5

I encrypted (with TrueCrypt) all my hard drives and had the passwords stored in an encrypted file on my USB disk. The passwords are all (except one) 50 character randomly-generated ciphers, there's no way I could remember them. I decided that I wanted to securely wipe my USB disk real fast so I put the passwords file on my hard drive for a moment, ran TrueCrypt on the USB drive to perform a secure wipe, then re-formatted it with Windows to be used as a non-encrypted drive. As I was about to move the passwords file back to the drive, there was a freak power outage (at 12:30am on a calm, clear night)... Suffice it to say, my computer shut off, my passwords file is still on the encrypted disks, and now all 4 of my disks I've used for the past 10 years remain inaccessible to me.

I'm guessing the answer is no, but is there any reasonable way I could decrypt my disk, esp. knowing which algorithms and such which were used? Also, one of the disks has a password that is basically a sentence with a few extra random characters. I remember about 95% of this sentence. Is there a way I could brute force it without having to click Auto-Mount, Enter the password, wait for it, click ok, and repeat with 1 character different?

stoicfury
  • 205
  • 1
  • 2
  • 8
  • no, knowing used algorithms won't help. Passphrase generation should be relatively straight forward with python, but as I never used TrueCrypt, I can't really help you with automating it. – Hubert Kario Jul 07 '13 at 08:31
  • 2
    @HubertKario Wrong. Knowing the used algorithms does help. Specialized software solutions to this problem use the algorithm information (if available) to speed up their scanning process. In fact, when it comes to cryptography, **all** information you can get helps: the algorithm, part of the password, the password length, ... all that can help recover lost keys. Mind you, I'm not saying it'll be much easier when you have such information, but it does have value. – e-sushi Jul 07 '13 at 15:58

2 Answers2

11

In good crypto systems (like TrueCrypt), knowing the encryption algorithm should not give you any advantage in cracking the encryption, and indeed it doesn't. For all of your randomly-generated passwords, it's safe to say that the encrypted disks will remain encrypted forever; you'll never be able to brute-force the key/password.

As for your other password (the one made out of a sentence), you can generate a wordlist using any programming language with which you're familiar, and then feed it to TrueCrack which will automate the process for you.

Adi
  • 43,953
  • 16
  • 137
  • 168
  • 2
    TrueCrack is probably not the best tool. It's extremely slow. The best method would be to look at the header format TrueCrypt uses, and use that to extract the hash. You can run that through a much, much more efficient tool like hashcat or oclhashcat, which TrueCrack cannot hold a candle up to (seriously, they will be doing 100+ mhash/s while TrueCrack will be doing a few khash/s on a given, powerful system). – forest Apr 08 '16 at 01:24
2

I doubt you will be able to recover your encrypted data by other means than brute-forcing... and that will take ages.

To have any other chance, you would need memory dumps and/or hibernation files from your PC; meaning you would have to get a memory dump from your running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, you would need a copy of the hibernation file(s) as soon as your system is turned off. If, you could try to use specialized tools like “Elcomsoft Forensic Disk Decryptor” which claim to be able to acquire the necessary decryption keys by analyzing memory dumps and/or by deriving them from the hibernation file(s).

Besides the fact that such software comes at a price, I personally have had mixed experiences with this approach and can't really recommend it as the practical results are pretty bad.

You could as well try to recover the bytes of your deleted password-text-file from disk. Chances that those bytes aren't overwritten are actually higher than the chances you'll be able to recover the keys from (memory or file) dumps with specialized software.

So, your options boil down to a number of 3:

  1. You try to (partly or completely) "undelete" the "deleted" password-text-file by using a byte-by-byte approach, trying to recover the "deleted" bytes directly from disk. Chances that that will work highly depend on your system usage and if the disk sectors have been overwritten in the mean time.
  2. You try to "brute-force" your way into the encrypted images and will spend the next few years running a dedicated system trying to do so. Since you have partial knowledge about the passwords you used (like length and symbols), you might tend to go down this road. If, you could take a look at the tools mentioned in another, related question here at security.SE. That might help, but isn't a guarantee as you used pretty strong passwords. Time is your enemy here.
  3. You take a red marker and draw a big, fat circle around the date where you deleted your passwort-text-file. Then, write "Next time, I should at least have a backup of my passwords on some USB stick or something" and learn from the experience. It's probably the most depressing option, but it's also the most realistic and the least time-wasting one.

I'm sorry I can't give you too much hope... but at least I could give you some good options you could try.

Good luck!

Community
  • 1
e-sushi
  • 1,286
  • 2
  • 14
  • 41