Difference between pages "TrueCrypt" and "Forensics on GPUs"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (some errors)
 
m (Bibliography)
 
Line 1: Line 1:
{{Infobox_Software |
+
Using a '''Graphical Processing Unit''' ('''GPU''') for forensics analysis attempts to make use of the significant, parallel processing power available on these high cards for a different purpose than their original intent. The idea of forensic analysis on a GPU was first proposed by Marziale, Richard and Roussev in 2007 with a version of [[Scalpel]] that utilized a GPU.
  name = Truecrypt |
+
  maintainer = TrueCrypt Foundation |
+
  os = {{Linux}}, {{Windows}}, OS X |
+
  genre = {{Encryption}} |
+
  license = TrueCrypt Collective License |
+
  website = [http://www.truecrypt.org/ truecrypt.org] |
+
}}
+
  
'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and [[Linux]] and [[Mac OS X|OS X]] as well as [[Whole Disk Encryption]] on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms ([[AES|AES-256]], [[Serpent]] and [[Twofish]]).  As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).
+
== Bibliography ==
 +
* ''[http://www.acsac.org/2006/papers/74.pdf Offloading IDS Computation to the GPU]'', Nigel Jacob and Carla Brodley, ACSAC 2006.
 +
* ''[http://dfrws.org/2007/proceedings/p73-marziale.pdf Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools]'', Lodovico Marziale, Golden G. Richard III, and Vassil Roussev, DFRWS 2007.
  
== Forensic Acquisition ==
+
<bibtex>
 
+
@inproceedings{1191892,
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
+
author = {Nigel Jacob and Carla Brodley},
 
+
title = {Offloading IDS Computation to the GPU},
== Attacks ==
+
booktitle = {ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference},
The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.
+
year = {2006},
 
+
isbn = {0-7695-2716-7},
TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
+
pages = {371--380},
 
+
doi = {http://dx.doi.org/10.1109/ACSAC.2006.35},
== Hidden volumes ==
+
publisher = {IEEE Computer Society},
 
+
address = {Washington, DC, USA},
Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
+
  url="http://www.acsac.org/2006/papers/74.pdf"
 
+
}
When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
+
</bibtex>
 
+
Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer volume to detect presence of a hidden container.
+
 
+
== Hidden Operating Systems ==
+
 
+
Hidden operating system is a system that is installed in a hidden TrueCrypt volume.
+
 
+
It is possible to detect network-enabled hidden operating systems by matching downloaded content (from network dump) with data on possible decoy system.
+
 
+
Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN).
+
 
+
== External Links ==
+
 
+
* [http://www.truecrypt.org/ Official website]
+
* [http://www.truecrypt.org/docs/?s=version-history Version history]
+
 
+
[[Category:Encryption]]
+

Revision as of 16:38, 9 October 2007

Using a Graphical Processing Unit (GPU) for forensics analysis attempts to make use of the significant, parallel processing power available on these high cards for a different purpose than their original intent. The idea of forensic analysis on a GPU was first proposed by Marziale, Richard and Roussev in 2007 with a version of Scalpel that utilized a GPU.

Bibliography

Nigel Jacob, Carla Brodley - Offloading IDS Computation to the GPU
ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference pp. 371--380, Washington, DC, USA,2006
http://www.acsac.org/2006/papers/74.pdf
Bibtex
Author : Nigel Jacob, Carla Brodley
Title : Offloading IDS Computation to the GPU
In : ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference -
Address : Washington, DC, USA
Date : 2006