The RAM imaging and key extraction attack described in this publication is aimed at live system analysis. Who is going to win this round? Applicability A recent change in VeraCrypt made OTF key extraction harder, while the latest update to Elcomsoft Forensic Disk Decryptor attempts to counter the effect of the change. VeraCrypt has no known weaknesses except one: once the encrypted disk is mounted, the symmetric, on-the-fly encryption key must be kept in the computer’s RAM in order to read and write encrypted data. Supporting more encryption algorithms, more hash functions and a variable number of hash iterations, VeraCrypt is the default choice for the security conscious. I guess the rescue environment allows you to do this whereas the GUI version doesn't.

Released back in 2013, VeraCrypt picks up where TrueCrypt left off. So it didn't matter that the rescue disk was created on a completely different system - I knew the password, the disk wasn't damaged or corrupt - all I wanted to do was decrypt it permanently with the password. The reason it worked in this case - I think - is because I didn't need to restore the master key or the headers of the encrypted disk.

It's interesting to see lots of people saying "this isn't possible", but it worked.

From my very limited knowledge of VeraCrypt, I believe there is confusion arising from the fact that I was able to use a rescue disk created from one system to decrypt a system disk encrypted on a different system. Note: In my case it had a ridiculously long ETA (8 days) but it finished within an hour. The decryptor will find the disk matching the password and decrypt it permanently. In that case I guess it would probably try to decrypt the wrong disk, or all the disks with that password.

Choose the d decrypt option and enter your encrypted disk's password.
Note: I recommend you unplug all other disks from the system to make this process easier, although the program will apparently work just fine as long as you don't have more than one VeraCrypt-encrypted disk plugged in with the same password. Place the EFI folder from your generated rescue disk onto that bootable USB drive.

Boot the USB drive on your original computer with the encrypted disk attached (the one which you want to permanently decrypt). Alternatively you can probably use Rufus or something to do this. Use VeraCrypt's tool called VeraCryptUsbRescueDisk.zip to format a bootable USB drive. Launch VeraCrypt and choose System -> Create Rescue Disk and save it somewhere. I was able to do this in the end by following this procedure:

First you need a bootable VeraCrypt rescue disk but this can be created from any unrelated computer running a VeraCrypt-encrypted system disk:

Boot a different computer which has a VeraCrypt-encrypted system drive (annoying but necessary, apparently, since VeraCrypt doesn't supply the rescue ISO as a download anywhere for some reason).

but I'd rather avoid that since I don't have a third disk with enough free space to store all the unencrypted data. I know I could simply mount the partitions individually on a working machine, copy the decrypted data to a third disk manually, then completely erase/format the encrypted disk and copy the unencrypted data back to it. does anyone know if it's possible to permanently decrypt a "foreign" system disk on another computer without using the original rescue disk? I don't care about the bootloader; I don't need the decrypted disk to be bootable, or if I do, I can add a regular MBR to it using something like Macrium Reflect. However I would like to permanently decrypt all the partitions on the disk and it seems VeraCrypt doesn't let you do that on a "foreign" system disk.