TrueCrypt Master Key Extraction and Volume Identification 222
An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."
Burn after reading? (Score:4, Insightful)
What would be sweet... (Score:5, Insightful)
Given that we're in an era of low-cost portable devices (Raspberry-Pi, BeagleBoard, etc.), it would be really nice if TrueCrypt could implement a driver that passed data off to an external, open-source device for processing that held the keys in its own memory, and provided no other service than to perform the cryptographic functions and hand back the data. It would be slower, but at least then you don't have the keys in memory on a general purpose computer running browsers, java, flash, adobe reader, etc. etc.
Take one of those devices and attach a small screen to them and you could enter your passphrase using a keyboard attached directly to them, and use a keyfile on a flash stick plugged into the USB port too. The distro powering all of this could be minimal and audited.
Re:Burn after reading? (Score:5, Insightful)
TrueCrypt has to keep the keys somewhere so long as a volume is mounted. Whatever happens, so long as it's not currently on the CPU (and potentially even if it is), something that can read its data structures is always going to be able to find the keys in RAM if the structure is known. Maybe if TrueCrypt has some crazy polymorphic engine and corresponding polymorphic data structure that changed on every run it could get very difficult, but probably not impossible, to extract them.
Re:What would be sweet... (Score:4, Insightful)
There's already a market for Pi cases, I don't see why not..
In other words (Score:5, Insightful)
Shut your machine OFF before you get to the border; don't put it to sleep.
Re:Burn after reading? (Score:4, Insightful)
Upon unmount, TC should write (and overwrite) lots of random junk to the ram it was using to store keys so you don't have to worry about stale ram recovery techniques.
Re:In other words (Score:4, Insightful)
can the border goons compel someone to boot the machine (supplying whatever passwords are necessary to do so) to enter?
No legal power to compel, but refusal is "suspicious behaviour" and is going to fuck up your trip until some real lawyers show up and say the court battle isn't worth the prize. Your name will go on a watch list and goons the world over will give you grief for years to come, but your porn collection will remain private.