TrueCrypt Boot 7.1a Hash Extraction

[timi2shoes]

I am testing cracking the password of a known boot drive with oclhc but have been unable to get it working correctly.

Command used

Code:

oclHashcat64.exe -m 6241 c:\inputfile-512b c:\test-words

I created a dd of the whole drive and have tried every combination of the 512 hash from the drive. I have taken the 512 bytes from the beginning of the drive, the end of the drive. The beginning and end of the first partition. The beginning and end of the 2nd partition.

I have been carving out the data to test using FTK Imager.

  tree.JPG (Size: 12.52 KB / Downloads: 38)

  truecrypt-info.JPG (Size: 8.99 KB / Downloads: 34)

As a side note, I have been able to test extracting the password correctly with other tools which required the first 64KB at the MBR.

Can anyone tell me what I might be doing wrong?

[coolbry95]

have you tried this?

FAQ truecrypt

[timi2shoes]

Yes, I did. That is why I tried every 512 byte possible combination.

From the tree.jpg photo I have attached. Where should I have carved the 512 bytes?

[undeath]

I'm not sure if pre-boot authentication is even supported.

[timi2shoes]

Ok, so I found the correct byte offset. Starting at the first of the drive wrote a program that ran through and tested 512 byte chunks at a time. The hash succeeded at Sector 62 byte offest 31744.

Thanks to philsmd for pointing me where to start searching.

So it seems, the volume header is stored in the last sector of the first track of the encrypted system drive.

[trilsbit]

i thinks it's fanatsic that you went through that trouble. thank you very much for your efforts.

i remember going nuts when i tried this. everthing worked container, non-system, but the boot setup never did.

would you mind, posting more info on how you managed to find it? like some pictures or even the script you wrote?

that would be very nice. thanks for your efforts.