Open TrueCrypt volume only with MasterKey


Status
This thread has been solved! Go to solution…

banderas20

New Member
Apr 23, 2019
16
Ratings
7
3
#1
Hi!

I have a ciphered TrueCrypt volume and I don't have the password, but I have the masterkey.

¿Is there any way to open it with masterkey? I have seen this video


but I don't know which version of TrueCrypt he's using.

Can it be done?

Thanks!
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
55
Ratings
46
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#2
@banderas20 , I examined the video above. It shows you choose the bottom option. I am guessing that doesn't show in the current version from the TrueCrypt site: Keyfiles - Truecrypt

This should there is a "keyfiles" option which can be used when you mount the drive. I would attempt to do that. If that doesn't work, I'll setup a lab to test this.
 

banderas20

New Member
Apr 23, 2019
16
Ratings
7
3
#3
Hi.

That's right. That option doesn't show up in the "official" version, and I can't seem to fin than mod.

Indeed there is a "Keyfiles" option, but it doesn't work. I load the master key and it gives me error. Maybe TrueCrypt is expecting another king of keyfile, and not the master key recovered from RAM.

Thanks a million for your help!
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
55
Ratings
46
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#4
I noticed this thread you posted the same quesiton: Open TrueCrypt volume only with MasterKey - Digital Forensics Forums | ForensicFocus.com

I setup pytruecrypt based on its' github page. You need to do the following:

  1. Make sure you have Python2 installed and running.
  2. Create virtual environment: Python Virtual Environments: A Primer – Real Python
  3. Clone the github repo: git clone https://github.com/4144414D/pytruecrypt.git
  4. Then copy two files: pytruecrypt.py and util.py >> virtualenv/lib/
    Bash:
    ~/pytruecrypt$ cp pytruecrypt.py ../virtualenv/lib/
    ~/pytruecrypt$ cp util.py ../virtualenv/lib/
    Note: you could also just copy both into the example folder where the scripts you are attempt to run reside.
  5. Then make sure you install docopts: pip install docopts
After that, the examples in the example directory will work.
 

banderas20

New Member
Apr 23, 2019
16
Ratings
7
3
#5
I think I finally got it,

with example 4 of the readme:

image key input4.tc output4.dd aes --aes bac01155a46547f00c3ddf9a4a765159fbe1f68d94bf11a3bd6910eedf26d867a63263c949812cd68b7dad91a8dfdacb96942b93cc1b21ffafeeb4791a0befa4

Anyway, I have had to try several combinations to get the Key, by using AESKEYFind together with this article:

Volatility Labs: TrueCrypt Master Key Extraction And Volume Identification

I find it kind of random, when coming up to the right concatenation combination....¿don't you think? ¿Or am I missin something?

Thank you very much!
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
55
Ratings
46
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#6
Did my previous post help get your application working?

From the documentation, it prints out a list of keys which are if different lengths. According to the blog posts which references the TrueCrypt site, they default key is an AES 512 bit key. All you would need to do is understand what a 512bit kill looks like--or how it could be split up as it has been shown with the 256 bit keys.

I think this would just come with experience.
 

banderas20

New Member
Apr 23, 2019
16
Ratings
7
3
#7
Did my previous post help get your application working?

From the documentation, it prints out a list of keys which are if different lengths. According to the blog posts which references the TrueCrypt site, they default key is an AES 512 bit key. All you would need to do is understand what a 512bit kill looks like--or how it could be split up as it has been shown with the 256 bit keys.

I think this would just come with experience.
Yes, it helped.

2 x 256 bit key = 1 512 key. That's correct.

The think it's that you have to try and guess which 2 strings are the correct ones.

Many thanks!
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
55
Ratings
46
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#8
I think that might go for many encryption tasks with involves keys or passwords. You have to try what you think is the right one based on evidence or attempt to brute force it. Nature of these things!

Glad you figured it out!
 
Status
This thread has been solved! Go to solution…

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu