hashcat Forum
Deceased Brother's Veracrypt - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Deceased Brother's Veracrypt (/thread-11828.html)



Deceased Brother's Veracrypt - RyRudiger24 - 02-21-2024

Hi i'm posting to get some Veracrypt related help on behalf of a friend who's Brother sadly passed away.

Upon booting Windows this is the screen prompted with:
https://imgur.com/a/AOxPAVj

After many incorrect attempts, he's then taken to this screen:
https://imgur.com/a/nLEEH9O

Thankfully he guessed his Brother's pin and can access the Desktop + C drive.

On disk management this is what shows:
https://imgur.com/a/7YEqDqZ

The theory is, the encrypted drive is the D drive
which also has another OS on it

This is the default BIOS boot order:
https://imgur.com/a/74CkX1f

I've told him that it may be possible to extract the VeraCrypt hash (OS is Windows)
and perform some attacks on already existing known passwords.

I just don't have the knowledge on how to do the extraction part.

Any advice/help is greatly appreciated.


RE: Deceased Brother's Veracrypt - Snoopy - 02-21-2024

there is a wiki entry on true/veracrypt

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_veracrypt_volumes

the problem is you need direkt access to the disk, is the account you are into an admin account? if yes you could use some hex editor like hxd to extract the needed binary data and then use the veracrypt2hashcat.py located under tools to extract all hashes for an attack (i your case i would extract the first 5 mb from each physical disk and then run the script with all possible offsets (normal, boot, boot+hidden) this ways you should obtain some empty hashes but also the real ones

BUT: if the brother used a PIM other than the standard you will never crack the pass