Solved

Truecrypt: extract the key from RAM while a Truecrypt volume is mounted: freeware?

Posted on 2010-08-25
18
4,475 Views
Last Modified: 2012-05-10
Hello,

Today I came across the Passware solution to get the TrueCrypt key from a mounted TrueCrypt container.
Please see http://www.lostpassword.com/kit-forensic.htm for details.

I would like to know if this is possible with FREEWARE on Windows or Linux.

There is a publication about a cold boot attack to get the key from the RAM; this is not what I mean.
I would like to know how to get the key from the RAM when it is just mounted.

happy discussing

bytes
Question by:ByteSleuth
18 Comments
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 100 total points
ID: 33521731
Google "truecrypt password memory dump" and you will find many ways to do this manually. However, no one seems to have made a free program to do it for you. However, this whole topic doesn't make sense to me because if the drive is mounted you already have access to the files. The only point of knowing the key is to return later when the drive isn't mounted, copy the drive image, and mount it yourself. I can't really think of a scenario where this would be better than just copying the files from the mounted volume in the first place.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 100 total points
ID: 33522863
The authoritative resource for this is the paper "Recovery of Encryption Keys from Memory Using a Linear Scan", which is unfortunately behind a paywall. However, it should be possible to attach a debugger to the memory space of the driver; I will look into it.
0
 
LVL 2

Assisted Solution

by:furball4
furball4 earned 100 total points
ID: 33538988
@aarontomosky

Retrieving the password is superior for a few reasons:

1. It allows you to access the volume again and again. This isn't just about time-shifting your copying activities, but about having continued access while changes or additions take place on the volume. A mole is better than a defector, right?

2. It reveals the password itself, which the user may have re-used elsewhere. You might bag more than just the contents of the encrypted volume.

3. Ideally you would copy data off the computer when you knew the user was not actively using it. This would reduce the possibility of the user noticing suspicious disk or network usage. Retrieving the password allows this.
0
 
LVL 2

Expert Comment

by:furball4
ID: 33539003
A general question, ByteSleuth. I realize you what use case do you have in mind where you are able to execute the code necessary to retrieve the password, but could not also just install a keylogger and wait until the next time the password was typed? Obviously an instant retrieval might be superior in certain cases, but the keylogger would seem to be a viable alternative in most.
0
 
LVL 2

Expert Comment

by:furball4
ID: 33539030
"I realize you what use case..." should read "What use case..."

Posts can't be edited on here? Craziness.
0
 
LVL 5

Author Comment

by:ByteSleuth
ID: 33539570
Hello all,

It's just the challenge to get it from RAM. A keylogger would work, of course.
The challenge is getting the key from the RAM only: doing a RAM image and extracting it. This is the way Passware does it, via a FireWire RAM dump. My challenge would be doing that with open-source tools or manually.

:-)

Just a discussion, of course; everyone will receive points for the answers.
So, let's go back to the challenge and extract the pass from RAM without using commercial tools.

bytesleuth
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33539762
Interesting - I wasn't aware the passware tool got you back the actual password, I thought it got you the in-use keys (which are fine for decrypting the volume per se, but won't be able to be generalized to other systems).

However, the easiest way to achieve that is just to patch the truecrypt binaries to log the last passphrase used to the registry. The problem here is we are now moving away from forensic examination (which is legal and ok for EE questions) to hacking/keylogging, which isn't.
0
 
LVL 2

Expert Comment

by:furball4
ID: 33540020
Well I guess I need to read up on the forum rules a bit more, but people trying to secure their systems have to spend just as much time thinking, reading, and discussing these methods as the people who use them. Not to mention all of the potential legal uses of such techniques, including research and law enforcement. But it's true we've gotten off topic, and modifying the binaries doesn't fit the stated goal either.

I can't see a way to accomplish what you are after short of mimicking one of the commercial tools. First you have to find out what information you need out of the RAM. That must be discoverable via examination of the TC source code, but just because it's possible doesn't mean it would be easy. I suspect that DaveHowe is correct - you won't get the password out of RAM because it isn't there, except during and immediately after it is entered by the user. That's not what you are after - you want something you can grab hours/days later as long as the volume remains open. So the steps seem to be:

1. Identify what data you are actually after (in TC source code)
2. Identify a way to locate that data in RAM (in TC source code as well?)
3. Identify a way to read/copy the RAM that TC uses while running (standard tool?)
4. Use 1-3 together to copy the necessary data
5. Use the data to open the volume without the password (altered TC binary?)

Not a lot of tools indicated there... mostly elbow grease. I'm guessing the utility you would use to read/copy RAM in use by another program is very mundane, if not built into most OSes already, but that's not my area of experience. That's also where this method can be killed. Aren't there some hardware-based solutions to this kind of attack? Secure RAM based on an embedded chip that has its own security certificate? The only way around that - assuming the private key was truly unrecoverable from the chip, which isn't much of a leap for us non-NSA folk - would be some kind of man-in-the-middle attack that fooled TC into using something other than the secure RAM. And the certificate architecture will have been engineered specifically to combat that. In fact the more mundane approaches like keylogging are probably the reason why secure memory isn't very common. How much practical good can secure RAM do when the rest of the system is an open book?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33540193
yeah. I am going to do some testing this weekend - the passware tool appears to take a brute-force approach - grab blocks of bytes out of the memory map and try each in turn until it finds one that gives it a valid filesystem, then declare that "right" - but my initial approach is going to be to get the tool to dump the keys, find out what structures the driver holds in memory, and see if I can find a fingerprint to give me a faster search option.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 33548416
interesting inputs. Just to add in the following:

a) Use of Volatility plugin - It may not search for the keys but for the passphrase in memory, but the links below also have good inputs on the key structure that would serve as a signature for a memory search
@ http://www.dfrws.org/2009/proceedings/p132-moe.pdf
@ http://superuser.com/questions/55162/truecrypt-privacy-of-decrypted-data
@ http://jessekornblum.livejournal.com/246616.html

Other possibility
a) Use of Evil Maid - It has source which checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Similarly, editing the code and replaying it can help to trap the key - needs some effort, though
@ http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

b) Use of Bootkit - It has the potential to steal keys at preboot since it hooks the MBR and BIOS read/write calls. But in this case, it may be that the read/write hooks of TC can lead to the pointer of the resident crypto keys to be loaded for its encrypt/decrypt - no direct tool to grab it, but since it is in the same hook, one can explore further. Needs effort, though.
@ http://www.h-online.com/security/news/item/Bootkit-bypasses-hard-disk-encryption-742721.html
@ http://www.stoned-vienna.com/
0
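Dave Howe's idea of a "fingerprint to give me a faster search option" and btan's point about the key structure serving as a signature for a memory search rest on one property of AES: the driver keeps its round keys in RAM as an expanded key schedule, and every word of that schedule is derived from earlier words, so a candidate key verifies itself. The Python below is an added example written for this page; it is not code from the thread, from TrueCrypt, Volatility or Passware. It scans a constructed memory image (pseudo-random filler with the FIPS-197 Appendix A test keys planted at offsets chosen for the demo) for AES-128 and AES-256 schedules, and shows that once the schedule has been overwritten, as a driver should do on dismount, the same scan finds nothing, which is the check a defender wants when confirming that key material does not linger after a volume is closed. The image contents, the offsets and the wipe are all constructed for the example.

```python
"""Find expanded AES key schedules in a memory image (constructed demo data).

Every word of an AES key schedule is a deterministic function of earlier words,
so a candidate key at some offset verifies itself: re-expand it and compare
with the bytes that follow. Once a driver overwrites the schedule on dismount,
the same scan finds nothing, which is what a defender wants to confirm.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _make_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) rather
    than hand-typing 256 constants."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                              # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63  # q == 1/p at this point
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key(key):
    """FIPS-197 key expansion for 16-, 24- or 32-byte keys; returns the full
    schedule (176, 208 or 240 bytes)."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("key must be 16, 24 or 32 bytes")
    words = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nk + 7)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]  # extra SubWord for AES-256
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def find_aes_keys(image, key_len=32):
    """Linear scan: at every offset, treat the bytes as a key and report it
    when the bytes after it are exactly that key's expanded schedule."""
    sched_len = 16 * (key_len // 4 + 7)
    hits = []
    for off in range(len(image) - sched_len + 1):
        cand = image[off:off + key_len]
        # Cheap fingerprint first: recompute only the first derived word, so
        # the full expansion runs for roughly 1 in 4 billion offsets.
        last = cand[-4:]
        t = [SBOX[b] for b in last[1:] + last[:1]]
        t[0] ^= RCON[0]
        first_word = bytes(a ^ b for a, b in zip(cand[:4], t))
        if image[off + key_len:off + key_len + 4] != first_word:
            continue
        if image[off:off + sched_len] == expand_key(cand):
            hits.append((off, cand))
    return hits


# Constructed demo data, not a real dump: the FIPS-197 Appendix A test keys
# planted in pseudo-random filler at offsets chosen for this example.
KEY128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                       "1f352c073b6108d72d9810a30914dff4")


def build_demo_image(seed=1):
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(8192))
    buf[1234:1234 + 176] = expand_key(KEY128)
    buf[4096:4096 + 240] = expand_key(KEY256)
    return bytes(buf)


DEMO_IMAGE = build_demo_image()
# A driver that zeroes the schedule on dismount leaves this behind instead.
WIPED_IMAGE = DEMO_IMAGE[:4096] + bytes(240) + DEMO_IMAGE[4096 + 240:]

if __name__ == "__main__":
    for klen in (16, 32):
        for off, key in find_aes_keys(DEMO_IMAGE, klen):
            print(f"AES-{klen * 8} schedule at 0x{off:x}, key {key.hex()}")
    print("AES-256 hits after wipe:", find_aes_keys(WIPED_IMAGE, 32))
```

The first-word fingerprint is what makes a byte-by-byte scan affordable: only four bytes are recomputed per offset, and the full expansion is done only for the rare candidates that pass. Pure Python still manages only a few megabytes per second, which is fine for the 8 KB demo image but is why the tools mentioned in this thread are written in C. The same scan over a dump taken after a clean dismount should return an empty list; if it does not, the driver is leaving key material behind.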
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33548660
@breadtan:

A lot of the factors on the attack are dependent on the attack model.

For a forensic image review, bootkit and Evil Maid techniques won't work - the attacker won't be using the machine again (or if he does, you won't be able to harvest that info). The Evil Maid is largely against TrueCrypt's whole-disk solution anyhow, as it would be easier just to swap the TrueCrypt software on the HD than to try and patch it from cold boot in a non-WDE solution.

The papers are very welcome though - as an aside, if you can find the one I referenced earlier, I will give you the 500 points myself :)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33548674
@ByteSleuth:

  breadtan has linked to "Volatility", which appears to correctly extract keys from a memory dump; little point in me re-inventing the wheel, so I would go with that.

  Now I just need to find TWO papers, as "ram is key" appears to be no longer online either *sigh*.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33548680
@breadtan:

  This little lot may interest you:

http://www.garykessler.net/library/forensicsurl.html
0
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 33551927
@DaveHowe

Thanks for the comments; agree that it depends on the attack model. The two schemes are quite off the model and tedious in intent, but with the source, they can be one possibility for hooking to search for the key. I am trying to reuse what is available and expand on it :)

Also if Truecrypt is used in volume encryption instead of HDD as you highlighted, agree the reuse part will be minimal or better still just extract the signature structure and do search. Well highlighted

Very much appreciate the URL - indeed comprehensive list

For the paper that does brute-force searches (Hargreaves and H. Chivers, "Recovery of Encryption Keys from Memory Using a Linear Scan"), I found this link, but it needs a login though

@ http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/4529302/4529303/04529504.pdf

On a similar note to Volatility, this is another (quite old, 2007) paper (Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process) that would be in the same light and can be considered as an alternative (maybe). Check out Fig 3 and section 6.2 in the paper. It focused on TrueCrypt volume encryption, but it is based on ver 4.2 and would differ in the current version; still, I see it as good to know

@ http://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf
@ http://computer.forensikblog.de/en/2007/08/from_volatools_to_volatility.html
0
 
LVL 61

Expert Comment

by:btan
ID: 33551934
Just to share that Volatools has been acquired by MS already

@ http://www.windowsitpro.com/article/microsoft-forefront-client-security/microsoft-buys-forensics-company.aspx

Microsoft announced that it has acquired Komoku, maker of forensics analysis tools. Microsoft intends to integrate Komoku's technology into its security offerings.

Komoku was founded in 2004 and developed a set of tools that aid researchers with incident response and forensic analysis. The company's Volatools Basic toolkit, first released at the Blackhat Federal conference in February 2007, is a Python-based platform that can extract information from volatile memory images on Windows XP systems. Volatools was retired in December 2007; however, the original developers of Volatools went on to create the Volatility Framework, which is an open source forensics toolkit.

Komoku's commercial Volatools Professional platform is a more advanced version of Volatools Basic while Komoku's Acquisition Suite is designed for system state acquisition on Windows 2000, Windows XP, and Windows 2003.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33552426
@breadtan:
  Yeah, I have that link, but you need to be a full IEEE member (or your employer does) to use that link. Or you can pay $30 for one-shot access, but I am not sure it's worth $30 without reading it...
0
 
LVL 61

Expert Comment

by:btan
ID: 33552630
@DaveHowe

Noted with thanks; I am not a member either.
0
 
LVL 5

Author Closing Comment

by:ByteSleuth
ID: 33556116
Keep it going.... at the end we should have an article to face that key, or at least the passphrase
0
