TrueCrypt and VeraCrypt

When you want to use encryption, there are a lot of options available. The two big names for Windows-based systems are BitLocker and TrueCrypt. I have discussed BitLocker before in my post Encryption: BitLocker forensics; TrueCrypt, however, is a different story.

TrueCrypt

TrueCrypt is a discontinued freeware utility used for on-the-fly encryption. It can create an encrypted volume contained within a file or encrypt complete (system) partitions. On 28-05-2014 the developer announced that it was no longer safe to use TrueCrypt. Several audits have been performed on TrueCrypt but no critical flaws have been discovered. After this announcement, the French company IDRIX released VeraCrypt, a fork of TrueCrypt.

VeraCrypt

According to its developer, VeraCrypt adds enhanced security to the algorithms used for system and partition encryption, making it immune to new developments in brute-force attacks. VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt.

As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas VeraCrypt uses 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

Encryption

TrueCrypt performs on-the-fly encryption. On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. The data stored on an encrypted volume can’t be decrypted without the correct encryption key (password/key file). Not only the data but the entire filesystem, including filenames, free space, metadata, etc., is encrypted.

Encryption Scheme

When mounting an encrypted volume or when performing pre-boot authentication, the following steps are performed:

Step 1.
The first 512 bytes of the volume are read into RAM, out of which the first 64 bytes are the salt. For system encryption, the last 512 bytes of the first logical drive track are read into RAM.

Step 2.
Bytes 65536–66047 of the volume are read into RAM. For system encryption, bytes 65536–66047 of the first partition located behind the active partition are read. If there is a hidden volume within this volume, we have read its header at this point; otherwise, we have just read random data.

Step 3.
Now, TC/VC attempts to decrypt the standard volume header read in step 1. All data used and generated in the course of the process of decryption are kept in RAM. Because the volume does not contain any information about the used parameters when the volume was created, the parameters have to be determined through the process of trial and error:

PRF
PRF used by the header key derivation function, which can be one of the following:
– HMAC-RIPEMD-160
– HMAC-SHA-512
– HMAC-Whirlpool
– HMAC-STREEBOG (VeraCrypt only)
– HMAC-SHA-256 (VeraCrypt only)

Password
A password entered by the user and the salt read in step 1 are passed to the header key derivation function, which produces a sequence of values from which the header encryption key and secondary header key (XTS mode) are formed. These keys are used to decrypt the volume header.

Encryption algorithm
During volume creation one of the following encryption algorithms can be selected:
– AES-256
– Serpent
– Twofish
– AES-Twofish
– AES-Twofish-Serpent
– Serpent-AES
– Serpent-Twofish-AES
– Twofish-Serpent
– Camellia (VeraCrypt only)
– Kuznyechik (VeraCrypt only)

Mode of operation
Before decryption, the mode of operation needs to be detected. While LRW and CBC are still supported during decryption, it is only possible to create new volumes using XTS.
– XTS
– LRW (deprecated/legacy)
– CBC (deprecated/legacy)

Key size
During decryption, the program has to determine the key size in order to successfully decrypt the volume.

Step 4.
Decryption is considered successful if the first 4 bytes of the decrypted data contain the ASCII string “TRUE”, and if the CRC-32 checksum of the last 256 bytes of the decrypted data (volume header) matches the value located at byte #8 of the decrypted data. If these conditions are not met, the process continues from step 3 again, but this time, instead of the data read in step 1, the data read in step 2 is used. If the conditions are not met again, mounting is terminated.

Step 5.
Now TC/VC knows that it has the correct password, the correct encryption algorithm, mode, key size, and the correct header key derivation algorithm. If it was able to successfully decrypt the data in step 2, it also knows that it’s mounting a hidden volume and its size is retrieved from data read in step 2 and decrypted in step 3.

Step 6.
The encryption routine is reinitialized with the primary master key and the secondary master key (XTS mode), which are retrieved from the decrypted volume header. These keys can be used to decrypt any sector of the volume, except the volume header area, which has been encrypted using the header keys.

The volume is mounted.

Source: https://andryou.com/truecrypt/docs/encryption-scheme.php

I have visualized the process in a simplified flowchart:

Volume format specification

An encrypted volume is formatted according to the following specification. Note that this specification applies to volumes created by TrueCrypt 7.0 or later. The format of file-hosted volumes is identical to the format of partition/device-hosted volumes (however, the “volume header”, or key data, for a system partition/drive is stored in the last 512 bytes of the first logical drive track).
TrueCrypt volumes have no “signature” or ID strings. Until decrypted, they appear to consist solely of random data.

Free space on each encrypted volume is filled with random data when the volume is created. The random data is generated as follows: Right before volume formatting begins, a temporary encryption key and a temporary secondary key (XTS mode) are generated by the random number generator. The encryption algorithm that the user selected is initialized with the temporary keys. The encryption algorithm is then used to encrypt plaintext blocks consisting of zeroes. The encryption algorithm operates in XTS mode. The resulting ciphertext blocks are used to fill (overwrite) the free space on the volume. The temporary keys are stored in RAM and are erased after formatting finishes.

The layout of a VeraCrypt volume and the layout of a TrueCrypt volume are identical.

TrueCrypt layout

| Offset (bytes) | Size (bytes) | Encryption Status | Description |
|---|---|---|---|
| 0 | 64 | Unencrypted | Salt |
| 64 | 4 | Encrypted | ASCII string “TRUE” |
| 68 | 2 | Encrypted | Volume header format version (5) |
| 70 | 2 | Encrypted | Minimum program version required to open the volume |
| 72 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 256-511 |
| 76 | 16 | Encrypted | Reserved (must contain zeroes) |
| 92 | 8 | Encrypted | Size of hidden volume (set to zero in non-hidden volumes) |
| 100 | 8 | Encrypted | Size of volume |
| 108 | 8 | Encrypted | Byte offset of the start of the master key scope |
| 116 | 8 | Encrypted | Size of the encrypted area within the master key scope |
| 124 | 4 | Encrypted | Flag bits (bit 0 set: system encryption; bit 1 set: non-system in-place-encrypted/decrypted volume; bits 2–31 are reserved) |
| 128 | 4 | Encrypted | Sector size (in bytes) |
| 132 | 120 | Encrypted | Reserved (must contain zeroes) |
| 252 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 64-251 |
| 256 | Var. | Encrypted | Concatenated primary and secondary master keys |
| 512 | 65024 | Encrypted | Reserved (for system encryption, this item is omitted) |
| 65536 | 65536 | Encrypted / Unencrypted | Area for hidden volume header (if there is no hidden volume within the volume, this area contains random data). For system encryption, this item is omitted. See bytes 0–65535. |
| 131072 | Var. | Encrypted | Data area (master key scope). For system encryption, the offset may be different (depending on the offset of system partition). |
| S-131072 | 65536 | Encrypted / Unencrypted | Backup header (encrypted with a different header key derived using a different salt). For system encryption, this item is omitted. See bytes 0–65535. |
| S-65536 | 65536 | Encrypted / Unencrypted | Backup header for hidden volume (encrypted with a different header key derived using a different salt). If there is no hidden volume within the volume, this area contains random data. For system encryption, this item is omitted. See bytes 0–65535. |

VeraCrypt layout

| Offset (bytes) | Size (bytes) | Encryption Status | Description |
|---|---|---|---|
| 0 | 64 | Unencrypted | Salt |
| 64 | 4 | Encrypted | ASCII string “VERA” |
| 68 | 2 | Encrypted | Volume header format version (2) |
| 70 | 2 | Encrypted | Minimum program version required to open the volume |
| 72 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 256-511 |
| 76 | 16 | Encrypted | Reserved (must contain zeroes) |
| 92 | 8 | Encrypted | Size of hidden volume (set to zero in non-hidden volumes) |
| 100 | 8 | Encrypted | Size of volume |
| 108 | 8 | Encrypted | Byte offset of the start of the master key scope |
| 116 | 8 | Encrypted | Size of the encrypted area within the master key scope |
| 124 | 4 | Encrypted | Flag bits (bit 0 set: system encryption; bit 1 set: non-system in-place-encrypted/decrypted volume; bits 2–31 are reserved) |
| 128 | 4 | Encrypted | Sector size (in bytes) |
| 132 | 120 | Encrypted | Reserved (must contain zeroes) |
| 252 | 4 | Encrypted | CRC-32 checksum of the (decrypted) bytes 64-251 |
| 256 | Var. | Encrypted | Concatenated primary and secondary master keys |
| 512 | 65024 | Encrypted | Reserved (for system encryption, this item is omitted) |
| 65536 | 65536 | Encrypted / Unencrypted | Area for hidden volume header (if there is no hidden volume within the volume, this area contains random data). For system encryption, this item is omitted. See bytes 0–65535. |
| 131072 | Var. | Encrypted | Data area (master key scope). For system encryption, the offset may be different (depending on the offset of system partition). |
| S-131072 | 65536 | Encrypted / Unencrypted | Backup header (encrypted with a different header key derived using a different salt). For system encryption, this item is omitted. See bytes 0–65535. |
| S-65536 | 65536 | Encrypted / Unencrypted | Backup header for hidden volume (encrypted with a different header key derived using a different salt). If there is no hidden volume within the volume, this area contains random data. For system encryption, this item is omitted. See bytes 0–65535. |
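
The step 4 check applied to the header layout above, as an added example that is not part of the original post or of the TrueCrypt/VeraCrypt code. It assumes the header has already been decrypted with a candidate key and that multi-byte fields are stored big-endian (the page does not state the byte order); the function names and the sample header are constructed for illustration.

```python
import hashlib
import struct
import zlib

# Magic string -> (format name, header format version), as in the layout tables.
MAGICS = {b"TRUE": ("TrueCrypt", 5), b"VERA": ("VeraCrypt", 2)}
# Fields at bytes 64-131 of the header; big-endian packing is an assumption.
FIELDS = struct.Struct(">4sHHI16xQQQQII")


def parse_decrypted_header(hdr: bytes):
    """Run the step 4 checks on a 512-byte header whose bytes 64-511 were
    decrypted with a candidate key. Returns a dict, or None if they fail."""
    if len(hdr) != 512:
        raise ValueError("volume header must be exactly 512 bytes")
    (magic, version, min_prog, key_crc, hidden_size, vol_size,
     mk_offset, mk_size, flags, sector) = FIELDS.unpack_from(hdr, 64)
    (field_crc,) = struct.unpack_from(">I", hdr, 252)
    if magic not in MAGICS:
        return None  # wrong password, PRF, cipher, mode or key size
    if zlib.crc32(hdr[256:512]) != key_crc:
        return None  # master-key area (bytes 256-511) is not intact
    if zlib.crc32(hdr[64:252]) != field_crc:
        return None  # header fields (bytes 64-251) are not intact
    return {"format": MAGICS[magic][0], "version": version,
            "min_program_version": min_prog, "hidden": hidden_size != 0,
            "volume_size": vol_size, "master_key_offset": mk_offset,
            "encrypted_area_size": mk_size, "sector_size": sector,
            "system_encryption": bool(flags & 1), "salt": hdr[:64]}


def build_sample_header(magic: bytes = b"VERA", host_size: int = 10 * 2**20):
    """Constructed sample: a header as it would look after decryption."""
    salt = hashlib.sha512(b"constructed salt").digest()   # bytes 0-63
    keys = hashlib.sha512(b"constructed keys").digest()   # stand-in key material
    key_area = keys.ljust(256, b"\0")                     # bytes 256-511
    data_size = host_size - 4 * 65536                     # host minus header areas
    # 0x0100 is a constructed placeholder for the minimum program version.
    body = FIELDS.pack(magic, MAGICS[magic][1], 0x0100, zlib.crc32(key_area),
                       0, data_size, 131072, data_size, 0, 512).ljust(188, b"\0")
    return salt + body + struct.pack(">I", zlib.crc32(body)) + key_area
```

A single flipped bit anywhere in bytes 64-511 makes the parser return None, which is why a wrong candidate key is rejected reliably.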

Security

Even with its flaws, TrueCrypt remains a good encryption method today. If you want to start encrypting something today, you should use VeraCrypt since it uses more advanced encryption methods and fixes some of the flaws TrueCrypt has. For a forensic investigator, however, both formats pose a serious challenge. Since there is no way to “break” the encryption, the only way is to brute-force the passkey, something that with current systems can take years if not decades. The best way to attack a TrueCrypt or VeraCrypt volume is using wordlists (Building wordlists from Forensic Images).

 

Plausible deniability

The most troublesome part of these tools is the fact that the volumes they create can’t be reliably identified. When analyzed, the volumes appear to have no header and only contain random data. By analyzing the size, header and entropy you might be able to identify “possible” volumes; there is, however, no way to be sure that a file really is an encrypted volume or just random data.
When examining a system where you suspect the user might have used encryption tools like TrueCrypt or VeraCrypt, you might want to try and detect TrueCrypt and VeraCrypt volumes.

I have visualized the entropy of 4 different (compressed) files with binvis.io. As you can see, the VeraCrypt container is entirely random; this is what makes it impossible to identify a TrueCrypt or VeraCrypt volume with 100% certainty.

[Figures: binvis.io entropy visualizations of a VeraCrypt container, an Android APK file, a RAR file and a JPG file]

This high level of entropy is also a good way to detect potential TrueCrypt and VeraCrypt volumes.

Detection

TrueCrypt has been designed to be hidden. Because of this, it’s impossible to identify TrueCrypt volumes with 100% certainty. However, there are some ways to identify possible TrueCrypt volumes by looking at their size, header (or rather, the lack of a header) and entropy.
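
A triage sketch of the size, header and entropy checks described above, added here as an example and not taken from the original post. The 7.99 bits-per-byte threshold, the multiple-of-512 size rule and the short signature list are assumptions chosen for illustration; the minimum size follows from the four 64 KiB header areas in the layout tables.

```python
import hashlib
import math
from collections import Counter

# Two 64 KiB header areas plus two 64 KiB backup areas, per the layout tables.
MIN_VOLUME_SIZE = 4 * 65536
SECTOR = 512  # assumption: container sizes are a multiple of the sector size
# Short, non-exhaustive signature list (ZIP/APK, RAR, JPEG, gzip, PDF).
KNOWN_MAGICS = (b"PK\x03\x04", b"Rar!", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF")
WINDOW = 65536


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, threshold: float = 7.99):
    """Return (is_candidate, reason). A hit means 'possible volume', never proof."""
    if len(data) < MIN_VOLUME_SIZE:
        return False, "too small to hold header and backup header areas"
    if len(data) % SECTOR:
        return False, "size is not a multiple of 512"
    if data.startswith(KNOWN_MAGICS):
        return False, "known file signature"
    # Primary and backup headers are both ciphertext, so both ends must look random.
    for name, chunk in (("start", data[:WINDOW]), ("end", data[-WINDOW:])):
        if shannon_entropy(chunk) < threshold:
            return False, f"low entropy at {name}"
    return True, "high entropy, no signature, plausible size"


def constructed_random(n: int, seed: bytes = b"demo") -> bytes:
    """Constructed sample data: deterministic SHA-256 counter stream."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
```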

Read more about the detection of TrueCrypt and VeraCrypt volumes in my post: Detecting TrueCrypt and Veracrypt volumes.