Forensics/TrueCrypt

From ConShell

This page describes the Linux version of TrueCrypt; artifact locations and some settings differ on other platforms.

TrueCrypt is a complicated application, and even the truecrypt -h output is a chore to read. It is still worth reading before working through the artifacts below.

Per-user state lives in ~/.TrueCrypt (here /home/mdf/.TrueCrypt):

$ ls -aln .TrueCrypt/
total 44
drwx------   2 1000 1000   80 Mar  8 13:21 .
drwxr-xr-x 164 1000 1000 8192 Mar  9 18:45 ..
-rw-------   1 1000 1000 1765 Jan 28 16:46 Configuration.xml
-rw-------   1 1000 1000  299 Nov 16  2010 Favorite Volumes.xml
-rw-------   1 1000 1000  449 Jan 28 16:46 History.xml
prw-------   1 1000 1000    0 Mar  8 13:21 .show-request-queue


$ cat .TrueCrypt/Configuration.xml 
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
	<configuration>
		<config key="BackgroundTaskEnabled">1</config>
		<config key="BackgroundTaskMenuDismountItemsEnabled">1</config>
		<config key="BackgroundTaskMenuMountItemsEnabled">1</config>
		<config key="BackgroundTaskMenuOpenItemsEnabled">1</config>
		<config key="BeepAfterHotkeyMountDismount">0</config>
		<config key="CachePasswords">0</config>
		<config key="CloseBackgroundTaskOnNoVolumes">1</config>
		<config key="CloseExplorerWindowsOnDismount">1</config>
		<config key="CloseSecurityTokenSessionsAfterMount">0</config>
		<config key="DisableKernelEncryptionModeWarning">0</config>
		<config key="DismountOnInactivity">0</config>
		<config key="DismountOnLogOff">1</config>
		<config key="DismountOnPowerSaving">1</config>
		<config key="DismountOnScreenSaver">0</config>
		<config key="DisplayMessageAfterHotkeyDismount">0</config>
		<config key="BackgroundTaskEnabled">1</config>
		<config key="FilesystemOptions">noatime</config>
		<config key="ForceAutoDismount">1</config>
		<config key="LastSelectedSlotNumber">1</config>
		<config key="MaxVolumeIdleTime">60</config>
		<config key="MountDevicesOnLogon">0</config>
		<config key="MountFavoritesOnLogon">0</config>
		<config key="MountVolumesReadOnly">0</config>
		<config key="MountVolumesRemovable">0</config>
		<config key="NoHardwareCrypto">0</config>
		<config key="NoKernelCrypto">0</config>
		<config key="OpenExplorerWindowAfterMount">0</config>
		<config key="PreserveTimestamps">1</config>
		<config key="SaveHistory">1</config>
		<config key="StartOnLogon">0</config>
		<config key="UseKeyfiles">0</config>
		<config key="WipeCacheOnAutoDismount">1</config>
		<config key="WipeCacheOnClose">0</config>
	</configuration>
</TrueCrypt>


$ cat .TrueCrypt/Favorite\ Volumes.xml 
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
	<favorites>
		<volume mountpoint="/media/truecrypt1" readonly="0" slotnumber="1" system="0">/dev/sdb1</volume>
		<volume mountpoint="/media/truecrypt10" readonly="0" slotnumber="10" system="0">work/redact.tc</volume>
	</favorites>
</TrueCrypt>

$ cat .TrueCrypt/History.xml 
<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
	<history>
		<volume>/dev/sdb1</volume>
		<volume>/home/mdf/fs/ifs/mfoster/redact.tc</volume>
		<volume>/home/mdf/work/redact.tc</volume>
		<volume>/home/mdf/work/redact.tc</volume>
		<volume>/dev/sdc1</volume>
		<volume>work/redact.tc</volume>
		<volume>work.tc</volume>
		<volume>/home/mdf/crypt1</volume>
		<volume>/home/mdf</volume>
		<volume>cryptlocal</volume>
	</history>
</TrueCrypt>
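The three XML files above are the main per-user artifacts. The following script is an added example, not part of this page or of TrueCrypt itself: it parses Configuration.xml, Favorite Volumes.xml and History.xml, lists every volume the user has pointed TrueCrypt at (noting which entries are device nodes, absolute container paths, or relative paths that can only be resolved against the working directory truecrypt was launched from), and turns the settings that change what an examiner can expect to recover into short findings. The embedded XML is constructed to mirror the dumps above; triage_dir() runs the same logic against a real or exported ~/.TrueCrypt directory.

```python
"""Triage the per-user TrueCrypt artifacts kept under ~/.TrueCrypt (Linux build)."""
import os
import xml.etree.ElementTree as ET

# Constructed samples shaped like the dumps on this page; not from a live system.
CONFIGURATION_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <configuration>
    <config key="BackgroundTaskEnabled">1</config>
    <config key="CachePasswords">0</config>
    <config key="DismountOnInactivity">0</config>
    <config key="DismountOnLogOff">1</config>
    <config key="BackgroundTaskEnabled">1</config>
    <config key="MaxVolumeIdleTime">60</config>
    <config key="SaveHistory">1</config>
    <config key="UseKeyfiles">0</config>
    <config key="WipeCacheOnClose">0</config>
  </configuration>
</TrueCrypt>"""

FAVORITES_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <favorites>
    <volume mountpoint="/media/truecrypt1" readonly="0" slotnumber="1" system="0">/dev/sdb1</volume>
    <volume mountpoint="/media/truecrypt10" readonly="0" slotnumber="10" system="0">work/redact.tc</volume>
  </favorites>
</TrueCrypt>"""

HISTORY_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
  <history>
    <volume>/dev/sdb1</volume>
    <volume>/home/mdf/work/redact.tc</volume>
    <volume>/home/mdf/work/redact.tc</volume>
    <volume>work/redact.tc</volume>
    <volume>cryptlocal</volume>
  </history>
</TrueCrypt>"""


def _root(text):
    # The files carry an XML declaration, so hand the parser bytes rather than str.
    return ET.fromstring(text.encode("utf-8") if isinstance(text, str) else text)


def parse_configuration(text):
    """Return ({key: value}, [duplicated keys]).  Last occurrence wins, which is
    what a naive reader sees; duplicates are reported so the raw file gets a look."""
    settings, duplicates = {}, []
    for cfg in _root(text).iter("config"):
        key = cfg.get("key")
        if key in settings:
            duplicates.append(key)
        settings[key] = (cfg.text or "").strip()
    return settings, duplicates


def parse_favorites(text):
    return [{"path": (v.text or "").strip(), "mountpoint": v.get("mountpoint"),
             "slot": int(v.get("slotnumber", "0")), "readonly": v.get("readonly") == "1",
             "system": v.get("system") == "1"} for v in _root(text).iter("volume")]


def parse_history(text):
    return [(v.text or "").strip() for v in _root(text).iter("volume")]


def classify_path(path):
    """History and favourites mix device nodes, absolute container paths, and
    paths relative to whatever directory truecrypt was launched from."""
    if path.startswith("/dev/"):
        return "block device"
    if os.path.isabs(path):
        return "absolute path"
    return "relative path (resolve against the cwd truecrypt was started from)"


def referenced_volumes(favorites, history):
    """Ordered, de-duplicated (path, kind) list across both files."""
    seen = {}
    for path in [f["path"] for f in favorites] + history:
        seen.setdefault(path, classify_path(path))
    return list(seen.items())


def config_findings(settings, duplicates):
    """Settings that change what an examiner can expect to find, as short notes."""
    notes = []
    if settings.get("SaveHistory") == "1":
        notes.append("SaveHistory=1: History.xml records recently mounted volumes")
    if settings.get("CachePasswords") == "1":
        notes.append("CachePasswords=1: passwords are cached after mount; "
                     "WipeCacheOnClose=%s" % settings.get("WipeCacheOnClose"))
    if settings.get("UseKeyfiles") == "1":
        notes.append("UseKeyfiles=1: default keyfiles are used alongside the password")
    if settings.get("DismountOnInactivity") == "0":
        notes.append("DismountOnInactivity=0: MaxVolumeIdleTime=%s is not enforced"
                     % settings.get("MaxVolumeIdleTime"))
    if settings.get("DismountOnLogOff") == "1":
        notes.append("DismountOnLogOff=1: volumes are unlikely to survive a logoff")
    for key in duplicates:
        notes.append("duplicate key %s: check the raw file" % key)
    return notes


def triage(config_text=CONFIGURATION_XML, favorites_text=FAVORITES_XML,
           history_text=HISTORY_XML):
    settings, duplicates = parse_configuration(config_text)
    favorites = parse_favorites(favorites_text)
    return {"settings": settings, "favorites": favorites,
            "volumes": referenced_volumes(favorites, parse_history(history_text)),
            "findings": config_findings(settings, duplicates)}


def triage_dir(tc_dir):
    """Run the triage on a real ~/.TrueCrypt directory (or an exported copy of it)."""
    def read(name):
        with open(os.path.join(tc_dir, name), "rb") as fh:
            return fh.read()
    return triage(read("Configuration.xml"), read("Favorite Volumes.xml"), read("History.xml"))


if __name__ == "__main__":
    report = triage()
    for path, kind in report["volumes"]:
        print("%-36s %s" % (path, kind))
    for note in report["findings"]:
        print("! " + note)
```

Relative entries such as work/redact.tc and cryptlocal are the ones to chase: they only make sense together with the shell history or desktop launcher that shows where truecrypt was started from.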

$ file .TrueCrypt/.show-request-queue 
.TrueCrypt/.show-request-queue: fifo (named pipe)

$ sudo lsof -n | grep show-request
(If truecrypt is not running, this produces no output.)
truecrypt 4773        mdf   14u     FIFO        8,7      0t0      13717 /home/mdf/.TrueCrypt/.show-request-queue

Further information that would be good to know:

  • How the process responds to signals such as SIGINT and SIGHUP, noting any interesting results (whether it dismounts, wipes its cache, or leaves volumes mounted)
  • Take a core dump and run strings -a against it, plus a backtrace. gcore (from gdb) dumps a running process without killing it; sending SIGABRT terminates the process and only writes a core if the core file size limit and core_pattern allow it. Either way the dump may hold volume keys and cached passwords, so treat it as evidence.
  • Use readelf (elfdump on Solaris/BSD) and ldd to show the ELF headers and shared library (.so) linkages. ldd may execute the dynamic loader of the binary it inspects, so on a suspect binary prefer readelf -d or objdump -p.
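As an added example for the process-inspection items above (not code from this page or from TrueCrypt): a read-only look at a running truecrypt process through /proc. It finds the PIDs, lists the descriptors holding the .show-request-queue FIFO (the same fact lsof reported above, without lsof), reads the shared objects actually mapped into the process from /proc/<pid>/maps as a live alternative to ldd, and checks the core file limit and core_pattern so you know in advance whether a SIGABRT would yield a core and where it would land. The maps and limits texts embedded below are constructed; the parsers follow the documented /proc formats. It does not send any signal itself.

```python
"""Inspect a live truecrypt process through /proc before taking a core (Linux)."""
import os
import re


def find_pids(comm="truecrypt", proc="/proc"):
    """PIDs whose /proc/<pid>/comm equals comm (the kernel truncates comm to 15 chars)."""
    pids = []
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "comm")) as fh:
                    if fh.read().strip() == comm[:15]:
                        pids.append(int(entry))
            except OSError:          # process vanished or not ours to read
                pass
    return sorted(pids)


def fifo_fds(pid, name=".show-request-queue", proc="/proc"):
    """(fd, target) pairs whose link target ends with the FIFO name."""
    fddir = os.path.join(proc, str(pid), "fd")
    hits = []
    for fd in os.listdir(fddir):
        try:
            target = os.readlink(os.path.join(fddir, fd))
        except OSError:
            continue
        if target.endswith(name):
            hits.append((int(fd), target))
    return sorted(hits)


# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+"
                       r"(?P<inode>\d+)\s*(?P<path>.*)$")


def mapped_files(maps_text):
    """File-backed mappings keyed by path: whether any segment is executable and
    whether the file was unlinked or replaced after loading ('(deleted)' suffix)."""
    files = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or m.group("inode") == "0":
            continue                 # anonymous memory, [stack], [heap], [vdso]
        path, deleted = m.group("path").strip(), False
        if path.endswith(" (deleted)"):
            path, deleted = path[:-len(" (deleted)")], True
        if not path or path.startswith("["):
            continue
        rec = files.setdefault(path, {"exec": False, "deleted": False})
        rec["exec"] = rec["exec"] or "x" in m.group("perms")
        rec["deleted"] = rec["deleted"] or deleted
    return files


def shared_objects(maps_text):
    """Only the .so mappings, sorted: what is loaded, not what the headers ask for."""
    return sorted(p for p in mapped_files(maps_text) if ".so" in os.path.basename(p))


CORE_LINE = re.compile(r"^Max core file size\s+(\S+)\s+(\S+)")


def core_limit(limits_text):
    """(soft, hard) from /proc/<pid>/limits; a soft limit of '0' means SIGABRT
    kills the process without writing a core."""
    for line in limits_text.splitlines():
        m = CORE_LINE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def core_destination(core_pattern):
    """Where a core would go according to /proc/sys/kernel/core_pattern."""
    pattern = core_pattern.strip()
    if pattern.startswith("|"):      # piped to a crash handler, not written to disk
        return "piped to handler: " + pattern[1:].split()[0]
    return "written as %r (a relative pattern lands in the process cwd)" % pattern


# Constructed sample texts so the parsers can be exercised offline.
SAMPLE_MAPS = """\
08048000-08a30000 r-xp 00000000 08:07 13700      /usr/bin/truecrypt
08a30000-08a40000 rw-p 009e7000 08:07 13700      /usr/bin/truecrypt
b7300000-b7340000 rw-p 00000000 00:00 0
b7400000-b7520000 r-xp 00000000 08:07 2100       /lib/i386-linux-gnu/libc-2.13.so
b7520000-b7522000 rw-p 00120000 08:07 2100       /lib/i386-linux-gnu/libc-2.13.so
b7600000-b7610000 r-xp 00000000 08:07 4321       /usr/lib/libfuse.so.2.8.4 (deleted)
bffd0000-bfff0000 rw-p 00000000 00:00 0          [stack]
"""
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files
"""


def inspect(pid, proc="/proc"):
    """Live report for one PID; reads /proc only and never signals the process."""
    def read(*parts):
        with open(os.path.join(proc, *parts)) as fh:
            return fh.read()
    maps = read(str(pid), "maps")
    return {"fifo": fifo_fds(pid, proc=proc), "libs": shared_objects(maps),
            "deleted": [p for p, r in mapped_files(maps).items() if r["deleted"]],
            "core_limit": core_limit(read(str(pid), "limits")),
            "core_to": core_destination(read("sys", "kernel", "core_pattern"))}


if __name__ == "__main__":
    for pid in find_pids():
        print(pid, inspect(pid))
```

A library shown as deleted is worth a second look: it means the file on disk is no longer the one the process loaded, which happens after a package upgrade but also after tampering. The core_limit and core_to values tell you whether to raise the limit (or simply use gcore) before touching the process.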

Back to Forensics