Difference between pages "Executable" and "TrueCrypt"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(DBG, PDB)
 
(External Links)
 
Line 1: Line 1:
{{expand}}
+
{{Infobox_Software |
 +
  name = Truecrypt |
 +
  maintainer = TrueCrypt Foundation |
 +
  os = {{Linux}}, {{Windows}}, OS X |
 +
  genre = {{Encryption}} |
 +
  license = TrueCrypt Collective License |
 +
  website = [http://www.truecrypt.org/ truecrypt.org] |
 +
}}
  
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
+
'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and [[Linux]] and [[Mac OS X|OS X]] as well as [[Whole Disk Encryption]] on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports [[AES]], [[Serpent]] and [[Twofish]].  As of version 6.0 TrueCrypt now supports hidden Operating Systems under Windows only.
  
There are multiple families of executable files:
+
== Forensic Acquisition ==
* Scripts; e.g. shell scripts, batch scripts (.bat)
+
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
+
* ELF
+
* Mach-O
+
  
== External Links ==
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
+
  
=== MZ, PE/COFF ===
+
== Attacks ==
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
+
The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster. Another solution is [[unprotect.info]] that can brute-force password to the file-based encrypted volumes.
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
+
* [http://msdn.microsoft.com/en-us/magazine/ms809762.aspx Peering Inside the PE: A Tour of the Win32 Portable Executable File Format], by Matt Pietrek, March 1994
+
* [http://www.microsoft.com/msj/0797/hood0797.aspx Under the Hood], by Matt Pietrek, July 1997
+
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
+
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
+
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
+
  
=== DBG, PDB ===
+
TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
+
* [http://www.debuginfo.com/articles/debuginfomatch.html Matching Debug Information], by debuginfo.com
+
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
+
* [http://web.archive.org/web/20070915060650/http://www.x86.org/ftp/manuals/tools/sym.pdf Internet Archive: Microsoft Symbol and Type Information], by [[Microsoft]]
+
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
+
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
+
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
+
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
+
  
=== Mach-O ===
+
== Hidden volumes ==
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
+
  
== Tools ==
+
Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
 +
 
 +
When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
 +
 
 +
Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer container to detect presence of a hidden container.
 +
 
 +
== Hidden Operating Systems ==
 +
 
 +
Hidden operating system is a system that is installed in a hidden TrueCrypt volume.
 +
 
 +
It is possible to detect network-enabled hidden operating systems by matching downloaded content (from a network dump) with data on a possible decoy system.
 +
 
 +
Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if [[Windows]] system is permanently connected to a LAN) and [[TCP timestamps]].
 +
 
 +
== External Links ==
  
=== MZ, PE/COFF ===
+
* [http://www.truecrypt.org/ Official website]
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
+
* [http://www.truecrypt.org/docs/?s=version-history Version history]
 +
* [http://brimorlabs.blogspot.com/2014/01/identifying-truecrypt-volumes-for-fun.html Identifying TrueCrypt Volumes For Fun (and Profit?)], by [[Brian Moran]], January 20, 2014
  
=== PDB ===
+
[[Category:Encryption]]
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
+
[[Category:Disk encryption]]

Latest revision as of 14:54, 21 January 2014

Truecrypt
Maintainer: TrueCrypt Foundation
OS: Linux,Windows, OS X
Genre: Encryption
License: TrueCrypt Collective License
Website: truecrypt.org

TrueCrypt is an open source program to create and mount virtual encrypted disks in Windows Vista/XP/2000 and Linux and OS X as well as Whole Disk Encryption on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports AES, Serpent and Twofish. As of version 6.0 TrueCrypt now supports hidden Operating Systems under Windows only.

Contents

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.

Attacks

The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster. Another solution is unprotect.info that can brute-force password to the file-based encrypted volumes.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

Hidden volumes

Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.

When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.

Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer container to detect presence of a hidden container.

Hidden Operating Systems

Hidden operating system is a system that is installed in a hidden TrueCrypt volume.

It is possible to detect network-enabled hidden operating systems by matching downloaded content (from a network dump) with data on a possible decoy system.

Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN) and TCP timestamps.

External Links