Windows 7 Forums

Windows 7: TrueCrypt Master Key Extraction And Volume Identification

17 Jan 2014   #1
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
TrueCrypt Master Key Extraction And Volume Identification

One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more permanent storage) and performance. This is a risk that suspects have to live with, and one that law enforcement and government investigators can capitalize on.

The default encryption scheme is AES in XTS mode. In XTS mode, primary and secondary 256-bit keys are concatenated together to form one 512-bit (64 bytes) master key. An advantage you gain right off the bat is that patterns in AES keys can be distinguished from other seemingly random blocks of data. This is how tools like aeskeyfind and bulk_extractor locate the keys in memory dumps, packet captures, etc. In most cases, extracting the keys from RAM is as easy as this:

$ ./aeskeyfind Win8SP0x86.raw

Keyfind progress: 100%

Several keys were identified, but only the two final ones in red are 256-bits (the others are 128-bit keys). Thus, you can bet by combining the two 256-bit keys, you'll have your 512-bit master AES key. That's all pretty straightforward and has been documented in quite a few places - one of my favorites being Michael Weissbacher's blog.

A Guy
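The structure that makes AES keys stand out in a memory image, as an added example that is not part of the original post and is not aeskeyfind's code: a 32-byte AES-256 key is followed in RAM by the 208 bytes of round keys derived from it, so a scanner can test every offset for that relationship. This simplified version requires an exact match, and the keys and image are constructed sample data.

```python
import hashlib

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _make_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                     # q /= 3
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = _make_sbox()

def expand_aes256(key, words=60):
    """FIPS-197 key expansion of a 32-byte key into `words` 4-byte words."""
    w = [key[i:i + 4] for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, words):
        t = w[i - 1]
        if i % 8 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon <<= 1
        elif i % 8 == 4:
            t = bytes(SBOX[b] for b in t)              # SubWord only
        w.append(bytes(a ^ b for a, b in zip(w[i - 8], t)))
    return b"".join(w)

def find_aes256_schedules(image):
    """Return (offset, key) wherever a complete 240-byte key schedule sits."""
    hits = []
    for off in range(len(image) - 239):
        key = image[off:off + 32]
        # Cheap filter first: derive one dependent word before the full expansion.
        if expand_aes256(key, 9)[32:36] == image[off + 32:off + 36] and expand_aes256(key) == image[off:off + 240]:
            hits.append((off, key))
    return hits

def constructed_image():
    """Constructed sample: two expanded keys embedded in pseudo-random filler."""
    fill = lambda tag, n: hashlib.shake_256(tag).digest(n)
    k1, k2 = fill(b"k1", 32), fill(b"k2", 32)
    return k1, k2, fill(b"a", 500) + expand_aes256(k1) + fill(b"b", 100) + expand_aes256(k2) + fill(b"c", 300)
```

Random filler and zeroed pages produce no hits, because arbitrary data does not satisfy the key-expansion relationship; only the two embedded schedules are reported.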

18 Jan 2014   #2

Win7 Pro 32bit

Very disheartening news on the surface. But on page 8 of the .pdf file, it appears that RAM flush/optimizing/scrubbing programs, such as WinUtilities Free Memory Optimizer, Glary Utilities, Clean RAM, or FreeRAM work to wipe the keys' images remaining in RAM.
I'm also hopeful that it's much more difficult to reconstruct cascaded keys, such as AES-Twofish-Serpent, which I always use.
