This is a writeup of the PlaidCTF 500 pts challenge "Fun with Firewire".

Description: All of the machines at the AED office are encrypted using the amazing TrueCrypt software. When we grabbed one of their USB sticks from a computer, we also grabbed the memory using the Firewire port. Recover the key using the truecrypt image and the memory dump.

Given is a memory dump (128 MB) of a running Windows XP SP3 machine as well as a 32 MB file containing random data (a TrueCrypt volume image, according to the problem description).

The memory dump was supposedly extracted via the Firewire port: the Firewire specification allows devices to have full DMA access. This allows forensic analysts (or a malicious hacker) to plug into any running computer that has a Firewire port and gain full access to the machine within seconds. Papers describing the attack and tools can be found at. A different way to get a dump of the memory would be to conduct a "cold boot attack" as described in this paper.

To get an overview of the memory dump we inspect it with Volatility. Further inspection of the memory dump reveals that the operating system is Windows XP SP3, and the latest version of TrueCrypt (7.0a) is used. We see that TrueCrypt was running at the moment the dump was taken … good.

We reconstruct the setup by launching a VirtualBox installation, and we extract the memory using ManTech Memory Dumper (mdd). TrueCrypt offers the possibility to cache the passwords for mounting encrypted volumes. Comparing different memory dumps lets us conclude that password caching was not enabled in the TrueCrypt software.

We briefly summarize the relevant technical details of TrueCrypt. In order to mount an encrypted volume, TrueCrypt uses the password and/or one or more key-files to decrypt the header (the first 512 bytes of the volume). If the header gets correctly decrypted (a magic cookie is found), TrueCrypt reads the configuration (encryption algorithm and mode, etc.) as well as the master and secondary key into memory, and safely overwrites the memory regions where the password / key-file location was stored. The extracted master and secondary keys are used for any further encryption and decryption of data. Since the data is encrypted and decrypted on the fly, these keys remain in memory. (Note that recent papers suggest storing the keys in CPU registers, more specifically in SSE registers or in MSR registers instead of in RAM, in order to mitigate these attacks.) The default cipher used by TrueCrypt is AES in XTS mode, which uses two 256-bit AES keys. We have to locate these keys in the memory dump.
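Since the rest of the challenge comes down to finding two 256-bit keys in 128 MB of RAM, here is an added example of how such keys are found in practice. It is my own illustration, not code from the writeup and not the source of TrueCrypt, Volatility or aeskeyfind. The technique is the one from the cold boot paper by Halderman et al.: a bare key is indistinguishable from random data, but AES implementations keep the expanded key schedule (15 round keys, 240 bytes for AES-256) in memory, and the expansion is deterministic, so any 240-byte window whose first 32 bytes expand to the remaining 208 is a live key schedule. Everything the script scans is constructed: a 64 KiB pseudo-random stand-in for the dump, the offsets at which two schedules (a "master" and a "secondary" key, as XTS needs) are planted, and the keys themselves (the first is the FIPS-197 Appendix A.3 test key). A third key is planted without its schedule to show that a raw key alone cannot be recognised this way.

```python
# Added example: scanning a memory image for expanded AES-256 key schedules.
# A raw 256-bit key is indistinguishable from random bytes, but every AES
# implementation keeps the expanded key schedule (15 round keys, 240 bytes for
# AES-256) next to it, and the expansion is deterministic: round keys 1..14 are
# fixed functions of round key 0. So a 240-byte window whose first 32 bytes
# expand to the remaining 208 bytes is, with overwhelming probability, a live
# key schedule. This is the approach of Halderman et al.'s aeskeyfind; the code
# below is a compact reimplementation, not the original tool.
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Derive the AES S-box from its definition (GF(2^8) inverse followed by the
    affine map) rather than pasting the 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 240  # AES-256: 15 round keys * 16 bytes


def aes256_expand_key(key):
    """FIPS-197 key expansion for a 32-byte key; returns the 240-byte schedule."""
    assert len(key) == 32
    w = [bytes(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 0x01
    for i in range(8, 60):
        temp = w[i - 1]
        if i % 8 == 0:
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])  # RotWord + SubWord
            temp = bytes([temp[0] ^ rcon]) + temp[1:]
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        elif i % 8 == 4:
            temp = bytes(SBOX[b] for b in temp)                  # SubWord only
        w.append(bytes(a ^ b for a, b in zip(w[i - 8], temp)))
    return b"".join(w)


def find_aes256_schedules(buf):
    """Return [(offset, key)] for every 240-byte window that is a valid
    AES-256 key schedule. Byte-granular, since heap allocations need not be
    aligned."""
    hits = []
    for off in range(0, len(buf) - SCHEDULE_LEN + 1):
        # Cheap filter: word 9 = word 1 XOR word 8 must hold (a 4-byte check)
        # before we pay for a full expansion.
        w1 = int.from_bytes(buf[off + 4:off + 8], "big")
        w8 = int.from_bytes(buf[off + 32:off + 36], "big")
        w9 = int.from_bytes(buf[off + 36:off + 40], "big")
        if w1 ^ w8 != w9:
            continue
        key = bytes(buf[off:off + 32])
        if aes256_expand_key(key) == buf[off:off + SCHEDULE_LEN]:
            hits.append((off, key))
    return hits


def build_sample_dump(seed=1):
    """Constructed stand-in for a memory image: 64 KiB of pseudo-random filler
    with two planted schedules (a 'master' and a 'secondary' key, as XTS uses)
    and one bare key without its schedule, which the scan cannot find."""
    rng = random.Random(seed)
    dump = bytearray(rng.randbytes(64 * 1024))
    master = bytes(range(32))          # FIPS-197 A.3 test key (constructed input)
    secondary = rng.randbytes(32)      # constructed
    dump[0x1000:0x1000 + SCHEDULE_LEN] = aes256_expand_key(master)
    dump[0x8A37:0x8A37 + SCHEDULE_LEN] = aes256_expand_key(secondary)  # unaligned
    dump[0xC000:0xC020] = rng.randbytes(32)  # raw key only: indistinguishable
    return bytes(dump), master, secondary


if __name__ == "__main__":
    dump, master, secondary = build_sample_dump()
    for off, key in find_aes256_schedules(dump):
        print(f"AES-256 key schedule at 0x{off:05x}: key = {key.hex()}")
```

On a real image the scan reports the key schedules, and for XTS one expects them in pairs (data key and tweak key); implementations that also keep a separately expanded decryption schedule can yield more than one hit per key. The 4-byte pre-check rejects almost every offset without a full expansion, which is what makes a byte-granular sweep of a 128 MB dump practical even in pure Python.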