Comments on [Archive of Volatility Labs]: TrueCrypt Master Key Extraction And Volume Identification
Blog author: Jamie Levy. 16 comments; feed last updated 2024-03-24 09:17 (-04:00). Comments are listed newest first, as in the feed; times are -04:00/-05:00 as recorded.

Jigsy, 2014-06-07 16:01:
Although it's a bit of a late reply, I think what he means is that could a user get the key that, say, Cryptolocker uses to encrypt a user's files?

Basically rendering the ransom for the key to decrypt everything moot.

security-geek, 2014-03-04 11:03:
You can decrypt the master key only using your password or key-file. Or obtain the UNENCRYPTED master key from memory dumps, RAM, etc., as shown in this great article. It's safe enough to use full disk encryption where the OS is. The article says more about TC volumes mounted under an unencrypted OS - which in fact is obviously much less secure.

security-geek, 2014-03-04 10:59:
As the TrueCrypt site says - use full disk encryption for the OS (and other disks too - optional). When there is some memory dump or page file it will remain encrypted on disk, so your master key, even when written to disk, is still safe.
Data stored in RAM is always unencrypted, so do your best to prevent forensic tools from being run on your running OS.
Enable auto lock every 5 minutes of [truncated]

Anonymous, 2014-02-27 16:03:
So just had a quick flick through, how would someone use the master key to gain access to a full disk encrypted disk or TrueCrypt container? Would they then need to decrypt the master key?

Michael Hale Ligh, 2014-01-22 11:02:
In that case, the master keys would be in the VM's memory. This is even less secure, because the VM's memory is fully contained in the host's memory (i.e. the key is in two places now). Furthermore, if the VM was suspended or snapshotted, its RAM is written to a file on the host's machine so that it can properly be resumed...in which case the master keys are written to the host [truncated]

Michael Hale Ligh, 2014-01-22 10:49:
Hmm, I'm not quite sure what ransomware malware has to do with this. Can you explain a bit more and then I can possibly answer.

G., 2014-01-22 07:23:
What about if you mounted the container/partition in say... a Virtual Machine?

Quartz, 2014-01-16 05:31:
Does this have any application for the various ransomware malware that are doing the rounds?

Aether, 2014-01-16 05:15:
Key files are processed along with other tokens to form the master key - once you've loaded the key files in, the master key must remain in memory in order to facilitate the encryption / decryption processes. As such, it doesn't matter whether you're using a password, keyfile, or both - if an attacker can get read-only access to your RAM, they can extract the key.

Of course [truncated]

Anonymous, 2014-01-15 18:21:
What about keyfiles?

Michael Hale Ligh, 2014-01-15 13:16:
Sure, no worries. Shutting the computer down is a good idea to clear out your sensitive data, however you don't always get the opportunity to do that [before being apprehended by an agent who wants to seize your computer]. There's also the possibility of cold boot attacks (https://citp.princeton.edu/research/memory/) in those cases.

Anonymous, 2014-01-15 12:51:
Thank you for the information and link. And sorry for the case of TL;DR. I'm at work right now. So, essentially, shutting down the computer to clear the RAM solves this issue.

Michael Hale Ligh, 2014-01-15 12:47:
@Waqar: The plugins are planned to be included in the next Volatility release (2.4). Keep an eye on the blog or code repository for an expected date.

Michael Hale Ligh, 2014-01-15 12:43:
@TonySharp: Hmm, yes, that was the point, more or less...but we also were very explicit to point out that TrueCrypt discloses this openly (http://www.truecrypt.org/docs/unencrypted-data-in-ram#Y445), and products such as PGP and BitLocker are in the same boat.

Anonymous, 2014-01-15 12:36:
What are you saying, that master keys can be hacked out of TrueCrypt?
If so, which alternatives would you recommend?

Anonymous, 2014-01-15 05:36:
Very nice tutorial, something I was looking for. The plugin mentioned in this tutorial, "truecryptsummary": will it be uploaded anytime soon? I looked for it and couldn't find it.
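The whole thread rests on one fact that Aether and security-geek spell out: while a volume is mounted, the cipher keeps its expanded AES key schedule in RAM, so anyone who can read memory (a dump, a VM snapshot file, or a cold boot capture) can pull the master key out without ever touching the password or keyfile. The script below is an added example, not the Volatility plugin's code and not TrueCrypt's: it implements the key-schedule scan from the cold boot research Michael Hale Ligh links to (expand the first 32 bytes of every window and see whether the next 208 bytes match), over a constructed memory image with two planted AES-256 schedules. The image, the offsets and the key bytes are made up for the demonstration, and the assumption that the primary (data) key's schedule precedes the secondary (tweak) key's in memory, which lets the two 256-bit XTS keys be joined into the 64-byte master key, is the example's, not TrueCrypt's documented layout.

```python
"""Locate live AES-256 keys in a raw memory image by key-schedule scanning.

Added example (not Volatility's plugin, not TrueCrypt code). An expanded
AES-256 schedule is 60 words = 240 bytes whose first 32 bytes are the key
itself; the remaining 208 are a deterministic function of that key, so a
240-byte window that is self-consistent under key expansion is, with
overwhelming probability, a real schedule left in RAM by a cipher context.
"""
import random


def _build_sbox():
    """Generate the AES S-box (multiplicative inverse + affine map in GF(2^8))."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key, nwords=60):
    """FIPS-197 key expansion for a 32-byte key; returns the first nwords words (<= 60)."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    words = [bytes(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 0x01
    for i in range(8, nwords):
        temp = bytearray(words[i - 1])
        if i % 8 == 0:                                   # RotWord, SubWord, Rcon
            temp = temp[1:] + temp[:1]
            temp = bytearray(SBOX[b] for b in temp)
            temp[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        elif i % 8 == 4:                                 # SubWord only (Nk = 8)
            temp = bytearray(SBOX[b] for b in temp)
        words.append(bytes(a ^ b for a, b in zip(words[i - 8], temp)))
    return b"".join(words)


def find_aes256_schedules(image, step=1):
    """Return [(offset, key)] for every self-consistent AES-256 schedule in image.

    step=4 is usually safe on real dumps (cipher contexts are word-aligned);
    step=1 is exhaustive.
    """
    hits = []
    for off in range(0, len(image) - 240 + 1, step):
        key = image[off:off + 32]
        if len(set(key)) < 8:                            # zero/low-entropy filler, never a key
            continue
        # Cheap filter: only word 8 must match before paying for the full expansion.
        if expand_key(key, 9)[32:36] != image[off + 32:off + 36]:
            continue
        if expand_key(key) == image[off:off + 240]:
            hits.append((off, bytes(key)))
    return hits


# Constructed demo keys; not real keys from any volume.
PRIMARY_KEY = bytes(range(0x10, 0x30))
SECONDARY_KEY = bytes((i * 37 + 11) & 0xFF for i in range(32))


def build_sample_image(seed=1234, size=16384):
    """Constructed 16 KiB 'memory image': random filler with two schedules planted
    at fixed offsets, standing in for a mounted AES-XTS cipher context."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    planted = {0x1000: PRIMARY_KEY, 0x2800: SECONDARY_KEY}
    for off, key in planted.items():
        image[off:off + 240] = expand_key(key)
    return bytes(image), planted


def recover_xts_master_key(image):
    """Join the recovered keys in memory order. Assumption of this example: the
    primary (data) key's schedule sits before the secondary (tweak) key's, so the
    concatenation is the 64-byte XTS master key."""
    return b"".join(key for _, key in find_aes256_schedules(image, step=4))


if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, key in find_aes256_schedules(image, step=4):
        print(f"AES-256 key schedule at {off:#x}: key {key.hex()}")
    print("recovered 64-byte master key:", recover_xts_master_key(image).hex())
```

Run it against a real raw dump by replacing `build_sample_image()` with the file's bytes (`open(path, "rb").read()`), keeping `step=4` for speed; the scan finds encryption schedules only, since the inverse (decryption) schedule that some implementations also keep has InvMixColumns applied to its middle round keys and does not match plain expansion. The same scan works unchanged on a VM's suspend or snapshot memory file, which is exactly the "key in two places" point made above.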