TrueCrypt recovery

webfork
Posts: 10821
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

TrueCrypt recovery

#1 Post by webfork »

Our entry for TrueCrypt has a HUGE number of comments concerning corrupted volumes. Our site even shows up on the first page when you type "truecrypt recovery" in Google.

I tried a while back to get people to post to the forums about it, but that of course didn't happen. Obviously people frustrated with data loss needed to vent and that's cool -- I didn't exactly provide solutions.

Recently, while looking into encryption alternatives for PGP Whole Disk Encryption (which some friends were having problems with) I started looking into how to recover corrupted TrueCrypt volumes. Although I've been using TC daily for years and had no problems, with a large organization there's always going to be drive and other types of failures that will mean lost data so preparation for failure is necessary to even suggest an alternative. Although the TrueCrypt FAQ suggests using Windows' own tools (chkdsk), another solution was something that we already host: TestDisk. Also, TestDisk could be used for Mac and Linux users, whereas TrueCrypt's site doesn't list anything besides Windows repair tools.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: TrueCrypt recovery

#2 Post by SYSTEM »

webfork wrote: Recently, while looking into encryption alternatives for PGP Whole Disk Encryption (which some friends were having problems with) I started looking into how to recover corrupted TrueCrypt volumes. Although I've been using TC daily for years and had no problems, with a large organization there's always going to be drive and other types of failures that will mean lost data so preparation for failure is necessary to even suggest an alternative. Although the TrueCrypt FAQ suggests using Windows' own tools (chkdsk), another solution was something that we already host: TestDisk.
First of all, such tools only help you if the filesystem inside the TrueCrypt container is corrupted. Judging from the comments of the TrueCrypt entry, most people who have problems are unable to mount the container.

In addition, TestDisk seems to fix different problems than chkdsk.
webfork wrote: Also, TestDisk could be used for Mac and Linux users, whereas TrueCrypt's site doesn't list anything besides Windows repair tools.
Linux repair tools:
  • NTFS partitions can't be repaired under Linux.
  • FAT32 partitions can be repaired with dosfsck. However, as Microsoft has developed the FAT32 filesystem, I recommend using chkdsk instead.
  • Ext2/3/4 partitions can be repaired with e2fsck. You must use the -f switch, and I also suggest using -C 0.
My YouTube channel | Release date of my 13th playlist: August 24, 2020
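
Added example (not part of SYSTEM's post or of any project's code): a shell script that reads the signature bytes of an already-decrypted volume to tell which of the tools listed above applies, and prints the command instead of running it. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Print COUNT bytes at OFFSET of FILE as lowercase hex (empty if out of range).
hex_at() {  # usage: hex_at FILE OFFSET COUNT
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Identify the filesystem inside an already-decrypted volume by its signature.
detect_fs() {  # usage: detect_fs DEVICE_OR_IMAGE
    if   [ "$(hex_at "$1" 1080 2)" = "53ef" ];     then echo ext    # magic 0xEF53, little-endian
    elif [ "$(hex_at "$1" 3 4)" = "4e544653" ];    then echo ntfs   # OEM ID "NTFS"
    elif [ "$(hex_at "$1" 82 5)" = "4641543332" ]; then echo fat32  # type label "FAT32"
    else echo unknown
    fi
}

# Print (never run) the checker named in the post for that filesystem.
repair_cmd() {  # usage: repair_cmd DEVICE_OR_IMAGE
    case "$(detect_fs "$1")" in
        ext)   echo "e2fsck -f -C 0 $1" ;;
        fat32) echo "dosfsck $1" ;;
        ntfs)  echo "chkdsk (run from Windows)" ;;
        *)     echo "no filesystem signature found" ;;
    esac
}

# Constructed sample: a file holding only the signature bytes, not a real filesystem.
make_sample() {  # usage: make_sample FILE ext|ntfs|fat32
    case "$2" in
        ext)   printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null ;;
        ntfs)  printf 'NTFS    ' | dd of="$1" bs=1 seek=3    conv=notrunc 2>/dev/null ;;
        fat32) printf 'FAT32   ' | dd of="$1" bs=1 seek=82   conv=notrunc 2>/dev/null ;;
    esac
}

demo=$(mktemp)
make_sample "$demo" ext
repair_cmd "$demo"
rm -f "$demo"
```

Point `repair_cmd` at the decrypted device only while its inner filesystem is unmounted. A "no filesystem signature found" result matches the post's point that a filesystem checker cannot help when the container itself will not mount.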

webfork
Posts: 10821
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: TrueCrypt recovery

#3 Post by webfork »

SYSTEM wrote:Linux repair tools
Good add, thanks.

joby_toss
Posts: 2971
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: TrueCrypt recovery

#4 Post by joby_toss »

https://windowssecrets.com/top-story/le ... n-systems/
...a new, $300, wizard-driven app can unlock BitLocker-, PGP-, and TrueCrypt-encrypted files, folders, and drives — no matter how strong a password you’re using.
Very nice read. :)

Marc
Posts: 165
Joined: Sun May 15, 2011 6:06 pm

Re: TrueCrypt recovery

#5 Post by Marc »

I just noticed this thread. It would be interesting to know if the corrupted volumes were not properly unmounted or were auto-unmounted/forced unmount.

For some reason this past week there have been some extra articles/news regarding memory dumping; I had even coincidentally* searched for it before reading the ghacks article. DumpIt is a command line app that creates a memory dump, or Mandiant Memorizer + Audit Viewer. There was an article as well that I stumbled upon about the Maid tool http://theinvisiblethings.blogspot.com/ ... crypt.html

The question is how likely the memory dump is going to contain the keys (if hibernation is not used).
Are there any utilities to "clear the RAM" for example after an encrypted volume has been unmounted or the system is shutting down?

Midas
Posts: 6726
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: TrueCrypt recovery

#6 Post by Midas »

Marc wrote:Are there any utilities to "clear the RAM" for example after an encrypted volume has been unmounted or the system is shutting down?
I don't know of any such utility, but I find that (supported by joby_toss's article reference) would make an excellent request for the TrueCrypt developers...

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: TrueCrypt recovery

#7 Post by guinness »

I'm pretty sure they're aware of it.

Marc
Posts: 165
Joined: Sun May 15, 2011 6:06 pm

Re: TrueCrypt recovery

#8 Post by Marc »

@guinness
Of course they are aware of RAM dumping used to retrieve Truecrypt key files! The question is whether there is an easy on the eyes of the users to apply way of making sure their encrypted data won't be penetrated via memory dumping.

Now according to Truecrypt FAQ in Memory Dumping Truecrypt is unable to clear keys from memory in system partitions/drives. "as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process."

For non-system partitions/volumes: when a non-system TC volume is dismounted, "all master keys stored in RAM are erased by the Truecrypt driver". :)

Another interesting info:
Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM)
How to Clear RAM Without Restarting http://wiki.answers.com/Q/How_do_you_cl ... windows_xp

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: TrueCrypt recovery

#9 Post by SYSTEM »

Marc wrote: Now according to Truecrypt FAQ in Memory Dumping Truecrypt is unable to clear keys from memory in system partitions/drives. "as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process."
I wouldn't be worried about it. On shutdown, an attacker only has seconds before the information fades from memory.
Wikipedia wrote: The actual persistence of readable charge values and thus data in most DRAM memory cells is much longer than the refresh time, up to 1-10 seconds.
http://en.wikipedia.org/wiki/Memory_ref ... h_interval