Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Check out Videos
×

Comment: Re:So let me understand this ... (Score 1) 222

by avltree (#45971033) Attached to: TrueCrypt Master Key Extraction and Volume Identification
It is getting the key out of memory to then decrypt the drive. Not reading the unencrypted drive live. Example scenarios are: 1) You get a memroy sample from a machine and the disk image. FDE was in use. This would allow you to extract the key and decrypt the whole drive. 2) Someone was using file containers and hibernated the machine. The key (could) still be in memory and you could decrypt the containers.

Comment: Re:Burn after reading? (Score 5, Interesting) 222

by avltree (#45970951) Attached to: TrueCrypt Master Key Extraction and Volume Identification
"While not perfect, such activity can be mitigated. TruCrypt can be written to automatically unmount the 'drive' as the computer goes to sleep/hibernate/etc' for FDE, it does dismount and scrub the key during hibernation. Sleep is different though and RAM is not cleared during it. "and could even be written to plop the keys into a random section of RAM each time it re-connects." This doesn't really change anything. TC must still be able to find the key and the current drive version could be extracted from memory and reverse negineering to determine where the key currently is.

Comment: Re:DMA attack (Score 2) 222

by avltree (#45970883) Attached to: TrueCrypt Master Key Extraction and Volume Identification
The DMA part is not new, but several other aspects are: 1) Other tools only find AES keys, the new plugins find any algo that truecrypt uses as it inspects the truecrypt data structures in memory to find the values instead of scanning memory hoping to find a key 2) Volatility shows you files that were being accessed (along with their full path) inside the TC mount 3) All of it is automated for Windows XP through 8 and the server versions

Comment: Re:Memory dump lol (Score 3, Informative) 222

by avltree (#45970797) Attached to: TrueCrypt Master Key Extraction and Volume Identification
Nothing that you mentioned would prevent someone from taking a memory dump of your machine.... With firewire, pci slots, or other DMA-capable hardware slots, memory can be captured with physical access and no user credentials required. With (root) user credentials, memory can be captured through projects such as LiME that are kernel modules that dump physical memory to disk or over the network.

+ - TrueCrypt Master Key Extraction And Volume Identification ->

Submitted by Anonymous Coward
An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."
Link to Original Source

A formal parsing algorithm should not always be used. -- D. Gries

Close