TrueCrypt vs. Passware

[imseca]

I just read one of the topic here regarding Passware, unfortunately this is old and I can no longer reply. Passware claim about cracking Truecrypt is a bold one but has anyone of you tried this software?

Can Passware crack Truecrypt "container/drive" even with keyfile?

[LockBox]

Passware made this claim about two years ago. It's rubbish as they cannot "crack Truecrypt encryption." It's the same old frozen RAM attack. Truecrypt addresses this in their documentation. Truecrypt continues to be solid as a rock.

[passware]

Passware software detects and extracts TrueCrypt encryption keys from memory images or hibernation files.

If the encryption key is present in memory it could be used to decrypt TrueCrypt volumes instantly.

More information can be found at http://www.lostpassword.com/hdd-decryption.htm

[EncryptedBytes]

Quote:

Originally Posted by passware

Passware software detects and extracts TrueCrypt encryption keys from memory images or hibernation files.

If the encryption key is present in memory it could be used to decrypt TrueCrypt volumes instantly.

More information can be found at http://www.lostpassword.com/hdd-decryption.htm

For that to work your fully encrypted drive needs to be mounted and decrypted when someone uses this software, and if someone can get hold of your computer while it is mounted and decrypted, the least of your worries is some overly expensive vendor program pulling the encryption key from RAM.

The hibernation avenue is only valid if the target is not using FDE or has hibernation enabled. Not a really reliable extraction avenue.

[PaulyDefran]

As well, It's not a guarantee that you will be able to run 'foreign' software on the box at all. See:

https://github.com/int0x80/anti-fore...aster/derpherp

I don't want to get into a cat and mouse anti-forensics discussion, but a lot of assumptions are made when it comes to TC. Sure, some users are dumb, and the low hanging fruit always gets picked first...but it isn't a given.

PD

[Enigm]

Quote:

Originally Posted by passware

Passware software detects and extracts TrueCrypt encryption keys from memory images or hibernation files.

If the encryption key is present in memory it could be used to decrypt TrueCrypt volumes instantly.

More information can be found at http://www.lostpassword.com/hdd-decryption.htm

OK, here is what you say on your website :

Quote:

Passware Kit scans the physical memory image file (acquired while the encrypted disk was mounted,

So, you need PHYSICAL ACCESS to the machine WITH MOUNTED ENCRYPTED VOLUMES to do your 'magic' .

I say you are full of baloney, your soft CAN NOT crack TC-volumes .

You are actually confirming what I just wrote on your website :

Quote:

NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.

Maybe you should tell your customers how many million years that will take and give them a rough estimate of the resulting power-bill ??

Quote:

Note: The issue described below does not affect you if the system partition or system drive is encrypted* (for more information, see the chapter System Encryption) and if the hibernation file is located on any of the partitions within the key scope of system encryption (which it typically is, by default), for example, on the partition where Windows is installed. When the computer hibernates, data are encrypted on the fly before they are written to the hibernation file.
http://www.truecrypt.org/docs/?s=hibernation-file

[PaulyDefran]

Let me say this: I'm sure there are some actual ~ Snipped as per TOS ~ using TC, and I'm sure they're dumb enough to get caught with mounted disks occasionally - so let's not be too harsh on a vendor for coming up with a *possible* way to extract the keys. Since the data is already accessible, I'd assume a forensicator would copy everything off of the mounted volume/s straight away.

The first problem is, the MARKETING Dept of companies, is usually clueless to the technology, so you get these "We Cracked TrueCrypt!!!!!!" proclamations. The second problem, is trying to defend that proclamation on a site such as this...we'll call your BS. But that's not how MARKETERS think: Gotta always push the product. If they felt the need to defend, they should have just stated the actual capability and (limited) circumstances under which they *can* operate successfully. Friggen marketing depts - 1024x768 in 4:3 Aspect is the shiznit for a new tablet, you gotta have one!

PD

[LockBox]

They did the same with FileVault 2 (which is the FDE for OSX). It all depends on the machine running. Apple even changed it to where they can't even pull off their firewire memory snatch from 'sleeping' mode. Passware charged almost $1000 for their OSX FileVault 2 forensics utility.