Extracting binary data from TrueCrypt Boot Volume and Cracking
#1
I've recently been asked to give a shot at cracking a TrueCrypt boot volume.  Having never done so before, I just wanted to sanity check what I've done.

To extract the binary data needed for the crack, I ran the following:

dd if=/dev/sdc of=/path/to/file.tc bs=1 skip=31744 count=512

Since this is a boot volume, the data should be at offset 31744 - according to the Wiki, the last sector of the first track.  We're extracting 512 bytes to give to cudaHashcat.

To crack it, we would then run:
./cudaHashcat64.bin -a 0 -m 6241 /path/to/file.tc /path/to/wordlists/

Assuming I was given the correct information and that the volume uses RIPEMD-160 and AES.

Like I said, since this is the first TrueCrypt volume I've run, I just want to make sure I did this right.  Thanks all.
#2
I already realized the error I made. dd should be:

dd if=/dev/sdc of=/path/to/file.tc bs=512 skip=62 count=1

I reversed count and bs, and skip should be number of sectors rather than bytes.
#3
The resulting data should be the same, or not?
#4
I thought skip uses the ibs rather than the bs, and ibs defaults to 512. I could be wrong though.
#5
So I'm sure I have the right dd command for a boot volume now. However, it turns out this is simply an encrypted physical drive, not a system drive - why you'd do that to a 2 TB external USB is beyond me, but thats the situation I'm in. According to the wiki, I need to grab the last sector of the first logical volume. However, there is no partition table in a TrueCrypt encrypted disk, at least not in front of the encryption. How do I go about finding a logical volume if fdisk simply tells me there is no partition table?
#6
Figured it out, just pulled the first 512 on the disk.