Coder Social home page Coder Social logo

tcgetkey's Introduction

What is tcgetkey?
=================

This is my simple (ugly) PoC at recovering TrueCrypt keys from memory dumps 
gathered from linux systems using the FireWire bus. It will then use the
recovered keys to decrypt the volume.


It contains 2 programs:

get_mem_dump	gets the memory image via firewire
tcgetkey	scans the dump and decrypts the volume


In order to identify the keys, a new approach was employed, by calculating 
and comparing Shannon entropy of certain memory regions.

This is a very rough PoC with probably a lot of stupid bugs in the code.




How to build tcgetkey?
======================

Just run 'make'. You'll need the following:

openssl-dev		 for the AES routines
libforensic1394		 for the FireWire code


You can get OpenSSL from:
http://www.openssl.org/

You can get libforensic1394 from:
https://freddie.witherden.org/tools/libforensic1394/



How to use the tools?
=====================

You should first acquire a memory dump, by typing:

sudo ./get_mem_dump memory_dump.image

Then you should obtain the truecrypt container (e.g tc.image) and analyze it:

./tcgetkey memory_dump.image tc.image decrypted.image

If it successfully finds your keys, it would attempt to decrypt the whole volume.
You would get instructions on how to proceed, but it's basically:

losetup /dev/loopX decrypted.image
mount /dev/loopX /mnt/decrypted



Limitations
===========

tcgetkeys supports only physical memory images gathered from Linux hosts.
It is (well sort of) kernel/architecture-independent except that it only supports little-endian ones now.

Hidden volumes are not supported (this is pending further investigation).



Disclaimer
==========

DO NOT use the tools to illegally break into encrypted containers.
I am not responsible for any harm these tools can do on your systems.


Credits
=======

Freddie Witherden for writing and maintaining libforensic1394
Dhiru Kholia for his cooperation
wiki.kernel.org for their detailed documentation of the on-disk layout of EXT filesystems
Torbjörn Pettersson for his "Cryptographic key recovery from Linux memory dumps" paper.


Author
======

Milen Rangelov <gat3way-at-gat3way.eu>

tcgetkey's People

Contributors

anuxraw avatar

Stargazers

5l1v3r1 avatar

Watchers

James Cloos avatar avatar

Forkers

5l1v3r1

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.