+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Truecrypt backup header? (/thread-12495.html)
Truecrypt backup header? - 42 - 02-04-2025
Greetings,
I'm working on a standard TrueCrypt container and managed to extract the header (and header hashes) with:
dd if=container of=container.hash bs=512 count=1
That's the 1st 512 bytes and the extracted "hash" i.e. header file works just fine with the known password of a container I test it with (same result as with the container).
Now I would like to do the same with the backup header, it seems from forums it is subposed to be at the last 512 bytes of the container but this does not bear fruit.
I am wondering if anyone has experience with this and knows the exact location of the backup header for a default setting TrueCrupt container?
Many thanks!
Martin
RE: Truecrypt backup header? - b8vr - 02-04-2025
This is from the official documentation of veracrypt. I guess it also goes for older truecrypt. Not sure if your answer is here:
Note: For system encryption, there is no backup header at the end of the volume. For non-system volumes, a shrink operation is done first to ensure that all data are put at the beginning of the volume, leaving all free space at the end so that we have a place to put the backup header. For system partitions, we can't perform this needed shrink operation while Windows is running and so the backup header can't be created at the end of the partition. The alternative way in the case of system encryption is the use of the Rescue Disk.
Note: A backup header (embedded or external) is not a copy of the original volume header because it is encrypted with a different header key derived using a different salt (see the section Header Key Derivation, Salt, and Iteration Count). When the volume password and/or keyfiles are changed, or when the header is restored from the embedded (or an external) header backup, both the volume header and the backup header (embedded in the volume) are re-encrypted with header keys derived using newly generated salts (the salt for the volume header is different from the salt for the backup header). Each salt is generated by the VeraCrypt random number generator (see the section Random Number Generator).
RE: Truecrypt backup header? - b8vr - 02-04-2025
Looking at the format specs, it's not the last 512 bytes:
https://veracrypt.eu/en/VeraCrypt%20Volume%20Format%20Specification.html
The offset of the backup header is the size minus 131072 bytes. And then you grab 512 bytes from there.
RE: Truecrypt backup header? - 42 - 02-04-2025
Yes exactly for standard TrueCrypt files without hidden volumes:
Primary header: 1st 512 bytes
Backup header: 512 bytes starting at last byte-131072
They are not identical as the SALT differs.
Kindest wishes,
Martin