
31 May 2014

TrueCrypt Forensics


2014-0822.htm  TrueCrypt Last Download for Testing  May 30, 2014

A sends:

Notice the TrueCrypt article; check out Volatility Labs (they focus mainly on memory forensics and have a nice framework for live memory dumps).

Take a look at:

Tuesday, January 14, 2014 TrueCrypt Master Key Extraction And Volume Identification

If you read the article you'll see they use their own framework v2.3.1, and this was released sometime mid-2012 (the copy I have on my PC has a MAC time of 2012/08/04).

At the end of their article they say the below:

The truecryptsummary plugin supports all versions of TrueCrypt since 3.1a (released 2005) and truecryptmaster supports 6.3a (2009) and later. In one of the more exciting hands-on labs in our memory forensics training class, students experiment with these plugins and learn how to make suspects wish there was no such thing as Volatility.

From the above it seems version 2.x may still not be cracked and may be harder for a forensics expert to access the Master Key.

Here's a Wayback Machine archive

It seems TrueCrypt's own archive has been tampered with for sure.

And check out


Also strange that they would say to use Microsoft's BitLocker ....

Oh, and look at r000t; some people out there are saying Sabu was behind TrueCrypt!

Also, r000t seems not to follow the forensic IT field; otherwise he would not be saying

"The current version of Truecrypt is functionally useless. However, I had Linux 64 bit and Windows binaries of Truecrypt 7.1a (the last “good” version) lying around, which I’ve uploaded to this site. Other versions and PGP signatures for them are available at this Github repo."

I think the last good version, as I said above, is 2.x

Remember there are two methods of HDD encryption available, software and hardware; all are breakable, as there always needs to be a decryption key.

But anyway, check out hardware encryption:


Personally I have never seen one of these drives; I only encounter desktop and RAID enterprise drives.

Note for FDE Drives:

Typical self-encrypting drives, once unlocked, will remain unlocked as long as power is provided. Researchers at the Universität Erlangen-Nürnberg have demonstrated a number of attacks based on moving the drive to another computer without cutting power.[7] Additionally, it may be possible to reboot the computer into an attacker-controlled operating system without cutting power to the drive.

When a computer with a self-encrypting drive is put into sleep mode, the drive is powered down, but the encryption password is retained in memory so that the drive can be quickly resumed without requesting the password. An attacker can take advantage of this to gain easier physical access to the drive, for instance, by inserting extension cables.[7]

And also concerning software encryption apps:

A 2008 study found data remanence in dynamic random access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to demonstrate a cold boot attack to recover cryptographic keys for several popular disk encryption systems despite some memory degradation, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not under physical control by the computer's legitimate owner. This method of key recovery, however, is suited for controlled laboratory settings and is extremely impractical for "field" use due to the equipment and cooling systems required.[1]

PS Check out
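Editor's added example, illustrating the "redundancy in the way keys are stored after they have been expanded" that the quoted 2008 study and the Volatility master-key plugin both rely on. This is not code from Cryptome, from Volatility, or from the cited study. AES-128 (FIPS-197) turns a 16-byte key into eleven 16-byte round keys, each computed from the previous one, so any two adjacent intact round keys give away the whole schedule. The scanner below uses that property defensively, as a self-audit: run it over a dump of your own process to confirm that the entire 176-byte schedule, not just the 16-byte key, is zeroised before the machine is suspended. The S-box is derived from its definition rather than typed in, the key is the public FIPS-197 Appendix A test vector, and the "memory image" is constructed, seeded filler, not a real dump.

```python
"""Spotting an expanded AES-128 key schedule in memory, and checking that a
scrub of only the raw key is not enough. Added example; the memory image is
constructed filler, not a real dump."""
import random

SCHEDULE_LEN = 176                                  # 11 round keys x 16 bytes
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    """Derive the AES S-box from its definition (GF(2^8) inverse followed by
    the affine map) instead of typing 256 constants."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63                                      # affine step
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def next_round_key(rk: bytes, rcon: int) -> bytes:
    """One FIPS-197 key-expansion step: round key r+1 from round key r."""
    w = [bytes(rk[i:i + 4]) for i in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]                        # RotWord
    t = bytes(SBOX[b] for b in t)                  # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]               # xor round constant
    out = []
    for j in range(4):
        t = bytes(a ^ b for a, b in zip(w[j], t))  # w[i] = w[i-4] ^ w[i-1]
        out.append(t)
    return b"".join(out)


def expand_key(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    rks = [bytes(key)]
    for rcon in RCON:
        rks.append(next_round_key(rks[-1], rcon))
    return b"".join(rks)


def find_round_key_pairs(image: bytes) -> list:
    """(offset, round) for every 32-byte window whose second half is the
    FIPS-197 successor of its first half under some round constant. Two
    adjacent intact round keys are enough to flag a schedule."""
    hits = []
    for off in range(len(image) - 31):
        rk, nxt = image[off:off + 16], image[off + 16:off + 32]
        for r, rcon in enumerate(RCON):
            if next_round_key(rk, rcon) == nxt:
                hits.append((off, r))
    return hits


def build_demo_image(key: bytes, offset: int, size: int = 4096) -> bytearray:
    """Constructed stand-in for a memory dump: seeded filler with one
    expanded key schedule planted at `offset`."""
    rng = random.Random(20140531)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + SCHEDULE_LEN] = expand_key(key)
    return image


def wipe(image: bytearray, offset: int, length: int) -> None:
    """Zeroise a region, as a careful implementation scrubs key material."""
    image[offset:offset + length] = bytes(length)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 App. A key
    img = build_demo_image(key, offset=1000)
    print("planted schedule:", len(find_round_key_pairs(img)), "pairs")      # 10
    wipe(img, 1000, 16)            # scrub only the raw key
    print("key wiped, schedule left:", len(find_round_key_pairs(img)), "pairs")  # 9
    wipe(img, 1000, SCHEDULE_LEN)  # scrub the whole schedule
    print("whole schedule wiped:", len(find_round_key_pairs(img)), "pairs")  # 0
```

The middle result is the point: after the 16-byte key is zeroed, nine of the ten round-key pairs are still in place and the scan still fires, because the first round key can be recomputed from any later one. Only wiping the full 176 bytes makes the schedule disappear, which is the same reason the quoted advice prefers a full power-down to sleep.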