Help recovering TrueCrypt full disk encryption with wordlist

Discussion in 'encryption problems' started by pwnt94, Nov 12, 2017 at 7:34 PM.

  1. pwnt94

    pwnt94 Registered Member

    I'm dusting off an old drive and unfortunately forgot the password. I'm going to run a word list against it using TrueCrack; however, I'm a little confused about how to extract the volume header to run TC against.

    https://www.truecrypt71a.com/documentation/technical-details/truecrypt-volume-format-specification/

    The first sector of the disk contains the MBR (446 byte MBR + partition table). The MBR is obviously a TrueCrypt MBR due to the fact that I get prompted for a password. I assume that the TC MBR code tries the password against the very first bytes of the active partition.

    I tried to just DD the first sector (512 bytes) of the first partition (not the MBR). I may be wrong, because when I pulled out the disk I got an error stating "Failure to read disk 0 sector 62", meaning it must be doing something with sector 62. The documentation above also makes it seem like more than just the first 512 bytes are used.

    My goal is to simply DD the volume header (or whatever I need) off of the drive and run TrueCrack against it.

    Any help?

    As a side note, what is the significance of clicking the "Mount without preboot authentication" option when trying to mount a system drive from the GUI? Why is this needed if you can just pick a partition and decrypt that? Is there something special about being a "system drive"?
     