Some Basic Options When Dealing with TrueCrypt (aka Finally a Forensics Post)

I’ve recently been working on a presentation I’ll be giving in a few weeks on the topic of memory forensics. I’ve learned a ton while working on it and the old adage of “The best way to understand something is to teach in to others” has proven extremely beneficial to me.

One of the topics that required me to do some digging was on the subject of memory analysis as it relates to TrueCrypt. A few years ago I was asked to examine a system within an extremely short time frame. I looked at the software installed on the system and saw TrueCrypt. I didn’t know a ton back then but I knew enough to know that there was nothing quick about dealing with TrueCrypt.

I’m writing the post that I wish I would have had on that day a few years back. If you see TrueCrypt installed on a system and aren’t quite sure what to do with that bit of information, hopefully this quick overview and some of the resources I’ll mention help. I’m not going to cover using artifacts like prefetch files to determine if TrueCrypt is installed and how frequently it’s been used, we’ll just cover hunting for and dealing with the containers.

Locating TrueCrypt:

One of the things that makes locating TrueCrypt files difficult is their lack of a standard file signature that one would normally use to locate all of a particular file format. There is a free tool called “TCHunt” that will scan a drive or directory and look for files that may be TrueCrypt containers. TCHunt looks for miles that meet specific size requirements (file size divisible by 512 and at least a minimum size), doesn’t have the file header of a known common type and appears to contain a higher than average randomness of data which is a key indicator that the contents may be encrypted.

tchunt

For everything that TCHunt does it’s also amazingly quick. I ran it against a 750GB Hard drive which had over 500GB of data and the complete scan took around three minutes. The tool correctly identified all four TrueCrypt containers on the drive.

Cracking TrueCrypt:

Using Memory:

Ideally you have a memory dump which was acquired while the TrueCrypt container was mounted. In lieu of that the hiberfil.sys may have been written while the container was mounted. TrueCrypt no longer stores it’s password in memory but it does store encryption keys in memory while the container is mounted so the password doesn’t need to be re-entered every time a file is accessed. These keys can be located using tools like bulk extractor and are the key to unlocking the container.

Michael Hale Ligh wrote a great blog post on Volatility Labs earlier this year discussing identifying and acquiring these keys. In the post he references a 2011 blog post by Michael Weissbacher  where he outlines patching TrueCrypt to allow an examiner to use acquired AES keys to mount a TrueCrypt container without knowing the password. There are commercial tools such as passware and elcomsoft which will also allow an examiner to access a TrueCrypt container using keys acquired from a memory dump.

Without Memory:

If no useable memory dump is available and you still want to access a locked TrueCrypt container you’re hoping for quite a few things.

• The user used a short password
• The user stuck to the default settings (RIPEMD-160 and AES) when creating the TrueCrypt container
• You have access to a system with a powerful graphics card

Modern graphics cards (GPUs) can crack passwords at a MUCH faster rate than a computer processor (CPU) can. I recently upgraded to an ATI 7950 3GB model ($230 at Newegg) and I’m able to crack passwords on a TrueCrypt container created with default settings at a rate of 77,000 guesses per second. That sounds like a lot and it’s great for wordlists (I can go through the entire 14,000,000 word rockyou list in under three minutes) but when you start crunching the numbers on a brute forcing attempt you’ll quickly become discouraged.

If standard wordlists don’t crack the password there could be multiple causes. The user could have changed the default settings when creating the container or could have used a password not in your word lists. You could try generating custom wordlists or using your wordlists with different encryption options.

I threw one of the TrueCrypt containers TCHunt found at oclHashcat to try to crack the password. oclHashcat has multiple TrueCrypt encryption options but I tried the default RipeMD160 and AES option first.

hashcat1

It turns out that the password (123mango) was in the rockyou wordlist I was using so the password was cracked in under a minute.

hashcat2

I can’t overstate the value of having some good wordlists for times like these. Brute forcing a password 8 characters or longer is a road nobody wants to go down.

I’ve been using john the ripper for a few years but am just now starting to seriously delve into GPU password cracking so I’d love to hear any tips, techniques or stories you have on these topics.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more