Comment: Re:Burn after reading? (Score 1) 222
ahhh I think we were confusing terms. that makes sense
Comment: Re:Burn after reading? (Score 1) 222
How would this change anything?
Comment: Re:So let me understand this ... (Score 1) 222
It is getting the key out of memory to then decrypt the drive. Not reading the unencrypted drive live.
Example scenarios are:
1) You get a memroy sample from a machine and the disk image. FDE was in use. This would allow you to extract the key and decrypt the whole drive.
2) Someone was using file containers and hibernated the machine. The key (could) still be in memory and you could decrypt the containers.
Comment: Re:Burn after reading? (Score 5, Interesting) 222
"While not perfect, such activity can be mitigated. TruCrypt can be written to automatically unmount the 'drive' as the computer goes to sleep/hibernate/etc'
for FDE, it does dismount and scrub the key during hibernation. Sleep is different though and RAM is not cleared during it.
"and could even be written to plop the keys into a random section of RAM each time it re-connects."
This doesn't really change anything. TC must still be able to find the key and the current drive version could be extracted from memory and reverse negineering to determine where the key currently is.
Comment: Re:Why is physical access needed? (Score 1) 222
yes, but the idea is to grab the key in order to get around disk encryption. I guess you could remotely compromise the machine, grab the key, and then later get the disk image.
Comment: Re:DMA attack (Score 2) 222
The DMA part is not new, but several other aspects are:
1) Other tools only find AES keys, the new plugins find any algo that truecrypt uses as it inspects the truecrypt data structures in memory to find the values instead of scanning memory hoping to find a key
2) Volatility shows you files that were being accessed (along with their full path) inside the TC mount
3) All of it is automated for Windows XP through 8 and the server versions
Comment: Re:Burn after reading? (Score 1) 222
This would make it much more difficult, but even the current polymorphic version could be reverse engineered and then the key then extracted.
Comment: Re:Well shit (Score 2) 222
hibernating is okay if you use full disk encryption as the hiberfil.sys will be within the encrypted filesystem.
Comment: Re:Memory dump lol (Score 3, Informative) 222
Nothing that you mentioned would prevent someone from taking a memory dump of your machine....
With firewire, pci slots, or other DMA-capable hardware slots, memory can be captured with physical access and no user credentials required. With (root) user credentials, memory can be captured through projects such as LiME that are kernel modules that dump physical memory to disk or over the network.
+ - TrueCrypt Master Key Extraction And Volume Identification ->
Submitted
by
Anonymous Coward
An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."
Link to Original Source
Link to Original Source