Forensics/TrueCrypt
This page is based on the Linux version of TrueCrypt.
TrueCrypt is a complicated application and even the truecrypt -h output is a chore to read. You will probably find it helpful anyway.
$ ls -aln .TrueCrypt/
total 44
drwx------   2 1000 1000   80 Mar  8 13:21 .
drwxr-xr-x 164 1000 1000 8192 Mar  9 18:45 ..
-rw-------   1 1000 1000 1765 Jan 28 16:46 Configuration.xml
-rw-------   1 1000 1000  299 Nov 16  2010 Favorite Volumes.xml
-rw-------   1 1000 1000  449 Jan 28 16:46 History.xml
prw-------   1 1000 1000    0 Mar  8 13:21 .show-request-queue

$ cat .TrueCrypt/Configuration.xml
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <configuration>
    <config key="BackgroundTaskEnabled">1</config>
    <config key="BackgroundTaskMenuDismountItemsEnabled">1</config>
    <config key="BackgroundTaskMenuMountItemsEnabled">1</config>
    <config key="BackgroundTaskMenuOpenItemsEnabled">1</config>
    <config key="BeepAfterHotkeyMountDismount">0</config>
    <config key="CachePasswords">0</config>
    <config key="CloseBackgroundTaskOnNoVolumes">1</config>
    <config key="CloseExplorerWindowsOnDismount">1</config>
    <config key="CloseSecurityTokenSessionsAfterMount">0</config>
    <config key="DisableKernelEncryptionModeWarning">0</config>
    <config key="DismountOnInactivity">0</config>
    <config key="DismountOnLogOff">1</config>
    <config key="DismountOnPowerSaving">1</config>
    <config key="DismountOnScreenSaver">0</config>
    <config key="DisplayMessageAfterHotkeyDismount">0</config>
    <config key="BackgroundTaskEnabled">1</config>
    <config key="FilesystemOptions">noatime</config>
    <config key="ForceAutoDismount">1</config>
    <config key="LastSelectedSlotNumber">1</config>
    <config key="MaxVolumeIdleTime">60</config>
    <config key="MountDevicesOnLogon">0</config>
    <config key="MountFavoritesOnLogon">0</config>
    <config key="MountVolumesReadOnly">0</config>
    <config key="MountVolumesRemovable">0</config>
    <config key="NoHardwareCrypto">0</config>
    <config key="NoKernelCrypto">0</config>
    <config key="OpenExplorerWindowAfterMount">0</config>
    <config key="PreserveTimestamps">1</config>
    <config key="SaveHistory">1</config>
    <config key="StartOnLogon">0</config>
    <config key="UseKeyfiles">0</config>
    <config key="WipeCacheOnAutoDismount">1</config>
    <config key="WipeCacheOnClose">0</config>
  </configuration>
</TrueCrypt>

$ cat .TrueCrypt/Favorite\ Volumes.xml
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <favorites>
    <volume mountpoint="/media/truecrypt1" readonly="0" slotnumber="1" system="0">/dev/sdb1</volume>
    <volume mountpoint="/media/truecrypt10" readonly="0" slotnumber="10" system="0">work/redact.tc</volume>
  </favorites>
</TrueCrypt>

$ cat .TrueCrypt/History.xml
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <history>
    <volume>/dev/sdb1</volume>
    <volume>/home/mdf/fs/ifs/mfoster/redact.tc</volume>
    <volume>/home/mdf/work/redact.tc</volume>
    <volume>/home/mdf/work/redact.tc</volume>
    <volume>/dev/sdc1</volume>
    <volume>work/redact.tc</volume>
    <volume>work.tc</volume>
    <volume>/home/mdf/crypt1</volume>
    <volume>/home/mdf</volume>
    <volume>cryptlocal</volume>
  </history>
</TrueCrypt>

$ file .TrueCrypt/.show-request-queue
.TrueCrypt/.show-request-queue: fifo (named pipe)

$ sudo lsof -n | grep show-request
(If truecrypt is not running, this produces no output.)
truecrypt 4773 mdf 14u FIFO 8,7 0t0 13717 /home/mdf/.TrueCrypt/.show-request-queue
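To pull these three files apart without reading the XML by eye, here is an added example (not part of the original page or of TrueCrypt itself) that parses them with Python's standard library. The embedded samples are constructed from the listings above, and the examiner_notes reading of the settings is my own interpretation of what each key means for the evidence that survives.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the ~/.TrueCrypt listings above.
CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt><configuration>
<config key="CachePasswords">0</config>
<config key="DismountOnInactivity">0</config>
<config key="MaxVolumeIdleTime">60</config>
<config key="PreserveTimestamps">1</config>
<config key="SaveHistory">1</config>
</configuration></TrueCrypt>"""

FAVORITES_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt><favorites>
<volume mountpoint="/media/truecrypt1" readonly="0" slotnumber="1" system="0">/dev/sdb1</volume>
<volume mountpoint="/media/truecrypt10" readonly="0" slotnumber="10" system="0">work/redact.tc</volume>
</favorites></TrueCrypt>"""

HISTORY_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt><history>
<volume>/dev/sdb1</volume>
<volume>/home/mdf/work/redact.tc</volume>
<volume>/home/mdf/work/redact.tc</volume>
<volume>work/redact.tc</volume>
</history></TrueCrypt>"""

def parse_config(text):
    """Map every <config key=...> element to its text value."""
    return {c.get("key"): c.text for c in ET.fromstring(text).iter("config")}

def parse_favorites(text):
    """One dict per favorite: mountpoint/slot attributes plus the container path."""
    return [dict(v.attrib, path=v.text) for v in ET.fromstring(text).iter("volume")]

def parse_history(text):
    """Distinct container paths the user mounted, in first-seen order (duplicates collapsed)."""
    return list(dict.fromkeys(v.text for v in ET.fromstring(text).iter("volume")))

def examiner_notes(config):
    """Settings that decide what evidence survives: is History.xml kept, may passphrases sit in
    the process cache, are container timestamps restored after use, how soon do idle volumes go."""
    idle = config.get("DismountOnInactivity") == "1"
    return {
        "history_recorded": config.get("SaveHistory") == "1",
        "passwords_cached": config.get("CachePasswords") == "1",
        "container_timestamps_preserved": config.get("PreserveTimestamps") == "1",
        "auto_dismount_minutes": int(config["MaxVolumeIdleTime"]) if idle else None,
    }
```

On a real image, read each file from the seized home directory and pass its contents to the matching function; PreserveTimestamps=1 means the container file's mtime will not tell you when it was last used.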
Further information that would be good to know...
- How does the process respond to signals, e.g. INTR and HUP? Note any interesting results.
- Take a core dump using SIGABRT, run strings -a against the core dump, and obtain a backtrace.
- Use elfdump and ldd to show the ELF signatures and shared library (.so) linkages