Hi Everyone,
I'm a newbie so I apologize if this question seems brainless but after hours and hours… I have gotten nowhere. I am working with FTK and have a dd image of a drive. I've recovered TrueCrypt passwords and believe that I have found some non-hidden files. For the life of me, I still can not retrieve the data. I have downloaded TrueCrypt and have tried that way as well. I do not understand where I am going wrong. Any advice would truly be appreciated.
OK, we definitely need more detailed info on this one. First, and most important, what makes you believe the recovered passwords are for a TrueCrypt file or volume? Where did you recover them from? Secondly, what do you mean by non-hidden files? Are these files with a TrueCrypt file extension?
I am working with FTK and have a dd image of a drive.
What can you tell us about the drive? Is the entire drive TrueCrypt-encrypted, or are there specific files (or a volume) that were encrypted?
I've recovered TrueCrypt passwords and believe that I have found some non-hidden files.
What is a "non-hidden" file?
For the life of me, I still can not retrieve the data. I have downloaded TrueCrypt and have tried that way as well. I do not understand where I am going wrong. Any advice would truly be appreciated.
I'm not clear on what you're doing or why, and to what, so I wouldn't even begin to understand what you're doing…
Hello :)
We need to clarify some points: what exactly did you retrieve? The password or the encryption key?
How have you obtained it?
If you have the passphrase and the encrypted disk or volume, you just need the TrueCrypt software to mount the disk/volume.
If you have the encryption key, then you need to be more tricky, and I actually don't know how to proceed in this situation. I'll follow this thread since it sounds interesting.
Non hidden might mean no file signature. Maybe there is a combination of encryption keys and password.
Thanks everyone for the responses and I apologize for the ambiguity. This is merely for training only. I retrieved a text file with the following info: TC Outer=striker Inner=blackout.
Also found evidence of TrueCrypt on the machine through cache/zip, etc.
Found unknown file types that were Lockers (1,2,3) and when opened they are definitely encrypted text files.
It's not the whole drive. So when I try FTK, it says that there is nothing encrypted or that the passwords are not valid.
Again, this is for training purposes so I'm fairly confident that they are truly encrypted and meant to be found.
Well, you can't decrypt TrueCrypt volumes using FTK (afaik).
You need to export the encrypted files and use TrueCrypt to mount them on your forensic workstation using the passwords you discovered.
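
An added example, not part of the thread: TrueCrypt file containers carry no file signature, so a tool that looks for known encrypted formats can report nothing. This Python script triages exported files by size, missing signature and byte entropy to shortlist container candidates; the function names, thresholds and signature list are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

SECTOR = 512                 # container sizes are a multiple of the sector size
MIN_SIZE = 64 * 1024         # assumption: ignore files too small to hold a volume
ENTROPY_FLOOR = 7.9          # assumption: bits per byte, close to the maximum of 8
SAMPLE = 1024 * 1024         # entropy is measured on the first 1 MiB only
# Assumption: a short list of common magic numbers; extend it for real triage.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff",
               b"GIF8", b"Rar!", b"7z\xbc\xaf", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def container_candidate(head: bytes, size: int) -> tuple[bool, str]:
    """Heuristic check: head is the start of the file, size its full length."""
    if size < MIN_SIZE:
        return False, "too small"
    if size % SECTOR:
        return False, "size is not a multiple of 512"
    if head.startswith(KNOWN_MAGIC):
        return False, "known file signature"
    entropy = shannon_entropy(head[:SAMPLE])
    if entropy < ENTROPY_FLOOR:
        return False, f"entropy {entropy:.3f} below floor"
    return True, f"no signature, entropy {entropy:.3f}"


def triage(paths):
    """Return (path, reason) for every file that passes the heuristic."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE)
        ok, reason = container_candidate(head, os.path.getsize(path))
        if ok:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in triage(sys.argv[1:]):
        print(f"{path}: {reason}")
```

A hit only means the file is consistent with an encrypted container; compressed or otherwise encrypted data can pass too, so mounting a working copy with the recovered passwords remains the confirmation.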