Difference between pages "Full Volume Encryption" and "TrueCrypt"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (Changed links)
 
Line 1: Line 1:
'''Full Volume Encryption''', or FVE, is a method for encrypting a single partition, either physical or virtual, on a hard drive. It is different than [[Full Disk Encryption]] as parts of the disk are left unencrypted.
+
'''TrueCrypt''' is a Windows program to create and mount virtual encrypted disks.  
  
== Implementations ==
+
== Forensic Acquisition ==
  
; [[BitLocker]]
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible with an encryption key generated by a user's password and/or an additional datafile.  
: Included with certain versions of [[Microsoft]] [[Windows|Windows Vista]].
+
  
; [[FreeOTFE]]
+
==Attacks==
: A free and open source FVE program for Microsoft [[Windows]] and [[Microsoft Windows Mobile|Windows Mobile]] PDAs.
+
The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.
  
; [[TrueCrypt]]
+
== External Links ==
: A free and open source FVE program for Microsoft [[Windows]].
+
  
==External Links==
+
* [http://www.truecrypt.org/ Official website]
* [http://secude.com/htm/805/en/White_Paper_Section%3A_Full_Disk_Encryption.htm White Papers on Full Volume Encryption]
+
 
+
[[Category:Encryption]]
+
[[Category:Anti-Forensics]]
+

Revision as of 07:33, 27 February 2007

TrueCrypt is a Windows program to create and mount virtual encrypted disks.

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible with an encryption key generated by a user's password and/or an additional datafile.

Attacks

The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

External Links