truecrack Password cracking for truecrypt(c) volume files.

interesting clip , and thanks for that intriguing insight on keyfiles ,lols xD

 

I was reading this thread and I thought I would throw my two cents in. The National Institute of Justice (NIJ) Electronic Crime Technology Center of Excellence has tested this software and have a report out on it -https://justnet.org/pdf/00-TrueCrypt-report-0329.pdf-. Their conclusions were that the product performed as advertised and they recommend it for use by law enforcement, but It can be cracked if the user does not reboot his computer. You can find the password in the RAM of the motherboard. In spite what you might think Truecrypt can be cracked. It's just of matter of when and how you seize the suspect computer.

 

Would like to add that in general the question is not whether some security measure can be cracked (including Truecrypt), but how much time cracking takes. So basically it is about 'delay' and not about 'impossible'. Same is valid for burglar prevention at home or for fireproof safes: the burglar will come in eventually and the fire will destroy the vault content eventually.

Secondly, the cracking mechanism may shorten the cracking time, as do professional burglar accessories. So key logger malware may be difficult to install, but it will recover the key quickly. Brute force cracking of a Truecrypt key may take many decades depending on the strength of the key. A swap file and memory scans may help if one can do that. Etc. etc.

One has to assess the probability that those different mechanisms can be used. And sometimes one can prevent one being used, for example by not using a swap file or not using a computer sleep mode.

 

So turn off password caching and disable the creation of memory dump files, as is discussed in the documentation. I've run those same tests and could not find any instances of the PW in memory. Alternatively, encrypt the OS.

 

I guess that could work, but to me it seems that for the software to know what your password is it would have to have it stored somewhere where it could access it to verify. The NIJ report recommends the best thing to do is to shut down you computer after each use and make sure that it is off a good while afterwards to ensure that the RAM is cleared. That still doesn't mean that you are completely safe since in theory once you are online someone could just image you computer and hack it from there.

 

Hacking a machine that is online is NOT a TC problem. Any software or machine is hackable if you allow someone inside while you are online.

With TC you can select to disable cache of passwords and memory wipe during dismount and/or shutdown. Once the machine is down you are safe. If you don't use firewire disable it and even epoxy the motherboard ports if you don't use firewire. That is the one hardware thing common to LE so make that goes away if you don't use firewire. I don't even want to really type a bunch. Many here know what I am typing about. I would say there is virtually nobody here that would ever run up against that kind of attack model.

On a machine where the user has always had 100% physical control of the unit, and employs TC correctly with solid passwords you can sleep well at night. No normal LE or "bad guy" is ever going to get at your WDE system unless you provide the password. Court cases one after the other prove its reliable.

 

I've also seen, numerous times, where if password cache is off, no key is in memory. I may have to head over to the TC forums and look for the final word.

In ref to a mounted volume (WDE or Container), in addition to the excellent advice offered by Palancar, there are also a few other things you can do. I tested out USB blocking software to great success. One version also blocked SATA/E-SATA/IDE, as well as Network access. You whitelist devices, and all others are blocked. I also had one vendor willing to write me a custom version that would wipe any drive that wasn't whitelisted, immediately upon insert.

Epoxy anything that isn't in use (Servers rarely change in their hardware config).

Int0x80 of DualCore fame, has some Bash scripts that will attack foreign devices, and pollute the system with 10's of thousands of encrypted files of varying size...this goes back to the comment about TIME being the deciding factor. Most Forensicators are overloaded, and if they can't make a dent in the first day or two, it get's back burnered.

Reconning the various forensics forums, indicates that running a Limited Account (if you can) foils some attacks from an Admin account.

Move SysKey externally.

It's also fairly trivial to rig up a 'kill switch' to crash the computer if a side panel is removed, etc...

No offense, but you normally won't be dealing with a guaranteed technically superior adversary if LE comes for your box.

It's a cat and mouse game, and neither side can claim victory.

PD

 

I say, why keep anything that secure on your computer in the first place? I use mine for surfing the web and writing papers. The one I use at work is encrypted, but the password is kept on a secure server that checks my user ID before it decrypts my files.