It is getting the key out of memory to then decrypt the drive. Not reading the unencrypted drive live.
Example scenarios are:
1) You get a memroy sample from a machine and the disk image. FDE was in use. This would allow you to extract the key and decrypt the whole drive.
2) Someone was using file containers and hibernated the machine. The key (could) still be in memory and you could decrypt the containers.
"While not perfect, such activity can be mitigated. TruCrypt can be written to automatically unmount the 'drive' as the computer goes to sleep/hibernate/etc'
for FDE, it does dismount and scrub the key during hibernation. Sleep is different though and RAM is not cleared during it.
"and could even be written to plop the keys into a random section of RAM each time it re-connects."
This doesn't really change anything. TC must still be able to find the key and the current drive version could be extracted from memory and reverse negineering to determine where the key currently is.
yes, but the idea is to grab the key in order to get around disk encryption. I guess you could remotely compromise the machine, grab the key, and then later get the disk image.
The DMA part is not new, but several other aspects are:
1) Other tools only find AES keys, the new plugins find any algo that truecrypt uses as it inspects the truecrypt data structures in memory to find the values instead of scanning memory hoping to find a key
2) Volatility shows you files that were being accessed (along with their full path) inside the TC mount
3) All of it is automated for Windows XP through 8 and the server versions
Nothing that you mentioned would prevent someone from taking a memory dump of your machine....
With firewire, pci slots, or other DMA-capable hardware slots, memory can be captured with physical access and no user credentials required. With (root) user credentials, memory can be captured through projects such as LiME that are kernel modules that dump physical memory to disk or over the network.
An anonymous reader writes: The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory.
