterkey.
sudo dmsetup create decrypted --table "0 <disk size in sectors> crypt aes-xts-plain64 <masterkey> 0 /dev/sdb 0"
You will find the decrypted disk located at /dev/mapper/decrypted
Sectors 0-62 should be garbage (as they were either unencrypted (0-61) or encrypted with a different key (62)) but sectors 63 and on should now be in plaintext.
To access the partitions you will need to create linear device mappings to them, again using 'dmsetup'
sudo dmsetup create partition1 --table "0 <size of partition 1 in sectors> linear /dev/mapper/decrypted <offset in sectors to partition 1>"
and
sudo dmsetup create partition2 --table "0 <size of partition 2 in sectors> linear /dev/mapper/decrypted <offset in sectors to partition 2>"
You should then be able to mount both partitions at /dev/mapper/partition1 and /dev/mapper/partition2
Alternatively you could just dd the whole of /dev/mapper/decrypted. Then process the dd image in something like X-Ways/Winhex and use Tools->Disk Tools->Scan for lost partitions… to locate the partitions before examination.
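The partition-table step described above, as an added example that is not part of the original post: it parses the MBR held in sector 0 and builds the matching dmsetup tables for the crypt and linear mappings. The sample MBR, the disk size and the `<masterkey>` placeholder are constructed, and `--readonly` is an addition to the post's commands so the evidence is mapped read-only.

```python
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                   # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # start LBA, length
        if ptype != 0 and count != 0:
            parts.append({"index": i + 1, "type": ptype,
                          "start": start, "sectors": count})
    return parts

def dmsetup_commands(disk_sectors, parts, device="/dev/sdb", key="<masterkey>"):
    """Build the crypt mapping for the whole disk, then one linear mapping
    per partition. The crypt table starts at sector 0 with IV offset 0, so a
    partition's offset inside /dev/mapper/decrypted equals its start LBA."""
    cmds = [f'dmsetup create decrypted --readonly --table '
            f'"0 {disk_sectors} crypt aes-xts-plain64 {key} 0 {device} 0"']
    for p in parts:
        if p["start"] + p["sectors"] > disk_sectors:
            raise ValueError(f"partition {p['index']} runs past end of disk")
        cmds.append(f'dmsetup create partition{p["index"]} --readonly --table '
                    f'"0 {p["sectors"]} linear /dev/mapper/decrypted {p["start"]}"')
    return cmds

def build_sample_mbr():
    """Constructed MBR: a 100M boot partition and a large NTFS partition."""
    mbr = bytearray(SECTOR)
    layout = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 468652032)]
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         status, b"\0" * 3, ptype, b"\0" * 3, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

SAMPLE_DISK_SECTORS = 468862128  # constructed; on a real disk use `blockdev --getsz`

if __name__ == "__main__":
    for line in dmsetup_commands(SAMPLE_DISK_SECTORS, parse_mbr(build_sample_mbr())):
        print("sudo " + line)
```

On a real disk, read sector 0 from the raw device (for example a dd copy of the first 512 bytes) and pass those bytes to `parse_mbr` in place of the constructed sample.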