Location of TrueCrypt Hidden OS Header
#1
The TrueCrypt documentation states that the location of a non-hidden header is the last 512 bytes of the first logical track of the system drive (Sector 62, 0x7C00).

Quote:Note: When you enter a pre-boot authentication password, the TrueCrypt Boot Loader first attempts to decrypt (using the entered password) the last 512 bytes of the first logical track of the system drive (where encrypted master key data for non-hidden encrypted system partitions/drives are normally stored). If it fails and if there is a partition behind the active partition, the TrueCrypt Boot Loader (even if there is actually no hidden volume on the drive) automatically tries to decrypt (using the same entered password again) the area of the first partition behind the active partition** where the encrypted header of a possible hidden volume might be stored. Note that TrueCrypt never knows if there is a hidden volume in advance (the hidden volume header cannot be identified, as it appears to consist entirely of random data). If the header is successfully decrypted (for information on how TrueCrypt determines that it was successfully decrypted, see the section Encryption Scheme), the information about the size of the hidden volume is retrieved from the decrypted header (which is still stored in RAM), and the hidden volume is mounted (its size also determines its offset). For further technical details, see the section Encryption Scheme in the chapter Technical Details.

For a hidden OS, TrueCrypt will attempt to decrypt the non-hidden header first, then it will try to decrypt the area of the first partition behind the active partition. Where exactly is the location of the 512 bytes that can be used by Hashcat to decrypt the hidden header?
#2
I believe the answer is in the FAQ

https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
#3
I've read it, but that is referring to hidden volume of a container.

Quote:If TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.

That does not work with encrypted operating systems.
#4
Did you try from the beginning of the disk or the beginning of the truecrypt boot volume? I think that skip is relative to the beginning of the truecrypt volume.

(07-14-2017, 07:20 PM)Aubie Wrote: I've read it, but that is referring to hidden volume of a container.

Quote:If TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.

That does not work with encrypted operating systems.
#5
I tried both offset 0x1000 (65536 bytes after the beginning of the disk) and 0x17C00 (65536 bytes after the non-hidden volume header). Neither work.
#6
I'm not sure why you are even trying to "brute-force" the offset.
The instructions are very clear: if the whole disk (operating system) is encrypted i.e. the system starts with the special boot loader (a so called boot volume), "you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes)." as the FAQ already says https://hashcat.net/faq#how_do_i_extract...pt_volumes
#7
The FAQ does not describe where to find a hidden OS volume header.
#8
As said in the description, a hidden OS requires another partition on the disk. It's probably the first 512 bytes of that second partition or the 512 bytes at sector 62 of that disk. Should be easy to find out by trying.
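Added example, not part of the thread and not hashcat or TrueCrypt code: a script that parses the MBR of a raw disk image, finds the partition behind the active one, and pulls out every 512-byte candidate the thread mentions (sector 62 for the non-hidden system header; the first sector of the partition behind the active partition; and 64 KiB into that partition, the skip the FAQ gives for hidden volumes). It assumes a classic MBR layout (partition table at 0x1BE, bootable flag 0x80, little-endian LBA start at entry offset 8); the disk image, partition layout and planted random blocks are constructed for the demo. Which candidate is the real hidden-OS header is exactly what the thread leaves open, so the script does not decide it; it only reports a Shannon entropy per candidate, since a TrueCrypt header looks like random data and a block of zeros cannot be one, then leaves the decryption attempt to hashcat.

```python
"""Extract 512-byte TrueCrypt header candidates from a raw disk image (added example)."""
import random
import struct
from collections import Counter
from math import log2

SECTOR = 512
MBR_TABLE = 0x1BE
SYSTEM_HEADER_OFFSET = 62 * SECTOR   # 31744 (0x7C00): non-hidden system header per the hashcat FAQ
HIDDEN_HEADER_SKIP = 65536           # the 64 KiB skip the FAQ gives for hidden volumes


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE + 16 * i: MBR_TABLE + 16 * (i + 1)]
        flag, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype and sectors:
            parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def partition_behind_active(parts: list):
    """Return (active, behind): the first partition that starts after the active one, or None."""
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    act = active[0]
    behind = [p for p in parts if p["lba_start"] > act["lba_start"]]
    return act, (min(behind, key=lambda p: p["lba_start"]) if behind else None)


def candidate_offsets(parts: list) -> dict:
    """Byte offsets from the start of the disk that the thread suggests trying."""
    _, nxt = partition_behind_active(parts)
    cands = {"system_header_sector62": SYSTEM_HEADER_OFFSET}
    if nxt is not None:
        base = nxt["lba_start"] * SECTOR
        cands["behind_active_start"] = base                        # post #8: first 512 bytes of that partition
        cands["behind_active_plus_64k"] = base + HIDDEN_HEADER_SKIP  # FAQ's hidden-volume skip, relative to the partition
    return cands


def entropy_bits_per_byte(block: bytes) -> float:
    """Shannon entropy: an encrypted header is close to 8 bits/byte, unused space is not."""
    n = len(block)
    return -sum(c / n * log2(c / n) for c in Counter(block).values()) if n else 0.0


def extract_candidates(image: bytes) -> dict:
    """name -> (offset, 512-byte block, entropy) for every candidate that fits inside the image."""
    out = {}
    for name, off in candidate_offsets(parse_mbr(image[:SECTOR])).items():
        block = image[off: off + SECTOR]
        if len(block) == SECTOR:
            out[name] = (off, block, entropy_bits_per_byte(block))
    return out


def build_sample_image() -> bytes:
    """Constructed disk image (assumption, not a real TrueCrypt disk): active partition at LBA 63,
    second partition at LBA 2048, random-looking blocks planted at sector 62 and 64 KiB into
    the second partition; the second partition's first sector is left as zeros."""
    rng = random.Random(2017)
    rnd = lambda: bytes(rng.getrandbits(8) for _ in range(SECTOR))
    img = bytearray(2048 * SECTOR + HIDDEN_HEADER_SKIP + SECTOR)

    def entry(flag, ptype, lba, count):
        return bytes([flag, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)

    img[MBR_TABLE:MBR_TABLE + 32] = entry(0x80, 0x07, 63, 2048 - 63) + entry(0x00, 0x07, 2048, 129)
    img[510:512] = b"\x55\xaa"
    img[SYSTEM_HEADER_OFFSET:SYSTEM_HEADER_OFFSET + SECTOR] = rnd()
    hidden = 2048 * SECTOR + HIDDEN_HEADER_SKIP
    img[hidden:hidden + SECTOR] = rnd()
    return bytes(img)


if __name__ == "__main__":
    for name, (off, block, ent) in extract_candidates(build_sample_image()).items():
        # high entropy: plausibly a header, write the block to a file and hand it to hashcat;
        # ~0 bits/byte: unused space, skip it
        print(f"{name:26s} offset={off:<9d} (0x{off:X}) entropy={ent:.2f} bits/byte")
```

On a real disk image, read the first sector for `parse_mbr`, then `seek` to each offset from `candidate_offsets` and read 512 bytes (or the equivalent `dd if=disk.img of=hdr.bin bs=1 skip=<offset> count=512`) and try each resulting file with hashcat; the entropy figure only rules out blocks that cannot be a header, it cannot tell a hidden header from any other random-looking sector.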