Posts: 5
Threads: 1
Joined: Jan 2017
Hey Everyone,
I am in a really huge bind.
Unfortunately one of my Co-Workers (head developer) passed away over the weekend. It has come to light that he had TrueCrypt on his PC, which has many programs and projects on it, that were not available anywhere else.
Another co-worker tried to log into his PC as our Domain Administrator account (developers PC was at the lock screen).
It appears he had a login script that basically shut the PC down due to an account other than his logging in.
Needless to say the PC is now at the Bootloader screen asking for his TC password (which we do not have).
Is there any way to get his password out of his drive? This is I am assuming a full drive encryption.
I have tried using the DD for Windows thing to get a .bin file, but I do not know what to do with it beyond that point.
Posts: 2,267
Threads: 16
Joined: Feb 2013
01-24-2017, 10:33 PM
(This post was last modified: 01-24-2017, 10:34 PM by philsmd.)
I'm very sorry to hear that.
Please try with the method explained here:
https://hashcat.net/faq#how_do_i_extract...pt_volumes
Hope that it helps (and that the password is not too difficult!)
Posts: 5
Threads: 1
Joined: Jan 2017
01-24-2017, 11:34 PM
(This post was last modified: 01-24-2017, 11:42 PM by Kriptoker.
Edit Reason: Added Source
)
Thank you. He was a good guy, unfortunately he just refused to take care of his health.
I tried this command: dd if= \\?\Device\Harddisk1\DR2 of=64.bin count=64 and I got an 'Error reading file: 87 The parameter is incorrect'. All I found online said something about the data size was having an issue.
So I changed the command to: dd if= \\?\Device\Harddisk1\DR2 of=64.bin bs=4096 count=64 and I received no error and a .bin file was created.
Did I do that part right?
This is where I got the command I ran:
https://passcovery.com/helpdesk/knowledg...article=48 (minus the bs=4096 that I found on the DD site)
Posts: 2,267
Threads: 16
Joined: Feb 2013
wait, didn't you say it is a TrueCrypt boot volume ?
If so, the command you should be using is:
Code:
dd if=...DR2 of=boot_loader.tc bs=1 skip=31744 count=512
at least this is what I get from reading the hashcat wiki ("for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes).")
Posts: 5
Threads: 1
Joined: Jan 2017
Thank you,
That really helped me a lot as I did not really understand what it was saying.
I think/hope i have the right contents now, from the drive.
I am currently running hashcat with the file, so we will see.
Again, thank you.
Posts: 5
Threads: 1
Joined: Jan 2017
I have a random question.
I am using the brute force option, with an incrementing length.
However, knowing that my co-worker would not use all numbers or all letters, or all special characters, is there a way to make the script not try these combinations?
So that any and all combinations will have at least two character types?
If it is in the Wiki, could you point me in the right direction please?
Posts: 2,267
Threads: 16
Joined: Feb 2013
01-27-2017, 09:19 AM
(This post was last modified: 01-27-2017, 09:24 AM by philsmd.)
Yeah, it seems that this is the perfect use case for a mask file (see
https://hashcat.net/wiki/doku.php?id=mas...mask_files) in combination with a reduced set of characters per position (see
https://hashcat.net/wiki/doku.php?id=mas...m_charsets).
Depending on how the policy is that you want to apply, you also might want to look for the maskgen tool of PACK (
http://thesprawl.org/projects/pack/ , which can automatically generate .hcmask files for you).
Posts: 5
Threads: 1
Joined: Jan 2017
Great, thank you for the info.