Anyone got a bot to find deleted truecrypt container header?  

Page 1 / 3
loonaluna
(@loonaluna)
Junior Member

I'm looking to recover a deleted truecrypt container but I don't have any identifying header information. The header could be anywhere on the drive (or it could be deleted of course, and the file could be fragmented, but I'll try). I've learned how to recover deleted containers on other drives, so I know where I'm going this time, but the free space designated as such by winhex that I was hoping would be the beginning of my file and so have my header password, isn't giving any positive results when I create a small file of it and apply the password in truecrypt. So is there a program out there that sifts through this huge amount of data applying a password to every new kb?

Another question, do truecrypt containers have backups of their headers at the end of the file too, like truecrypt partitions do?

Posted : 02/03/2018 4:42 pm
armresl
(@armresl)
Community Legend

Hello,

Could you provide some information about yourself please.
Are you working, student, etc.?

Posted : 02/03/2018 10:38 pm
4144414D
(@4144414d)
Junior Member

If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.

If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.

Posted : 03/03/2018 10:49 am
AmNe5iA
(@amne5ia)
Active Member

Loonaluna,

I'm wondering, did you turn off indexing? This is something like the 5th or 6th post you've made about essentially the same thing.

Posted : 03/03/2018 10:58 am
loonaluna
(@loonaluna)
Junior Member

I made the drive a read-only drive, as I thought that would be sufficient and that indexing only happened on the OS drive. Could be wrong though. I thought about opening a new thread as the first one didn't describe the issue properly, and was full of very noobish statements that distracted from the problem once I'd learned some of the basics.

I don't work in forensics, and I'm not a student. A few months ago I screwed up, I deleted two huge truecrypt containers that could be holding important information. Sometime after (not immediately after), after failing with recuva and other standard software because the files are so big, I unplugged the drive, and a month or so later I made an image of the drive which is what I'm working on right now. After weeks of being angry at my mistakes, I think it's time to at least try to recover the file.

Posted : 03/03/2018 11:15 am
loonaluna
(@loonaluna)
Junior Member

> If you aren't sure where the header is then hunt.py from pytruecrypt as I explained in your other thread will help locate it.
>
> If you need me to create detailed instructions then let me know and I'll get round to it at some point. I do want to know if you are a student or working in forensics.

That would be wonderful, thank you very much. In the other thread, about winhex free space, I was pinning my hopes on two big spaces of 'free spaces' that winhex had identified, but it remains to be seen what winhex is doing and whether the drive is telling the truth about this free space. If that's not the free space, I could go through the entire drive, but I would need a script for that too and I'm terrible at reading code, let alone modifying it. I also can't remember if I used AES or one of the other options on truecrypt when creating the containers.

Regardless, I'll try to install python on my pc this weekend and see if I can make head or tail of the script, at least to get it to run once on a smaller sample of data.

Posted : 03/03/2018 12:10 pm
4144414D
(@4144414d)
Junior Member

It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.

https://github.com/4144414D/pytruecrypt/blob/master/examples/hunt.md

Posted : 06/03/2018 5:49 pm
jaclaz
(@jaclaz)
Community Legend

> It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.
>
> https://github.com/4144414D/pytruecrypt/blob/master/examples/hunt.md

Very nice ) though, if I may, there is a "main" link missing

> By looking for sections of continuous high entropy we can target the likely locations of TrueCrypt headers. By checking the sectors around 27701 and 48476 we are able to check a small number of sectors as every check will take some time, particularly on VeraCrypt headers.

How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?

That is "Shannon" Entropy, right?

Something *like* entropie?

https://github.com/dupgit/entropie

with -b 512 ?
or
https://deadhacker.com/2007/05/13/finding-entropy-in-binary-files/

or binwalk?
https://github.com/ReFirmLabs/binwalk/wiki/Usage

jaclaz

Posted : 06/03/2018 6:38 pm
4144414D
(@4144414d)
Junior Member

> How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?

Ah, that section is just explaining what is happening. You don't need to do any identification yourself the script takes care of all of that for you. It does the entropy calculations and finds the likely places for headers itself. I'll add some words to explain that a little better.

> That is "Shannon" Entropy, right?

Yup. Again I'll add that when I get a moment.

> Something *like* entropie?
>
> https://github.com/dupgit/entropie
>
> with -b 512 ?
> or
> https://deadhacker.com/2007/05/13/finding-entropy-in-binary-files/
>
> or binwalk?
> https://github.com/ReFirmLabs/binwalk/wiki/Usage

Yes, binwalk is an amazing tool. Truly fantastic.

My personal favourite for visualising entropy is PortEx (https://github.com/katjahahn/PortEx) it's designed for executables but it'll make a nice diagram of basically anything.

Example image from the GitHub here https://camo.githubusercontent.com/dc9408d203ba6bb5a1442249ba68dbf257780a2c/687474703a2f2f692e696d6775722e636f6d2f374e427a65344f2e706e67

Posted : 06/03/2018 7:37 pm
jaclaz
(@jaclaz)
Community Legend

Thanks )

That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).

jaclaz

Posted : 06/03/2018 8:12 pm
4144414D
(@4144414d)
Junior Member

> That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).

Added those comments now, thank you. If you have any other comments or corrections let me know. You can even do a pull request if you are feeling adventurous, although that is a lot of effort. I was thinking of linking to an existing tutorial about calculating and visualising the entropy if you happen to know of a good existing one?

I've not written the guide for this one but if you fancy a challenge here's the next image. It is a FAT volume that once contained a container, it was reformatted FAT, and a number of pictures copied on to it. This overwrote the header at the start of the container. The password is 'password' again.

https://raw.githubusercontent.com/4144414D/pytruecrypt/gh-pages/resources/example2.zip

I need to make pytruecrypt a pip package so it's easier to install though.

Posted : 07/03/2018 7:47 am
loonaluna
(@loonaluna)
Junior Member

Hey thanks for your tutorials. I've installed it all and got it running and it does exactly what it shows in the tutorial, with your example file. I have a chunk of material I need to look into though, so high and low entropy is not an option for me, so I think I need to do a brute force instead of a chain. I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector (or hex kb of this sector or whatever it's called), until I cover the entirety of the free space that I suspect is involved here. Do I do this with dump.py instead of python.py, and if so how?

Posted : 07/03/2018 7:49 pm
4144414D
(@4144414d)
Junior Member

> I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector.

If you can extract this space into a smaller file you can still run hunt.py against it to find, hopefully, your missing TrueCrypt header. If you do what jaclaz suggested in one of your other threads and extract a few gb around where the sections of unallocated space are.

This thread https://www.forensicfocus.com/Forums/viewtopic/t=16377/postdays=0/postorder=asc/start=7/

The high/low entropy all happens without any effort from you and it's what I would run first for sure. It'll work on sections of the image just as well as the whole image.

You can try the brute force option but it will be extremely slow. Try it on that 30mb test file first and you'll see how slow it is.

You can just run hunt.py against the whole 2TB image, but I feel like it may crash as it's currently holding all the entropy information in memory. The entropy calculations will take an age too.

Given that you think your missing containers are well over 2GB the hunt.py command would be

hunt.py --chain=4000000

EDIT Also a quick note, if your password has a space in it this won't work. I'll need to update the script.

Posted : 07/03/2018 8:13 pm
loonaluna
(@loonaluna)
Junior Member

Ah ok I misread the chain concept as something that differentiated suspiciously obscure space typical of truecrypt from typically boring text files with little entropy. That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute instead. But of course I hadn't changed chain=256 to chain=4 million, so that's why the headers didn't show up probably. By the way, what is the reason why chain=4000000 when the file is 2GB?

Posted : 07/03/2018 10:43 pm
4144414D
(@4144414d)
Junior Member

> Ah ok I misread the chain concept as something that differentiated suspiciously obscure space typical of truecrypt from typically boring text files with little entropy.

No, you are completely correct. That is exactly what it does. Hunt tries to locate headers based on the differences between high/low entropy.

> That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute instead.

A couple of things that are probably causing this.

1) hunt will create a file called 'ent.pickle' once it's calculated the entropy for a file. That's because calculating the entropy takes quite a while, and if we might try a few passes at the same file it doesn't make sense to recalculate the entropy each time.

However, if you move from one file to another and you've stayed in the same folder it will reuse the ent.pickle but for the wrong file. So instead of calculating the entropy it simply says 'Loading source entropy from ent.pickle'. Not the most obvious warning message I admit. If you delete ent.pickle and try again see how it goes.

I personally like to keep each of the images I'm working on in different folders, that way the extracted headers, ent files, and the results logs don't get mixed up.

2) The script isn't designed to run against containers on their own but 'hunts' (hence the silly name) for containers inside disk images. I actually think it'll crash on a full container. It might see the entropy starting at sector 0 but by default, it tries to look 8 sectors either side of where it thinks a header will be and sectors -1, -2, -3 etc do not exist and when it tries to read them it would crash.

I'll make changes to the script to make this more obvious and update the guide when I've finished the write up for example 2.

For now, try the brute force method on what you've extracted but only let it run a few minutes or so. If that doesn't get the header you are better off with the chain method.

> But of course I hadn't changed chain=256 to chain=4 million, so that's why the headers didn't show up probably. By the way, what is the reason why chain=4000000 when the file is 2GB?

chain=256 is going to find basically any TrueCrypt header but has the most chance of getting confused with other random files on the disk. That is because 256 sectors are the size of the header, which is about 128kb. It's likely you'll have other random files that are larger than that which hunt will then waste time on trying to decrypt them.

chain=4000000 is looking for a minimum of 4000000 high entropy sectors in a row before it'll start trying to decrypt things. 4000000 * 512 = 2048000000 bytes, which is around the 2gb mark. You are less likely to have other files of that size that are as random as a TrueCrypt container so hopefully, hunt will find the result quicker this way.

Hence the ent.pickle file. If you manage to parse the full 2TB file you could try with a very big chain number and keep lowering it if you don't find anything. The ent.pickle file saves you from recalculating the entropy for each attempt, which saves a lot of time.

Posted : 08/03/2018 7:15 am
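The three ideas 4144414D describes above (per-sector Shannon entropy, the ent.pickle cache that gets reused for the wrong image when you change files in the same folder, and the chain=N filter that only looks at runs of at least N high-entropy sectors, with sectors read "8 either side" of a candidate) can be written out in a few dozen lines. The following is an added example and not pytruecrypt's own code: the 7.5 bits/byte threshold, the file names, the function names and the cache-key scheme are assumptions, and the "disk images" it runs on are constructed in a temporary folder so it works offline.

```python
"""Added example (not pytruecrypt's own code): the entropy-hunting idea from
the thread as plain Python. Threshold, file names and key scheme are assumed."""
import hashlib
import json
import math
import os
import random
import tempfile
from collections import Counter

SECTOR = 512
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, not hunt.py's value


def sector_entropy(data: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path: str) -> list:
    """Entropy of every SECTOR-byte block of the image, in order."""
    with open(path, "rb") as fh:
        return [sector_entropy(b) for b in iter(lambda: fh.read(SECTOR), b"")]


def image_key(path: str) -> str:
    """Identity of an image: its size plus a hash of its first and last MiB.
    A cache that is only tied to the folder gets reused for the wrong image;
    a cache checked against this key does not."""
    size = os.path.getsize(path)
    h = hashlib.sha256(str(size).encode())
    with open(path, "rb") as fh:
        h.update(fh.read(1 << 20))
        fh.seek(max(0, size - (1 << 20)))
        h.update(fh.read(1 << 20))
    return h.hexdigest()


def cached_profile(path: str, cache_path: str) -> tuple:
    """Return (profile, cache_hit). JSON instead of pickle on purpose: a
    pickle in a shared working folder is executable input, JSON is only data."""
    key = image_key(path)
    if os.path.exists(cache_path):
        with open(cache_path) as fh:
            cached = json.load(fh)
        if cached.get("key") == key:
            return cached["profile"], True
    profile = entropy_profile(path)
    with open(cache_path, "w") as fh:
        json.dump({"key": key, "profile": profile}, fh)
    return profile, False


def high_entropy_runs(profile: list, chain: int, threshold=HIGH_ENTROPY) -> list:
    """(start_sector, length) of each run of >= chain consecutive sectors at or
    above threshold; this is what chain=N selects before any decrypt attempt."""
    runs, start = [], None
    for i, e in enumerate(profile + [0.0]):  # sentinel closes a trailing run
        if e >= threshold:
            start = i if start is None else start
        elif start is not None:
            if i - start >= chain:
                runs.append((start, i - start))
            start = None
    return runs


def candidate_sectors(start: int, total: int, radius: int = 8) -> list:
    """Sectors worth testing around a run start, clamped to the image so that
    sectors -1, -2, ... (which do not exist) are never requested."""
    return list(range(max(0, start - radius), min(total - 1, start + radius) + 1))


def build_sample_image(path: str, layout: list) -> int:
    """Constructed image from (kind, count) pairs: 'high' sectors hold every
    byte value exactly twice (entropy exactly 8.0), 'low' sectors repeat text."""
    rng, total = random.Random(4144414), 0
    with open(path, "wb") as fh:
        for kind, count in layout:
            for _ in range(count):
                if kind == "high":
                    block = bytearray(range(256)) * 2
                    rng.shuffle(block)
                else:
                    block = (b"the quick brown fox " * 26)[:SECTOR]
                fh.write(bytes(block))
            total += count
    return total


def run_demo() -> dict:
    """Two constructed images sharing one cache file in one folder."""
    work = tempfile.mkdtemp()
    cache = os.path.join(work, "ent.json")
    big, small = os.path.join(work, "disk.img"), os.path.join(work, "other.img")
    n_big = build_sample_image(big, [("low", 100), ("high", 300), ("low", 50), ("high", 10)])
    build_sample_image(small, [("low", 20)])
    prof_big, hit1 = cached_profile(big, cache)
    _, hit2 = cached_profile(big, cache)         # same image: cache reused
    prof_small, hit3 = cached_profile(small, cache)  # other image: recalculated
    return {
        "sectors": n_big,
        "chain_256": high_entropy_runs(prof_big, 256),
        "chain_8": high_entropy_runs(prof_big, 8),
        "cache_hits": (hit1, hit2, hit3),
        "small_profile_len": len(prof_small),
        "around_start": candidate_sectors(0, n_big),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With chain=256 only the 300-sector run is reported; with chain=8 the 10-sector run at the end shows up as well, which is the "more candidates, more time wasted on random files" trade-off described in the post. The second image is recalculated rather than served from the first image's cache because the key is checked, and candidate_sectors(0, ...) stops at sector 0 instead of asking for sectors -1 to -8.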