Our entry for TrueCrypt has a HUGE number of comments concerning corrupted volumes. Our site even shows up on the first page when you type "truecrypt recovery" in Google.
I tried a while back to get people to post to the forums about it, but that of course didn't happen. Obviously people frustrated with data loss needed to vent and that's cool -- I didn't exactly provide solutions.
Recently, while looking into encryption alternatives for PGP Whole Disk Encryption (which some friends were having problems with) I started looking into how to recover corrupted TrueCrypt volumes. Although I've been using TC daily for years and had no problems, with a large organization there's always going to be drive and other types of failures that will mean lost data so preparation for failure is necessary to even suggest an alternative. Although the TrueCrypt FAQ suggests using Windows' own tools (chkdsk), another solution was something that we already host: TestDisk. Also, TestDisk could be used for Mac and Linux users, whereas TrueCrypt's site doesn't list anything besides Windows repair tools.
TrueCrypt recovery
Re: TrueCrypt recovery
webfork wrote: Recently, while looking into encryption alternatives for PGP Whole Disk Encryption (which some friends were having problems with) I started looking into how to recover corrupted TrueCrypt volumes. Although I've been using TC daily for years and had no problems, with a large organization there's always going to be drive and other types of failures that will mean lost data so preparation for failure is necessary to even suggest an alternative. Although the TrueCrypt FAQ suggests using Windows' own tools (chkdsk), another solution was something that we already host: TestDisk.
First of all, such tools only help you if the filesystem inside the TrueCrypt container is corrupted. Judging from the comments of the TrueCrypt entry, most people who have problems are unable to mount the container.
In addition, TestDisk seems to fix different problems than chkdsk.
webfork wrote: Also, TestDisk could be used for Mac and Linux users, whereas TrueCrypt's site doesn't list anything besides Windows repair tools.
Linux repair tools
My YouTube channel | Release date of my 13th playlist: August 24, 2020
Re: TrueCrypt recovery
SYSTEM wrote: Linux repair tools
Good add, thanks.
Re: TrueCrypt recovery
https://windowssecrets.com/top-story/le ... n-systems/
...a new, $300, wizard-driven app can unlock BitLocker-, PGP-, and TrueCrypt-encrypted files, folders, and drives — no matter how strong a password you’re using.
Very nice read.
Re: TrueCrypt recovery
I just noticed this thread. It would be interesting to know if the corrupted volumes were not properly unmounted or were auto-unmounted/forced unmount.
For some reason this past week there have been some extra articles/news regarding memory dumping; I had even coincidentally* searched for it before reading the ghacks article. DumpIt is a command line app that creates a memory dump, or Mandiant Memoryze + Audit Viewer. There was an article as well I stumbled upon about the Maid tool http://theinvisiblethings.blogspot.com/ ... crypt.html
The question is how likely the memory dump is going to contain the keys (if hibernation is not used).
Are there any utilities to "clear the RAM" for example after an encrypted volume has been unmounted or the system is shutting down?
Re: TrueCrypt recovery
Marc wrote: Are there any utilities to "clear the RAM" for example after an encrypted volume has been unmounted or the system is shutting down?
I don't know of any such utility, but I find that (supported by joby_toss article reference) would make an excellent request for the TrueCrypt developers...
Re: TrueCrypt recovery
I'm pretty sure they're aware of it.
Re: TrueCrypt recovery
@guinness
Of course they are aware of RAM dumping used to retrieve TrueCrypt key files! The question is whether there is a way, easy on the eyes and easy for users to apply, of making sure their encrypted data won't be penetrated via memory dumping.
Now, according to the TrueCrypt FAQ on memory dumping, TrueCrypt is unable to clear keys from memory in system partitions/drives, "as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process."
For non-system partitions/volumes: when a non-system TC volume is dismounted, "all master keys stored in RAM are erased by the TrueCrypt driver".
Another interesting info:
Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM)
How to Clear RAM Without Restarting http://wiki.answers.com/Q/How_do_you_cl ... windows_xp
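An illustration of the documentation passage quoted in the post above (buffers that held decrypted data are not cleared when a program releases them), added here as an example and not part of any post in this thread. The pool allocator, the function names and the sample string are hypothetical stand-ins constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory: a bump allocator over a static
   pool, so leftover bytes can be inspected without undefined behaviour. */
static unsigned char pool[256];
static size_t pool_used;

static void *pool_alloc(size_t n) {
    if (n > sizeof pool - pool_used) return NULL;
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}
static void pool_release_all(void) { pool_used = 0; } /* like free(): contents stay */

/* Writes go through a volatile pointer so the compiler cannot discard them
   as dead stores to a buffer that is about to be released. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 1 if needle still appears anywhere in the pool. */
int pool_contains(const char *needle) {
    size_t len = strlen(needle);
    for (size_t i = 0; len && i + len <= sizeof pool; i++)
        if (memcmp(pool + i, needle, len) == 0) return 1;
    return 0;
}

/* A routine that loads decrypted data, works on it and returns; wipe=0 is the
   behaviour the quoted passage warns about. Returns 1 if residue remains. */
int handle_plaintext(const char *data, int wipe) {
    size_t n = strlen(data) + 1;
    char *buf = pool_alloc(n);
    if (!buf) return -1;
    memcpy(buf, data, n);              /* "work" with the unencrypted data */
    if (wipe) secure_wipe(buf, n);     /* clear before giving the memory back */
    pool_release_all();
    return pool_contains(data);
}

int main(void) {
    const char *sample = "CONSTRUCTED-SAMPLE-PLAINTEXT";
    printf("no wipe: residue=%d\n", handle_plaintext(sample, 0));
    printf("wipe:    residue=%d\n", handle_plaintext(sample, 1));
}
```
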
Re: TrueCrypt recovery
Marc wrote: Now, according to the TrueCrypt FAQ on memory dumping, TrueCrypt is unable to clear keys from memory in system partitions/drives, "as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process."
I wouldn't be worried about it. On shutdown, an attacker only has seconds before the information fades from memory.
Wikipedia wrote: The actual persistence of readable charge values and thus data in most DRAM memory cells is much longer than the refresh time, up to 1-10 seconds.
http://en.wikipedia.org/wiki/Memory_ref ... h_interval