31 May 2014
2014-0822.htm TrueCrypt Last Download for Testing May 30, 2014
Notice the TrueCrypt article, check out Volatility Labs (they focus mainly
on memory forensics, and have some nice framework for live memory dumps)
Take a look at:
Tuesday, January 14, 2014 TrueCrypt Master Key Extraction And Volume
If you read the article you'll see they use their own framework v2.3.1 and
this was released sometime mid-2012 (copy I have on my PC MAC_time is 2012/08/04)
At the end of their article they say the below:
The truecryptsummary plugin supports all versions of TrueCrypt since 3.1a
(released 2005) and truecryptmaster supports 6.3a (2009) and later. In one
of the more exciting hands-on labs in our memory forensics training class,
students experiment with these plugins and learn how to make suspects wish
there was no such thing as Volatility.
From the above it seems version 2.x may still not be cracked and may be harder
for a forensics expert to access the Master Key.
Here's a Wayback Machine archive
It seems TrueCrypt's own archive has been tampered with for sure.
And checkout r000t.com:
Also strange they would say to use Microsofts Bitlocker ....
Oh, and look at r000t, some people out there are saying Sabu was behind
Also r000t seems not to follow forensic IT field, otherwise he would not
"The current version of Truecrypt is functionally useless. However, I had
Linux 64 bit and Windows binaries of Truecrypt 7.1a (the last good
version) lying around, which Ive uploaded to this site. Other versions
and PGP signatures for them are available at this Github repo."
I think the last good version, as I said above, is 2.x
Remember there is two methods of HDD encryption available software and hardware,
all are breakable, there always needs to be a decryption key.
But anyway check out hardware encryption:
Personally I have never seen one of these drives, only encounter desktop
and raid enterprise drives.
Note for FDE Drives:
Typical self-encrypting drives, once unlocked, will remain unlocked as long
as power is provided. Researchers at the Universität
Erlangen-Nürnberg have demonstrated a number of attacks based on moving
the drive to another computer without cutting power. Additionally, it
may be possible to reboot the computer into an attacker-controlled operating
system without cutting power to the drive.
When a computer with a self-encrypting drive is put into sleep mode, the
drive is powered down, but the encryption password is retained in memory
so that the drive can be quickly resumed without requesting the password.
An attacker can take advantage of this to gain easier physical access to
the drive, for instance, by inserting extension cables.
And also concerning software encryption apps:
A 2008 study found data remanence in dynamic random access memory (DRAM),
with data retention of seconds to minutes at room temperature and much longer
times when memory chips were cooled to low temperature. The study authors
were able to demonstrate a cold boot attack to recover cryptographic keys
for several popular disk encryption systems despite some memory degradation,
by taking advantage of redundancy in the way keys are stored after they have
been expanded for efficient use. The authors recommend that computers be
powered down, rather than be left in a "sleep" state, when not under physical
control by the computer's legitimate owner. This method of key recovery however,
is suited for controlled laboratory settings and is extremely impractical
for "field" use due to the equipment and cooling systems required.
PS Check out