[Linux] truecrypt password in RAM

General (Technical, Procedural, Software, Hardware etc.)

Last Post by SleepParalysis 16 years ago

2 Posts

2 Users

0 Reactions

718 Views

RSS

nieuk

(@nieuk)

Active Member

Joined: 16 years ago

Posts: 10

Topic starter 21/03/2009 9:49 pm

I am trying to recover the truecrypt v6.1a password from memory dump on Ubuntu. I found very good paper by Davidoff, that was talking about how to recover clearext password from RAM. In the paper they used truecrypt 5.1a and it worked. I tried to follow the same procedure but with no luck. Anybody tried that before with truecrypt 6.1?

Quote

SleepParalysis

(@sleepparalysis)

Eminent Member

Joined: 18 years ago

Posts: 42

23/03/2009 9:55 pm

You tried the tools linked to in this paper? http//citp.princeton.edu/memory/code/

You might have to try looking through the source code for those tools and see how they are finding the password and then assume that in 6.1 the password may be stored slightly differently. Such as data around the password that identified or pointed to a truecrypt password is now different.

Also, if the truecrypt password is truly stored plaintext then you should be able to run a string search for it against the RAM dump. Maybe you could compare the area where the string is stored in the 5.1a dump to the 6.1 dump (and the data around that area). I don't know if truecrypt has a persistent location that it stores the password in or if it just drops it into RAM wherever with some sort of identifier or what.

When I get some time I will look at this too as I've been wanting to try it.

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
229 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed