TrueCrypt Help - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: TrueCrypt Help (/thread-6231.html)

TrueCrypt Help - Kriptoker - 01-24-2017

Hey Everyone,

I am in a really huge bind. Unfortunately one of my co-workers (head developer) passed away over the weekend. It has come to light that he had TrueCrypt on his PC, which has many programs and projects on it that were not available anywhere else. Another co-worker tried to log into his PC as our Domain Administrator account (the developer's PC was at the lock screen). It appears he had a login script that basically shut the PC down due to an account other than his logging in. Needless to say, the PC is now at the Bootloader screen asking for his TC password (which we do not have).

Is there any way to get his password out of his drive? This is, I am assuming, a full drive encryption. I have tried using the DD for Windows thing to get a .bin file, but I do not know what to do with it beyond that point.

RE: TrueCrypt Help - philsmd - 01-24-2017

I'm very sorry to hear that.

Please try with the method explained here: https://hashcat.net/faq#how_do_i_extract_the_hashes_from_truecrypt_volumes

Hope that it helps (and that the password is not too difficult!)

RE: TrueCrypt Help - Kriptoker - 01-24-2017

Thank you. He was a good guy, unfortunately he just refused to take care of his health.

I tried this command:

dd if=\\?\Device\Harddisk1\DR2 of=64.bin count=64

and I got an 'Error reading file: 87 The parameter is incorrect'. All I found online said something about the data size having an issue. So I changed the command to:

dd if=\\?\Device\Harddisk1\DR2 of=64.bin bs=4096 count=64

and I received no error and a .bin file was created. Did I do that part right?

This is where I got the command I ran: https://passcovery.com/helpdesk/knowledgebase.php?article=48 (minus the bs=4096 that I found on the DD site)

RE: TrueCrypt Help - philsmd - 01-25-2017

Wait, didn't you say it is a TrueCrypt boot volume?

If so, the command you should be using is:

Code:
dd if=...DR2 of=boot_loader.tc bs=1 skip=31744 count=512

At least this is what I get from reading the hashcat wiki ("for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes).")

RE: TrueCrypt Help - Kriptoker - 01-26-2017

Thank you, that really helped me a lot as I did not really understand what it was saying. I think/hope I have the right contents now, from the drive. I am currently running hashcat with the file, so we will see. Again, thank you.

RE: TrueCrypt Help - Kriptoker - 01-27-2017

I have a random question. I am using the brute force option, with an incrementing length. However, knowing that my co-worker would not use all numbers or all letters, or all special characters, is there a way to make the script not try these combinations? So that any and all combinations will have at least two character types? If it is in the Wiki, could you point me in the right direction please?

RE: TrueCrypt Help - philsmd - 01-27-2017

Yeah, it seems that this is the perfect use case for a mask file (see https://hashcat.net/wiki/doku.php?id=mask_attack#hashcat_mask_files) in combination with a reduced set of characters per position (see https://hashcat.net/wiki/doku.php?id=mask_attack#custom_charsets).

Depending on how the policy is that you want to apply, you also might want to look for the maskgen tool of PACK (http://thesprawl.org/projects/pack/ , which can automatically generate .hcmask files for you).

RE: TrueCrypt Help - Kriptoker - 01-27-2017

Great, thank you for the info.
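
An added example, not part of the original thread and not hashcat's own code: the boot-volume extraction quoted from the wiki above (512 bytes at offset 31744), done in Python against a raw image file, with a sanity check that the extracted bytes look random rather than empty. The function names, the 7.0 entropy threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

SECTOR_SIZE = 512
HEADER_OFFSET = 62 * SECTOR_SIZE   # 31744, the offset quoted in the thread
HEADER_SIZE = 512

def extract_boot_header(image_path, out_path):
    """Copy the 512 bytes at offset 31744 of a raw disk image to out_path."""
    with open(image_path, "rb") as img:
        img.seek(HEADER_OFFSET)
        header = img.read(HEADER_SIZE)
    if len(header) != HEADER_SIZE:
        raise ValueError(f"short read ({len(header)} bytes): image ends before the header")
    with open(out_path, "wb") as out:
        out.write(header)
    return header

def shannon_entropy(data):
    """Empirical entropy in bits per byte (0.0 for constant data, at most 8.0)."""
    n = len(data)
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(header, min_entropy=7.0):
    """Sanity check: an encrypted header is salt plus ciphertext, so it should
    look random. All-zero or low-entropy bytes point to the wrong disk or offset.
    The 7.0 threshold is an assumption chosen for 512-byte samples."""
    return len(header) == HEADER_SIZE and shannon_entropy(header) >= min_entropy

def build_constructed_image(path, sectors=128):
    """Constructed sample: zero-filled image with random-looking bytes in sector 62."""
    fake_header = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    image = bytearray(sectors * SECTOR_SIZE)
    image[HEADER_OFFSET:HEADER_OFFSET + HEADER_SIZE] = fake_header
    with open(path, "wb") as f:
        f.write(image)
    return fake_header

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        img, out = os.path.join(tmp, "disk.img"), os.path.join(tmp, "boot_loader.tc")
        build_constructed_image(img)
        header = extract_boot_header(img, out)
        print(len(header), round(shannon_entropy(header), 2), looks_encrypted(header))
```

A passing check only shows that the bytes are not obviously wrong; it does not confirm that they are a TrueCrypt header.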