zenon/digital-forensics-truecrypt
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Tobias Eidelpes 2021-10-24 16:27:52 +02:00
commit b5c2669ec8
5 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
*.pdf
*.aux
*.fdb_latexmk
*.fls
*.log
*.synctex.gz
*.out

1
pw.txt Normal file
View File

@ -0,0 +1 @@
91509

100
report.tex Normal file
View File

@ -0,0 +1,100 @@
\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\setlength{\parindent}{0pt}
\title{Truecrypt Report}
\author{Tobias Eidelpes 01527193}
\date{\today}
\begin{document}
\maketitle
\section{Introduction}
This report is about a password encrypted container which contains sensitive
information. The password required to open the container should be found and the
information inside shared. The purpose of this report is to analyze the
container, investigate whether the password can be cracked, draw conclusions
about the security of the container and document all findings in the process.
\section{Setting}
An encrypted truecrypt container has been created and downloaded from the
website~\footnote{\url{https://seclva.ifs.tuwien.ac.at/forensics/mktruecrypt.php}}
provided in the assignment on October 14, 2021. This website allows a truecrypt
container to be generated which is secured with a password. The password is
randomly generated by the website, but properties such as the length and
character set of the password can be defined beforehand. Additionally, the
student id has to be submitted with the length and character set. In this case
the truecrypt container is secured with a five digit password. Upon successful
download we receive a file called \texttt{tc01527193.tc}~\footnote{sha256sum:
d49b99389f62fc248f88721eac28a40b478ccd16d3a3828dc3d220f24fa6b344}. This file
marks the encrypted container. On a Linux operating system the container can be
mounted using the following command:
\begin{verbatim}
$ sudo cryptsetup --type tcrypt open tc01527193.tc sdd
\end{verbatim}
This immediately opens a prompt where the password has to be submitted. We have
therefore confirmed that the container is indeed encrypted. The next task is to
find the password for the container. Truecrypt secures containers by default
using the RIPEMD-160 hash function and the XTS encryption mode. Since the
password is randomly generated and relatively short, the password can be found
by trying all possible combinations of five digits (=bruteforcing). The
container is passed to Hashcat~\footnote{\url{https://hashcat.net/hashcat/}}
(version 6.2.4) to crack the password:
\begin{verbatim}
$ hashcat -a 3 -m 6211 tc01527193.tc "?d?d?d?d?d"
\end{verbatim}
After 1 second at a hashrate of approximately 75000 H/s on an AMD GPU RX480, the
password is revealed to be \texttt{91509}. The container can now be opened
decrypted and mounted under Linux with:
\begin{verbatim}
$ sudo cryptsetup --type tcrypt open tc01527193.tc container
$ sudo mount /dev/mapper/container /mnt
\end{verbatim}
The directory \texttt{/mnt} now contains the contents of the container. There
are three files in it: \texttt{awesome.jpg}, \texttt{secret.txt} and
\texttt{wasted.jpg}. The two image files picture Spongebob under a rainbow
(\texttt{awesome.jpg}~\footnote{sha256sum:
7d8355b740c5f07e4c4ed682374867dbbcd7921297bb6139a59d36ed94575949}) and Spongebob
with Patrick (\texttt{wasted.jpg}~\footnote{sha256sum:
c3d05ee9e7eb5e14aaf87365afc88b3261820325df6a8eed37e11a5a092ebb5a}). The third
file (\texttt{secret.txt}~\footnote{sha256sum:
cab63727fe97d8a25326cefc46346007941151a6c2c81708b74f0cf5f78d94b7}) contains the
text
\begin{verbatim}
2ca0841020b08bffa9eb1c056ff3ab4b31f144b229
\end{verbatim}
\section{Analysis}
Due to the password being relatively short at five digits, it is very easy to
crack. In a real-world scenario passwords usually contain at least seven
characters and not just digits but also alphanumeric characters. A seven digit
password is crackable in around 133 seconds with a hashrate of 75000 H/s. If
only lowercase characters are used and the password is still seven characters
long, it takes around one day and six hours to crack the password. If uppercase
and lowercase chracters as well as digits are possible, the password is cracked
in about 544 days. A password which secures the container for at least 10 years
and is only made up of digits requires a length of at least 14. If lowercase and
uppercase characters and digits are used, the password has to be at least 8
characters long. These are all upper bounds, because the password might be
cracked earlier if the cracker is lucky and the password is one of the earliest
combinations which the computer tries. From these numbers it is possible to give
a recommendation for secure passwords. Passwords should be randomly generated,
at least eight characters long and contain lowercase and uppercase letters as
well as digits. This provides robust protection from crackers for a century.
\end{document}

1
secret.txt Normal file
View File

@ -0,0 +1 @@
2ca0841020b08bffa9eb1c056ff3ab4b31f144b229

BIN
tc01527193.tc Normal file
View File

Binary file not shown.