Slashdot Mirror


TrueCrypt Master Key Extraction and Volume Identification

An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of TrueCrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that TrueCrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins, a wide range of investigators can now decrypt TrueCrypt volumes regardless of the algorithm used (AES, Serpent, combinations of algos, etc.). Users of TrueCrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."

4 of 222 comments

  1. Re:What would be sweet... by Anonymous Coward · · Score: 2, Funny

    And don't forget to put the RPI inside a Faraday cage....

  2. Re:Memory dump lol by Desler · · Score: 5, Funny

    A billion people not in your parents' basement?

  3. Re:Key recovery from memory by Smerta · · Score: 3, Funny

    Nice try, NSA.

  4. Re:Burn after reading? by Hal_Porter · · Score: 3, Funny

    It's that Southern Cypherpunk series of books about a hacker/waitress, Mary Sue Stackdump.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;