
  • Volatility Project
  • 2014-09-04
Volatility 2.4 at Blackhat Arsenal "Defeating Truecrypt Disk Encryption"
Tags: Disk Encryption, Volatility, TrueCrypt (Software), Black Hat Briefings (Conference Series), memory forensics, memory analysis
Video description: Volatility 2.4 at Blackhat Arsenal "Defeating Truecrypt Disk Encryption"

This video shows how to recover TrueCrypt passphrases and master keys from memory samples using Volatility 2.4. It also covers how to analyze suspect activity through command shell history and clipboard contents.

For more information on Volatility or memory forensics in general, see:

http://volatilityfoundation.org
https://github.com/volatilityfoundation
http://www.memoryanalysis.net
http://volatility-labs.blogspot.com

For more information on the patch applied to TrueCrypt, see:
http://mweissbacher.com/blog/2011/05/...

Text to speech narration:

This video shows how to use Volatility's new TrueCrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and Server 2012.

The suspect accesses a USB stick holding a KeePass database and two TrueCrypt file containers. He unlocks the KeePass database.

He begins to mount the first TrueCrypt volume, fruit punch.jpg.

The TrueCrypt passphrase is retrieved from KeePass. Note that the user explicitly enables password caching.

The second volume, notes.txt, is then mounted in the same way. However, this time password caching is not enabled.

As you can see, both volumes contain exploit files and payloads, including the Zeus source code. The suspect opens PowerShell and uses WinSCP to transfer several executable files to a remote FTP server.

The FTP password is also retrieved from the KeePass database and placed on the clipboard.

At this point we suspend the virtual machine to simulate capturing the suspect computer's memory.

Now we insert the seized USB stick into our analysis machine and prepare to analyze the memory sample with Volatility.

Our first plugin is truecryptpassphrase, which extracts the cached credentials quickly, but only for the first volume the suspect mounted, the one for which password caching was enabled.

truecryptmaster, on the other hand, finds the master keys of all mounted volumes and also shows the container file, algorithm, and mode.

Let's try decrypting the fruit punch file with the passphrase we extracted. This should be a straightforward process.

Once it's mounted, we can explore the contents. It appears to contain what we expected, so we'll close it for now and begin attacking the notes.txt file.

This is a 100 megabyte file encrypted with Serpent, to which we now have the master key. We'll need to create a new TrueCrypt volume with the same size and algorithm as the suspect's, but with a passphrase of our choosing.

We choose abc123 and complete the setup. We now have a template file with a TrueCrypt header to which we know the password. We write this header onto the suspect's file so that when TrueCrypt asks, we can supply a valid password.

We must then trick TrueCrypt into loading the master keys we extracted from the memory dump rather than the ones in our template's header. This is done by moving the master key file into the /etc/truecrypt directory; our patched version of TrueCrypt checks that location and uses the key if it is found.

As we prepare to mount notes.txt, keep in mind that Volatility finds master keys regardless of the algorithm, because it uses a direct, structured approach rather than one based on byte patterns. If TrueCrypt can find the keys, so can we.

As you can see, accessing this volume took a few extra steps, but it was relatively easy.

The next command locates files on TrueCrypt volumes. The suspect didn't open any of these files during his session; they were read into memory simply as a result of mounting the volume.

This quick script creates a comma-separated list of file object offsets, which we then pass to the dumpfiles plugin. Remember, TrueCrypt and other disk encryption software is transparent to the operating system, so the OS caches files on encrypted volumes in the same way it does for unencrypted volumes.

The output directory contains various cleartext executable files.
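The narration mentions a quick script that turns file object offsets into the comma-separated list dumpfiles expects, but the script itself is not shown. The Python below is an added example, not the Volatility Project's code from the video: it parses Volatility 2 filescan output, keeps only file objects whose path lies under a mounted TrueCrypt device (the \Device\TrueCryptVolume<letter> naming is assumed), de-duplicates the offsets, and builds the dumpfiles -Q command line. The filescan lines, profile name, image path and output directory are constructed placeholders.

```python
import re
import sys

# Constructed sample of Volatility 2.x filescan output (not taken from the video).
# Columns: Offset(P), #Ptr, #Hnd, Access, Name. The \Device\TrueCryptVolume<letter>
# device naming for mounted TrueCrypt volumes is an assumption of this example.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0ba9c0      2      0 R--rwd \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000003e1c4f20     16      0 R--r-d \\Device\\TrueCryptVolumeE\\payloads\\dropper.exe
0x000000003e2207b0      2      1 RW-rw- \\Device\\TrueCryptVolumeE\\zeus\\source\\client.cpp
0x000000003e3a1d60      1      0 R--r-- \\Device\\TrueCryptVolumeF\\notes\\targets.txt
0x000000003e4b0080      3      0 R--rwd \\Device\\HarddiskVolume2\\Users\\bob\\Desktop\\readme.txt
"""

# One filescan data row: physical offset, two counters, access flags, then the NT path.
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(\\.*)$")
TC_DEVICE_PREFIX = "\\Device\\TrueCryptVolume"


def truecrypt_file_offsets(filescan_output, volume=None):
    """Return the physical offsets of _FILE_OBJECTs whose path is on a TrueCrypt volume.

    volume: optional drive letter (e.g. "E") to restrict the result to one mounted volume.
    Header and separator lines are skipped because they do not match FILESCAN_LINE.
    """
    offsets = []
    for line in filescan_output.splitlines():
        match = FILESCAN_LINE.match(line.rstrip())
        if not match:
            continue
        offset, path = match.groups()
        if not path.startswith(TC_DEVICE_PREFIX):
            continue
        if volume is not None and not path.startswith(TC_DEVICE_PREFIX + volume + "\\"):
            continue
        offsets.append(offset)
    return offsets


def dumpfiles_physoffset_arg(offsets):
    """Join offsets into the comma-separated value dumpfiles -Q takes, keeping first-seen order."""
    unique = []
    for offset in offsets:
        if offset not in unique:
            unique.append(offset)
    return ",".join(unique)


def build_dumpfiles_command(filescan_output, profile, image, outdir, volume=None):
    """Build the vol.py dumpfiles invocation, or return None when nothing qualifies."""
    arg = dumpfiles_physoffset_arg(truecrypt_file_offsets(filescan_output, volume))
    if not arg:
        return None
    return "vol.py --profile=%s -f %s dumpfiles -Q %s -D %s" % (profile, image, arg, outdir)


if __name__ == "__main__":
    # Usage (placeholder names): vol.py --profile=Win8SP0x64 -f mem.raw filescan | python tc_offsets.py E
    letter = sys.argv[1] if len(sys.argv) > 1 else None
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FILESCAN
    cmd = build_dumpfiles_command(data, "Win8SP0x64", "mem.raw", "tc_dump", letter)
    print(cmd if cmd else "no file objects on TrueCrypt volumes found")
```

Because TrueCrypt is transparent to the OS, the cached file objects carry ordinary NT paths under the TrueCrypt device; filtering on the device prefix is what separates volume contents from everything else in the cache, which is the point the narration makes about the files never having been opened by the suspect.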

Let's investigate the suspect's other activity with Volatility's consoles plugin. This recovers command history and screen contents of command shells, including PowerShell and Perl and Python prompts.

Finally, the clipboard plugin shows the suspect's FTP password. Together with the consoles output, you now have the server address, user name, and password.
