Cracking TrueCrypt files in minutes? Or just TrueCrypt hard drives in minutes?

2

2

Apparently http://www.lostpassword.com/kit-forensic.htm can be used to crack TrueCrypt hard drive encryption. Has anyone tried it, and is it possible to crack TrueCrypt files too with this software?

Passware Kit Forensic, complete with Passware FireWire Memory Imager, is the first and only commercial software that decrypts BitLocker and TrueCrypt hard disks, and instantly recovers Mac and Windows login passwords of seized computers.

oshirowanen

Posted 2012-12-11T17:02:50.720

Reputation: 1 858

I'm pretty skeptical of this. – cutrightjm – 2012-12-11T17:10:50.877

1 @ekaj - it is a legit vulnerability, but the list of caveats is long, and it's really an attack on Windows rather than on TrueCrypt or any of its cipher implementations. It made Slashdot 3 or 4 years ago. – Frank Thomas – 2012-12-11T17:12:45.587

Answers

12

This attack only works on Full-Disk Encrypted systems, or otherwise requires that the volume be mounted at the time the attack is undertaken (or when the system last hibernated). The attack works by accessing the key in RAM, which wouldn't be possible in the case of an unmounted volume. If the key cannot be found in memory, it attempts to find it in hiberfil.sys, but if the volume was not loaded during the last hibernation, the key will not be there either.

NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume. http://www.lostpassword.com/hdd-decryption.htm

So, use a strong password, disable hibernation, and do not mount volumes on boot (only mount on demand when you need to, and dismount when you are done) and you should be pretty safe against this tool.

Frank Thomas

Posted 2012-12-11T17:02:50.720

Reputation: 29 039

Meh, makes sense. – cutrightjm – 2012-12-11T17:14:25.643

You don't have to completely disable hibernation, just don't do it with a tc volume mounted. – martineau – 2012-12-11T18:04:42.057

It also seems like if you used a key file that you kept on a thumbdrive that only you possessed, that it would be impossible. – martineau – 2012-12-11T18:13:07.140

1 You are right on the hibernation. Not sure on the keyfile. Most of the time, files that are used are loaded into RAM, so unless there's something I'm missing, the key file would then be present in the memory image. – Frank Thomas – 2012-12-11T19:13:41.897
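An added example, not part of the original answer or thread: a PowerShell check for the conditions the answer above describes (hibernation enabled, a hiberfil.sys left on disk, TrueCrypt currently running). The process name `TrueCrypt` is an assumption; run it in an elevated session on the machine that holds the volumes.

```powershell
# Added example (not from the thread): audit the hibernation exposure described above.
$findings = @()

# 1. Is hibernation enabled? HibernateEnabled = 1 means Windows may write RAM
#    contents, including keys of mounted volumes, to hiberfil.sys.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -Name HibernateEnabled -ErrorAction SilentlyContinue
$hibernateOn = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)
if ($hibernateOn) {
    $findings += 'Hibernation is enabled. "powercfg /h off" disables it and removes hiberfil.sys.'
}

# 2. Is a hibernation file present? It is a hidden system file, so -Force is required.
$hiberPath = Join-Path $env:SystemDrive 'hiberfil.sys'
$hiberFile = Get-Item -LiteralPath $hiberPath -Force -ErrorAction SilentlyContinue
$lastWrite = if ($hiberFile) { $hiberFile.LastWriteTime } else { $null }
if ($hiberFile) {
    $findings += "hiberfil.sys exists (last written $lastWrite). If a volume was mounted at that hibernation, its key may be in the file."
}

# 3. Is TrueCrypt running now? ASSUMPTION: the GUI process is named 'TrueCrypt'.
#    A running process does not prove a volume is mounted; treat it as a prompt to check.
$tc = Get-Process -Name 'TrueCrypt' -ErrorAction SilentlyContinue
if ($tc) {
    $findings += 'TrueCrypt is running. Dismount all volumes before hibernating or leaving the machine unattended.'
}

# Summary object for logging, followed by one warning per finding.
[pscustomobject]@{
    HibernationEnabled = $hibernateOn
    HiberfilPresent    = [bool]$hiberFile
    HiberfilLastWrite  = $lastWrite
    TrueCryptRunning   = [bool]$tc
}
$findings | ForEach-Object { Write-Warning $_ }
```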

-2

I strongly doubt this. The only decryption methods for TrueCrypt containers to my knowledge are brute force ones, and thus if you have a strong passphrase and your system is not compromised by a keylogger or other malware it will not be possible to recover a TrueCrypt file within minutes. This is an article about a TrueCrypt brute force tool, unfortunately in German, but it's quite slow and so I really doubt the statements made for this toolset.

Since being downvoted I want to clarify my statement: if you have a dismounted TrueCrypt container and no hiberfil to look for the password, chances will be minimal with brute force in case of a strong password. Of course, with a system in hibernation state and with a mounted TrueCrypt container you are vulnerable.

Florian Storck

Posted 2012-12-11T17:02:50.720

Reputation: 266