TrueCrypt Master Key Extraction and Volume Identification

An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."

Re:Still working as intended

[al0ha]

I wouldn't be claiming this until the audit is completed.

http://istruecryptauditedyet.com/

Re:Burn after reading?

[avltree]

"While not perfect, such activity can be mitigated. TruCrypt can be written to automatically unmount the 'drive' as the computer goes to sleep/hibernate/etc' for FDE, it does dismount and scrub the key during hibernation. Sleep is different though and RAM is not cleared during it. "and could even be written to plop the keys into a random section of RAM each time it re-connects." This doesn't really change anything. TC must still be able to find the key and the current drive version could be extracted from memory and reverse negineering to determine where the key currently is.

Re:What would be sweet...

[jonwil]

An even better idea would be to eliminate software from the equation completly.

Have a hardware device that contains the keys in secure storage that's on the same die as a fast hardware AES implementation (so they cant be read out by someone with full physical hardware access). Or alternately have the keys on some sort of removable storage that plugs directly into the specialized hardware (so as not to expose the keys to the host machine). The hardware would sit between the disk controller and the secure drive and basically MITM all data flowing in either direction and encrypt it as it went to the drive/decrypt it as it came from the drive).

Done properly it would prevent a lot of attacks including the attack described in TFA.

Re:So does this mean the TrueCrypt hijacking busin

Even better, start not just having one TC volume, but many. Separate your stuff out by what you are doing, and unmount it when you are done. Word documents for client "A", open that specific volume, make an edit, unmount. Excel spreadsheets? Same thing.

This way, if the computer gets taken and the master drive image key slurped off, it means control of the OS, but not much else.

Even better, to prevent data leakage (/tmp files), the next step up is having virtual machines or Evalaze-sandboxed applications that channel all writes to one volume, that is easily unmounted.

TrueCrypt is just one tool in a toolbox.

Of course, there is the fact that people may not have to worry about seizure. My biggest security threat are the meth-heads who will break into a place just to grab stuff to take to a pawn shop or fence in order to stop their DTs. They don't care what's on the machine, so basic encryption turns a hardware + data theft into just hardware lost... which is easily replaced by insurance.

Re:TC is usually still mounted after sleep anyway

[CrimsonAvenger]

I use Truecrypt for the entire harddrive on my laptop. And when it hibernates, I have to feed it my Truecrypt password to get it back awake.

Presumably, the difference is that I use whole disk encryption, rather than just a part of the disk....