Difference between revisions of "TrueCrypt"

From ForensicsWiki
Jump to: navigation, search
m (added Linux as an available platform)
m (Forensic Acquisition)
Line 3: Line 3:
 
== Forensic Acquisition ==
 
== Forensic Acquisition ==
  
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible with an encryption key generated by a user's password and/or an additional datafile.  
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
  
 
==Attacks==
 
==Attacks==

Revision as of 22:29, 23 April 2007

TrueCrypt is an open source program to create and mount virtual encrypted disks in Windows Vista/XP/2000 and Linux.

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.

Attacks

The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

External Links