3/9/2023

Using TrueCrypt

One of our clients recently approached us for assistance with recovering data from a laptop hard drive which had been encrypted using TrueCrypt. A hardware repair gone wrong had led to problems booting the operating system and a variety of attempted fixes had been unsuccessful. They had already sent the drive to a specialist data recovery firm, who imaged the disk successfully but found the contents to be encrypted and couldn’t make any progress. The laptop contained some business-critical data which hadn’t been backed up, so our client was understandably very keen to get it back. Because they were adamant that they knew the correct TrueCrypt passphrase, they still had the TrueCrypt Rescue Disk for the laptop, and the data recovery firm had confirmed that there were no problems with the drive at the physical level, we thought there was a good chance that we could help.

Most readers will be familiar with TrueCrypt, an open-source package that allows for encryption of entire disks, partitions, removable drives or container files, and might also have heard about the rather bizarre way in which the TrueCrypt developers pulled the plug on the project in early 2014. Nonetheless, it is still in widespread use (including by our client, obviously), most experts still consider it to be secure, and there remains sufficient interest in it for a crowd-funded security audit to have recently been carried out by NCC Group’s Cryptography Services team. Of course, our particular task here was not related to the “security” or otherwise of TrueCrypt – we had been given the correct passphrase, so we didn’t have to try to attack TrueCrypt’s cryptography in any way. We simply had to try to work out what had happened, and recover the original data.

The drive in question had the full-disk encryption (FDE) flavour of TrueCrypt installed.

- The user supplies a passphrase, and a volume encryption key is randomly generated by TrueCrypt.
- A new master boot record (MBR) and bootloader are written to the first track of the disk.
- The volume encryption key – along with some metadata – is encrypted under a key derived from the passphrase to form a 512-byte volume header, and this is written to the final sector of the first track.
- All of the subsequent sectors on the drive are encrypted using the volume encryption key, in XTS mode.

Further details of the cryptography are available in the TrueCrypt documentation (which isn’t officially available any more, but you will find a version if you Google for it). Note that the user can select the encryption algorithm to be used (AES, Serpent, Twofish, or a “cascade” of multiple algorithms), and the hash algorithm to be used in generating a key from the passphrase (RIPEMD-160, SHA-512 or Whirlpool).

Before the drive is encrypted, TrueCrypt forces the user to create a “rescue disk”, which is a CD containing a copy of the original contents of the first track, plus a copy of the new contents of the first track (i.e. the TrueCrypt MBR, bootloader, and volume header). The idea is that this is kept safe (although it’s of little use to an attacker in itself, without the passphrase), because it might be useful if the drive suffers any corruption. By booting the encrypted machine from the CD, the user is presented with the following four “repair” options:

The last three of these options simply involve copying the relevant data from the CD to the hard drive. The first one requires the user to supply the passphrase, and then uses the copy of the volume header on the CD to derive the volume encryption key, and carry out a sector-by-sector decryption of the drive.

Timeline

Before the equipment was shipped to us, we asked our client for as much detail as they could provide on what had happened to the drive, and this is roughly what they told us:

- The laptop in question had a broken screen, so the IT department decided to transfer the drive to a new machine temporarily, while the screen was repaired. This was a process they had carried out successfully in the past.
- The drive had to be swapped back and forth a couple of times, in order to confirm some networking settings.
- At some point during this process, the operating system stopped booting successfully.
- Windows startup repair was used in an attempt to rectify the situation, but was unsuccessful. The TrueCrypt Rescue CD was retrieved, and the “decrypt drive” option was run successfully.
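
The layout described above (a first track whose final sector holds the 512-byte volume header, followed by encrypted sectors) suggests a first triage step on a disk image: compare the on-disk first track with the rescue-disk copy, and find data sectors that no longer look like ciphertext. This is an added example, not code from the original post; the 63-sector track, the 512-byte sector size, the entropy threshold, and all function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
SECTORS_PER_TRACK = 63               # assumption: classic 63-sector first track
HEADER_LBA = SECTORS_PER_TRACK - 1   # volume header: final sector of first track

def sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for constant data, near 8 for ciphertext."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def triage(image: bytes, rescue_track: bytes, threshold: float = 7.0) -> dict:
    """Diff the on-disk first track against the rescue copy, then classify the rest."""
    differing = [lba for lba in range(SECTORS_PER_TRACK)
                 if sector(image, lba) != sector(rescue_track, lba)]
    total = len(image) // SECTOR
    plain = [lba for lba in range(SECTORS_PER_TRACK, total)
             if entropy(sector(image, lba)) < threshold]
    return {
        "header_matches_rescue": HEADER_LBA not in differing,
        "first_track_differs_at": differing,
        "low_entropy_data_sectors": plain,   # candidates for plaintext or zeroed data
    }

def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def build_sample() -> tuple[bytes, bytes]:
    """Constructed image: first track, 4 ciphertext-like sectors, 2 plaintext-like."""
    rescue = pseudo_random(b"track", SECTORS_PER_TRACK * SECTOR)
    track = bytearray(rescue)
    track[:SECTOR] = b"\x00" * 510 + b"\x55\xaa"   # sector 0 altered (constructed)
    plain = b"NTFS    ".ljust(SECTOR, b"\x00") * 2
    data = pseudo_random(b"data", 4 * SECTOR) + plain
    return bytes(track) + data, rescue

if __name__ == "__main__":
    image, rescue = build_sample()
    print(triage(image, rescue))
```

Run against a working copy of the image, never the original drive; a mixed result (some data sectors high-entropy, some not) indicates a drive that is only partly in the encrypted state.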