Attacking TrueCrypt Containers

TCHead decrypts and verifies the information in a TrueCrypt container’s header. Containers can range from files to copied system volumes from fully-encrypted hard drives. For this, you do of course need the password. If you don’t have the right one, TCHead can run through a word list. Unlike cracking tool John the Ripper, however, it is not able to systematically vary these details by, for example, converting lower case letters to upper case or converting letters to leetspeak.

Still faster than doing it by hand – TCHead tests out different passwords. TCHead also carries out this kind of dictionary attack very, very slooooooowly. In tests on a fairly fast computer, the tool required about a minute to run through 1,000 candidate passwords. By comparison, password crackers usually measure their speed in millions of attempts per second. This poor performance is largely due to the fact that TrueCrypt saves keys for testing internally using Password-Based Key Derivation Function 2 (PBKDF2), which is specifically designed to slow down these types of brute-force attacks.

TCHead is able to deal with standard encryption algorithms such as AES, Serpent and Twofish. TrueCrypt, however, also offers the option of using cascaded algorithms such as a combination of AES and Serpent. Our attempts to deploy TCHead against a combination container failed, with no error message, even though the target password was in the word list. The tool does not currently support mixed encryption algorithms, but that this is on their to-do list.

A statically linked Linux binary and source code, which we were able to compile under Ubuntu 12.04 LTS with a little tinkering, are available to download from the project’s site. There is also a script for building a Windows version using the g++ compiler, though we have not tested this.

In summary, TCHead is a useful addition to any forensic IT specialist’s collection and is one of the few available options for tackling encrypted TrueCrypt containers. But don’t expect too much: if the targeted TrueCrypt user followed even basic password rules, you don’t stand a chance.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s