I was under the impression that TrueCrypt installed a boot loader that was responsible for the pretty menu you usually see when you boot. So, to my surprise, when I wanted to play around with it... it wasn't. TrueCrypt actually uses a second stage to display that pretty menu. The traditional boot loader more or less just takes care of loading the second stage, which sits compressed on the hard disk; if loading fails it displays some messages and that's it. Since I still wanted to play around with it, preferably with the version actually sitting on my test machine's hard disk, I decided to dump it. The easiest way was to use Evil Maid; I modified the source slightly to prevent infection, but it will still infect if you omit the second argument :)
Here are the steps if you want to do it yourself:
- Retrieve the first 64 sectors, for example with "FTK Imager" if you are on Windows
- Download the Evil Maid source
- Apply this patch (patch <evilmaid.patch)
- Run ./patch_tc <file_with_64_sectors> -f
This should look like this:
./patch_tc ~/Desktop/tc-full.dd -f
TrueCrypt EvilMaid patcher v0.1
TrueCrypt Boot Loader detected
PatchTrueCrypt(): Compressed loader size: 11877 bytes
PatchTrueCrypt(): Saved checksum 0x267DAC67
PatchTrueCrypt(): Loader memory size: 0x7000 (28672) bytes
PatchTrueCrypt(): Decompressing the boot loader
PatchTrueCrypt(): Decompression successful
The local directory where the patch_tc executable resides should now contain two files, "sectors_backup" and "loader"; the latter is the uncompressed second stage, as you can see from a simple strings run:
strings -n 15 loader
No bootable partition found
TrueCrypt Boot Loader 7.1
Boot Non-Hidden System (Boot Manager)
Skip Authentication (Boot Manager)
for hidden system:
BIOS reserved too much memory:
- Upgrade BIOS
- Use a different motherboard model/brand
Warning: Caps Lock is on.
If you are sure the password is correct, the key data may be damaged. Boot your
TrueCrypt Rescue Disk and select 'Repair Options' > 'Restore key data'.
Press 1-9 to select partition:
Your BIOS does not support large drives
due to a bug
- Enable LBA in BIOS
Copying system to hidden volume. To abort, press Esc.
If aborted, copying will have to start from the beginning (if attempted again).
To fix bad sectors: 1) Terminate 2) Encrypt and decrypt sys partition 3) Retry
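The "sectors_backup" file that patch_tc leaves behind is also a useful baseline: the same 64 boot sectors that Evil Maid patches are the ones a defender wants to re-dump later and compare against a trusted copy. The Python below is an added example (my code, not part of this post and not part of Evil Maid or TrueCrypt) that splits two raw dumps into 512-byte sectors, reports which sectors differ and where the first changed byte sits, and hashes both images. The two 64-sector images it runs on are constructed in memory; with real input you would read the FTK Imager dump and sectors_backup from disk instead.

```python
import hashlib

SECTOR_SIZE = 512
SECTOR_COUNT = 64  # the post dumps the first 64 sectors of the disk


def split_sectors(image, sector_size=SECTOR_SIZE):
    """Split a raw dump into fixed-size sectors (the last one may be short)."""
    return [image[i:i + sector_size] for i in range(0, len(image), sector_size)]


def compare_boot_area(baseline, current, sector_size=SECTOR_SIZE):
    """Return the indices of sectors whose bytes differ between a trusted
    backup (e.g. the sectors_backup file) and a fresh dump of the same disk."""
    if len(baseline) != len(current):
        raise ValueError("dumps differ in length: %d vs %d bytes"
                         % (len(baseline), len(current)))
    pairs = zip(split_sectors(baseline, sector_size), split_sectors(current, sector_size))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def first_difference(a, b):
    """Byte offset of the first differing byte between two equal-length blobs
    (None when they are identical)."""
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return off
    return None


def sha256_hex(data):
    """Hex SHA-256 of a whole dump, handy for keeping a one-line baseline record."""
    return hashlib.sha256(data).hexdigest()


def report(baseline, current, sector_size=SECTOR_SIZE):
    """Return (changed sector indices, human-readable lines describing each change)."""
    changed = compare_boot_area(baseline, current, sector_size)
    lines = []
    for idx in changed:
        a = baseline[idx * sector_size:(idx + 1) * sector_size]
        b = current[idx * sector_size:(idx + 1) * sector_size]
        lines.append("sector %d differs (first change at byte %d)"
                     % (idx, first_difference(a, b)))
    return changed, lines


def load_dump(path):
    """Read a raw sector dump from disk (not used by the constructed demo below)."""
    with open(path, "rb") as fh:
        return fh.read()


def make_sample():
    """Constructed sample data: a fake 64-sector boot area and a copy in which
    two sectors were altered. Nothing here is a real boot loader image."""
    baseline = bytearray((i * 31 + 7) % 256 for i in range(SECTOR_SIZE * SECTOR_COUNT))
    baseline[510:512] = b"\x55\xaa"                 # classic boot signature ending sector 0
    current = bytearray(baseline)
    current[0x10:0x14] = b"\x90\x90\x90\x90"        # four overwritten bytes in sector 0 (constructed)
    current[3 * SECTOR_SIZE + 100] ^= 0xFF          # one flipped byte in sector 3 (constructed)
    return bytes(baseline), bytes(current)


if __name__ == "__main__":
    base, cur = make_sample()
    print("baseline sha256:", sha256_hex(base))
    print("current  sha256:", sha256_hex(cur))
    for line in report(base, cur)[1]:
        print(line)
```

Comparing per sector rather than only by whole-image hash matters here: the TrueCrypt loader's first sector carries boot code while later sectors carry the compressed second stage, so knowing which sector changed tells you whether the code path or the payload was touched before you go and look at the bytes themselves.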
This time it's actually an afternoon thought. So let's say you will be traveling from one country to another and you have stored your TrueCrypt container on a remote site. There is a chance someone might steal it and try to brute-force it. Usually, if you are paranoid enough, a brute-force attack on a TrueCrypt container is, well... useless. Because you are THAT paranoid, you also want to make sure that a brute-force attack on your container really is futile. So how about corrupting the container in a controlled way? Check out the file format specification: http://www.truecrypt.org/docs/?s=volume-format-specification.
A good option would be to change the 4 bytes of the encrypted TRUE string to some random bytes. Make sure you have a backup of the original bytes (preferably memorized). This should prevent successful decryption of the container even if someone has the correct password.
It's security by obscurity, but hey... you can never have enough layers of security. Another interesting idea is to modify the TrueCrypt source/binary on your hard disk to use the string FOUR instead of TRUE for the whole decryption verification. So unless they also steal your modified version of the TrueCrypt binary, they will not be able to open it.
Just to make sure... the above ideas are only an ADDITIONAL security layer, and they CAN be broken if detected by an adversary. I just thought it would be fun to have an additional layer of security on my TrueCrypt containers.
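To make the header trick concrete, here is an added Python example (my code, not TrueCrypt's and not from this post) that builds a 512-byte volume header in its decrypted layout using the field offsets from the volume format specification linked above (bytes 0-63 salt, 64-67 the TRUE string, 72-75 CRC-32 of the key data, 252-255 CRC-32 of bytes 64-251, 256-511 the master keys), runs the acceptance checks an opener applies after decryption, and shows what happens when the four magic bytes are overwritten and when the opener has been rebuilt to expect FOUR instead of TRUE. The salt, key bytes, volume sizes, data offset and the encoding of the minimum program version are constructed placeholders, not values from a real volume.

```python
import struct
import zlib

HEADER_SIZE = 512
DEFAULT_MAGIC = b"TRUE"


def crc32(data):
    """CRC-32 as an unsigned 32-bit value (the header stores CRC-32 big-endian)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_header(volume_size, magic=DEFAULT_MAGIC, hidden_volume_size=0,
                 data_offset=131072, sector_size=512):
    """Assemble a header in its *decrypted* form. Offsets follow the volume
    format specification; the salt and key material are fixed, constructed
    bytes and the minimum-program-version encoding is an assumption."""
    salt = bytes((i * 7 + 3) % 256 for i in range(64))          # 0-63 (constructed)
    master_keys = bytes((i * 13 + 5) % 256 for i in range(256))  # 256-511 (constructed)
    body = bytearray(188)                                        # bytes 64..251
    body[0:4] = magic                                            # 64-67: "TRUE" in a stock volume
    struct.pack_into(">H", body, 4, 5)                           # 68-69: header format version
    struct.pack_into(">H", body, 6, 0x0700)                      # 70-71: min. program version (assumed encoding)
    struct.pack_into(">I", body, 8, crc32(master_keys))          # 72-75: CRC-32 of bytes 256-511
    struct.pack_into(">Q", body, 28, hidden_volume_size)         # 92-99
    struct.pack_into(">Q", body, 36, volume_size)                # 100-107
    struct.pack_into(">Q", body, 44, data_offset)                # 108-115: master key scope start
    struct.pack_into(">Q", body, 52, volume_size)                # 116-123: encrypted area size
    struct.pack_into(">I", body, 60, 0)                          # 124-127: flags
    struct.pack_into(">I", body, 64, sector_size)                # 128-131
    header_crc = struct.pack(">I", crc32(bytes(body)))           # 252-255: CRC-32 of bytes 64-251
    return salt + bytes(body) + header_crc + master_keys


def verify_header(header, magic=DEFAULT_MAGIC):
    """Apply the checks an opener runs on a decrypted header. Returns the list
    of failed checks; an empty list means the header would be accepted.
    Passing magic=b"FOUR" models the rebuilt binary from the post."""
    if len(header) != HEADER_SIZE:
        return ["wrong header length"]
    failures = []
    if header[64:68] != magic:
        failures.append("magic mismatch")
    if struct.unpack(">I", header[252:256])[0] != crc32(header[64:252]):
        failures.append("header CRC mismatch")
    if struct.unpack(">I", header[72:76])[0] != crc32(header[256:512]):
        failures.append("key data CRC mismatch")
    return failures


def overwrite_magic(header, replacement):
    """Copy of the header with bytes 64-67 replaced: the post's controlled
    corruption, or its reversal when the original four bytes are passed back."""
    if len(replacement) != 4:
        raise ValueError("replacement must be exactly 4 bytes")
    return header[:64] + bytes(replacement) + header[68:]


if __name__ == "__main__":
    hdr = build_header(volume_size=1 << 20)
    print("stock header:", verify_header(hdr) or "accepted")
    damaged = overwrite_magic(hdr, b"\x00\x01\x02\x03")
    print("magic overwritten:", verify_header(damaged))
    print("bytes restored:", verify_header(overwrite_magic(damaged, b"TRUE")) or "accepted")
    print("stock header, opener expects FOUR:", verify_header(hdr, magic=b"FOUR"))
    four = build_header(volume_size=1 << 20, magic=b"FOUR")
    print("FOUR header, stock opener:", verify_header(four))
```

Two things the plaintext demo cannot show but which follow from the specification: on disk those four bytes are ciphertext, and because the header is encrypted in XTS mode, changing them garbles the whole 16-byte block they sit in after decryption, so the version fields and the key-data CRC at bytes 68-75 come out wrong as well, and every check fails rather than just the two listed above. And the verification is purely a comparison against a stored constant, which is exactly why it is reversible by anyone who learns the original bytes or obtains the rebuilt binary: the layer adds no key material, only a detail an adversary has to notice.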
So you have just finished installing the hidden operating system offered by TrueCrypt. You are, however, stuck with the following problem: you need frequent access to the hidden operating system, which means that you won't be using the decoy system that much. According to the guidelines offered by TrueCrypt, this means your plausible deniability is a little less plausible. How about fixing this? What if you could "work" in both operating systems at the same time?
So there I was, thinking I could write a blog post with screenshots and an extended howto. Unfortunately I am not able to try the idea on my computer and I have no spare computer left. So I'm just going to put it out there; maybe someone feels like implementing it and letting me know how well it works.
The whole thing is rather simple, it actually fits in a sentence:
Run your decoy OS inside your hidden OS with the help of virtualization techniques.
As stated before, the claim is simple. It's a shame I have no spare computer around at the moment to test it out. In theory it should work fine. The only thing that worries me is the possible evidence that a virtualization application might leave on the booted decoy system; I think there is none, but I haven't been able to test this.
So just to be clear, this is NOT an idea to go against the TrueCrypt Security Precautions; it's just another method to spend more time in a hidden operating system without having to worry that it could be compromised by forensics on your decoy OS. This way all the timestamps and temp files in your decoy OS will be kept up to date while you are working in your hidden OS.
To take it one step further, you could even write a few scripts to start your email client, mark messages as read at varying intervals and surf around on the web. If they ask why you have scripts to automate things inside your decoy OS, you can give a simple answer: I'm lazy.
If I get a spare computer anytime soon I’ll be sure to let you know how this method works out.
A lot of people ask the question: How can I recover my TrueCrypt password? Others ask: How can I crack a TrueCrypt container? So out of curiosity I went on a little investigation to find out what the current tools are to brute-force a TrueCrypt container. Here is a small compilation of the methods I've found.
Continue reading “Truecrypt, a variety of bruteforcing options”
So here I was, relaxing and watching Friends, when suddenly one of my old and almost forgotten ideas popped into my head. The problem context is as follows:
Let's say you image (or just want to search) a hard disk and want to know whether the person has any crypto containers on it. How would you go about this?
Continue reading “Finding crypto containers”
Well, TrueCrypt 6.1 has been released and I thought it was time to update my machine. Since I started using TrueCrypt I've kept screenshots of the benchmarks, so for those who love numbers, here they are. I've also made volume header backups and disabled the boot message that states the machine is encrypted with TrueCrypt. I have to admit I'm totally fond of TrueCrypt: it's easy and good, for free. Oh, and YES, I've made volume header backups and rescue disks; you never know when bad luck strikes.
Continue reading “Truecrypt Update & Speeds”