11-03-2017, 08:51 PM
(11-03-2017, 01:27 PM)philsmd Wrote: Are you sure that you read the guide? See https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
It basically follows the same steps that are also used for TrueCrypt. That means that if you have a boot volume you need to extract 512 bytes from offset 31744 (62 * 512).
Your offset from the picture (0xd000 = 53248) is not the correct offset.
Btw. you also need to know if hmac-ripemd160 or hmac-sha256 was used to encrypt the boot volume (in addition to the Twofish-Serpent algo), for all details see the output of --help (and have a look at all the 137XY = VeraCrypt hash types that are supported).
Offset 31744 is “00000000000000” until offset 53248.
I think that was sha-512.
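Added example, not part of either post above: a Python sketch of the extraction step from the quoted reply (512 bytes at offset 62 * 512 = 31744) that also reports the zero-filled case described in the answer. The function names and the sample images are hypothetical and constructed for illustration.

```python
import io

SECTOR = 512
BOOT_HEADER_OFFSET = 62 * SECTOR  # 31744, the offset given in the quoted reply


def read_boot_header(img):
    """Return the 512 bytes at offset 31744 of a seekable binary stream."""
    img.seek(BOOT_HEADER_OFFSET)
    data = img.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError("image too short to hold a boot volume header")
    return data


def first_nonzero_sector(img, start=BOOT_HEADER_OFFSET, limit=2048 * SECTOR):
    """Offset of the first sector in [start, limit) with a non-zero byte, else None."""
    img.seek(start)
    offset = start
    while offset < limit:
        sector = img.read(SECTOR)
        if not sector:
            return None
        if any(sector):
            return offset
        offset += SECTOR
    return None


def check_image(img):
    """Classify the sector at 31744 as a header candidate or as zero-filled."""
    header = read_boot_header(img)
    if any(header):
        return {"status": "candidate", "header": header}
    # An all-zero sector cannot be an encrypted header. Where data resumes is
    # reported for diagnosis only; the quoted reply says 0xd000 is not the
    # correct offset, so that later sector is not treated as the header.
    return {"status": "zero-filled", "next_data": first_nonzero_sector(img)}


# Constructed sample images (not real volumes): 512 patterned bytes placed
# at a chosen offset, zeros everywhere else.
PATTERN = bytes(range(256)) * 2


def sample_image(data_offset):
    return bytes(data_offset) + PATTERN + bytes(SECTOR)


if __name__ == "__main__":
    print(check_image(io.BytesIO(sample_image(BOOT_HEADER_OFFSET)))["status"])
    print(check_image(io.BytesIO(sample_image(0xD000))))
```

With a real disk image, pass `open(path, "rb")` to `check_image` and write the returned `header` bytes to a file only when the status is `candidate`.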