Modify TrueCrypt Encryption Bootloader Strings

Requirements

  • Hex editor such as WinHex
  • A hard disk that has been encrypted with TrueCrypt full disk encryption

In a previous post I mentioned that TrueCrypt leaves behind a string in its boot loader (one that identifies it as a TrueCrypt boot loader) when the full disk encryption feature is used. As you can see in the screenshot below, I have modified the original “TrueCrypt Boot Loader” string to read “Windows Boot Loader.”

[Screenshot: Modified TrueCrypt Boot Loader]

This quick edit takes about ten seconds to complete. Just open the boot disk with a hex editor and modify the string.

If you don’t understand what I’ve done, here are the steps:

  1. Open the TrueCrypt encrypted hard disk (physical disk) with a hex editor
  2. Locate the TrueCrypt boot loader at the “start” of the hard drive (in sector 0)
  3. Use a hex editor to overwrite the “TrueCrypt Boot Loader” string
  4. Save changes
  5. Boot from the disk to make sure you haven’t messed up the boot loader

So what does this mean?

Many computer forensic examiners will probably not realize what they’re looking at if they actually do take a look at the boot loader. Removing this string ensures that they’re kept in the dark, unless they do their own digging and can figure out that the instructions in sector 0 are in fact part of a TrueCrypt boot loader.

There is plenty of other code in the boot loader. I’m sure patterns in this data can give away the fact that the disk has been encrypted with TrueCrypt. I have not researched it, and I have not attempted to figure out what this other data means or does. You should be fine modifying the strings in the boot loader, though.

You will want to keep the strings at their original length so as not to disturb code/instructions in other parts of the loader. If you start overwriting bytes in the boot loader that are not part of a string, you are probably modifying instructions, which will most likely cause a boot failure or crash the loader.

This is another one of those anti-forensic methods that’s not really strong, but it gets rid of the word “TrueCrypt” from the drive, which would be a dead giveaway to most examiners that TrueCrypt could have been used to encrypt the hard drive (I would hope so, anyway). I’ve run a keyword search in EnCase forensic software as well as other software to verify that there is no other reference to the name TrueCrypt on the fully encrypted disk. There were no other hits.

If there are any papers written on the construction of the TrueCrypt loader, or if you’ve done your own research on this, then please share what you’ve found. I, as well as others, will be very interested.

Old comments:

  1. Micah, March 2, 2009 at 3:44 am: Nice idea. I like that there’s someone else out there looking at the boot sector of a TrueCrypt Windows system encryption drive. I’m currently trying to develop a proof-of-concept exploit to bypass TrueCrypt system encryption, if you’re interested in helping at all. Check out my first post about it at my blog: http://blog.banditdefense.com/2009/03/02/attacking-truecrypt-part-1-the-vulnerability/
  2. Hans Henrik, March 11, 2009 at 12:31 am: Isn’t TrueCrypt open source? Yes it is. Technically, nuf said :P. You could just modify the name/boot procedures a bit by source, if you got the compiler/libs; much easier, and much safer (as you pointed out, messing with it in hex is likely to mess with every single jmp/cmp instruction..)
  3. Yar, March 11, 2009 at 8:23 pm: I’m looking forward to seeing more of your work on bypassing/exploiting the TrueCrypt header, Micah. Great idea, Hans! I may do something like that for each version that comes out and re-upload the binary here as well as the source code, if that’s allowed in the license anyways. If anyone else does this or something similar, please share here in the comments section.
  4. Myforwik, March 3, 2010 at 7:11 pm: I have done extensive research on the TrueCrypt boot loader. From your screenshot of the hex editor I can tell that you were running TrueCrypt 6.1a. Changing that one line of text fools no one. You have to realise that the TrueCrypt boot loader takes up sectors 1 to 63 of the hard disk, and it is not encrypted. The only way you can really hide TrueCrypt is to delete your first 63 sectors and use the rescue disk to boot your PC every time you boot up. The strings for the main login screen aren’t encrypted. They are simply compressed. If you copy from 0xA00 to about 0x3700 into a file, you can open it, as it’s a zip file; then all the TrueCrypt strings that you see on the login screen are available for everyone to see.
    • Max (Admin), March 3, 2010 at 8:33 pm: Great information, Myforwik! I currently cannot confirm or deny your claims, but if you could point the readers to some documentation on that it would be great. It would make a great addition to the article or a secondary article, with props to you of course.
  5. Lars, March 4, 2010 at 9:32 pm: Myfor, how is it you are extracting or uncompressing the data?
  6. Max (Admin), March 4, 2010 at 9:38 pm: Here it is uncompressed. I set up a test environment with the latest TrueCrypt version and a Windows XP system in VMware. It is the last 460 bytes after uncompressing the offsets that Myforwik provided. Bravo Myforwik, I had stopped all research on TrueCrypt so this is some exciting information for me, even if it might be public or widely known now. I don’t know if it is, but props to Myforwik for the info.
    Error: .Write.Read.. error:. Drive:. Sector:.. CHS:. MB ..Drive .. not found: ….No bootable partition found. TrueCrypt Boot Loader 6.3a… Keyboard Controls:…. [Esc] .Boot Non-Hidden System (Boot Manager).Skip Authentication (Boot Manager)..? (y/n): .y…n…[.] .[Esc] Cancel…..Enter password.. for hidden system:…: ..Booting…….BIOS reserved too much memory: .- Upgrade BIOS..- Use a different motherboard model/brand…Warning: Caps Lock is on….Incorrect password……If you are sure the password is correct, the key data may be damaged. Boot your..TrueCrypt Rescue Disk and select ‘Repair Options’ > ‘Restore key data’…….Bootable Partitions:….Drive: ., Partition: ., Size: ..Press 1-9 to select partition: .Your BIOS does not support large drives. due to a bug…- Enable LBA in BIOS….Copying system to hidden volume. To abort, press Esc…….If aborted, copying will have to start from the beginning (if attempted again)…..Abort.To fix bad sectors: 1) Terminate 2) Encrypt and decrypt sys partition 3) Retry…..Remaining: …Copying completed..MMAP: ..Memory corrupted.. è..PAMSC
    C’mon TrueCrypt, this isn’t cool :P
  7. Max (Admin), March 4, 2010 at 9:55 pm: I guess what probably needs to happen to do anything serious is to just start going through the TrueCrypt source code as Hans had suggested. I’m currently in the process of “modernizing” the site with a new theme and I’ve a ton of other projects ongoing, so I’ve no time to come up with a way to get rid of these strings. I mean the simple option would probably be to modify the source and rebuild (TrueCrypt binary), but it would be cool to have some process of editing this data, compressing it all again and then adding it back to the boot loader. Also, Lars, here is the process I went through. There are probably better methods but this is what worked for me:
    • 1. Using the HxD hex editor, copy out the data between the offsets Myforwik mentions and save to a file.
    • 2. Extract the data using 7-Zip; you’ll have to force it.
    • 3. Open the extracted data; the last 460 bytes should be these extra strings.
  8. myforwik, March 12, 2010 at 4:07 pm: It’s not exactly to 0x3700. If you go to address 0x1B0 there is a two-byte integer that is the size of the file. So if you read those two bytes (in version 6.3a it is usually 0x97 0x2D = 0x2D97 = 11671 bytes), and the bytes start at 0xA00. The file format is actually gzip, which is openable by most zip programs including Windows zip folders etc. Unfortunately, if you edit the strings and re-zip and save it back to 0xA00 it won’t work, because there is a checksum at 434d. That’s why I wrote a program.
  9. Ammie, May 23, 2010 at 5:18 pm: Hi!
    1. Create a TrueCrypt rescue disc.
    2. Use the WinHex application to erase sectors 1 to 63.
    3. Then you are required to use the TrueCrypt Rescue Disc on each PC start.
    Questions:
    1. Is erasing sectors 1 to 63 once enough?
    2. Anything to erase/remove/modify aside from the TrueCrypt boot loader, disregarding network/server tracks?
    3. Is there anyone who can verify that this is 100% false-positive, even from new/updated forensic applications?
    4. How about TrueCrypt volume tracks?
    Thanks for reply.
    -am
  10. LAR, June 11, 2010 at 6:53 pm: TrueCrypt is great and stable. TrueCrypt is driven by the features and marketing strategies. Then people and IT pros like it. They just don’t care if it is 100% safe. But any security product which is not 100% open sourced is very dangerous for keeping very sensitive data on your expensive laptop or your super tiny USB flash disk. We can’t prove that it is really safe if we do not have the complete source code and a certification. Imagine having sex with someone you don’t really know. Then 1 week later you are positive. The forum is also not open to anyone. I believe any free/open source security product should be certified (not recognized) as 100% safe (certified not by anyone but by a legit institution like NIST). If I am working in the government, should I tell anyone that the conspired product gave us a backdoor on it? If I am one of the developers, should I tell anyone that I created a personal backdoor on it? LAR
  11. sub, September 1, 2010 at 2:00 pm: If an expert hacker accessed my drive, whether in person or over the net, could he modify the boot loader (or extend the size if need be) to insert a keylogger (still keeping the TC boot screen intact) that would load a NIC driver then transmit the password over the net, therefore compromising the use of TC encryption? Or would the checksum defeat the extension and modification of the boot loader?
  12. Scizor, October 29, 2010 at 9:16 am: Tried more than once; the strings change in the hex code but on boot they stay the same… Any help here?
  13. emily, October 30, 2010 at 6:10 am: LAR, I agree with what you said, especially the last four lines. The other thing is, even if the source code is 100% provided and reviewed/analyzed by the best coder and most notorious hacker in the world, maybe they have already seen the hole and patched it themselves and don’t inform anyone.
  14. Joaquin, December 27, 2010 at 9:08 am: Hello. I created a file container with a keyfile in an external HD partition (78 GB of data encrypted). Everything was fine until I changed the name of my file container. Since then I cannot mount it. It shows an error message: “Incorrect password or not a TrueCrypt volume..” I put back the original name and get the same error message. I did not create any backup header. I do not think there was any problem, simply renaming the file, and now I’m going crazy because of the importance of the documents. I exposed this case in the TrueCrypt forum; one member of this forum says “you can always look at the file using a hex editor such as WinHex, with special emphasis on the locations of the headers, to see if anything looks amiss”, but I have no information or help. I tried to open the container file with this program but I do not understand anything. Can you help, please? I use TrueCrypt 7 and Windows XP.
  15. Joaquin, December 27, 2010 at 9:12 am: Sorry… I forgot to say that I tried to recover the embedded header (“Use backup header embedded in volume if available”) but I keep seeing the same error message.
  16. felixk, June 27, 2011 at 7:40 am: Hiding the fact that you are using TrueCrypt is not the answer. If you want to hide your ‘real’ TrueCrypt volume then use a hidden volume, which uses steganography. The real problem with the TrueCrypt bootloader being unencrypted is that it can be completely and utterly replaced (cracked) with one’s own code that does something like copy the user’s keys as they type them in. This was first presented by Joanna Rutkowska, founder and CEO of Invisible Things Lab, at a White hat conference. The only way to allow the use of an encrypted bootloader, to my knowledge, is with the use of a hardware component that decrypts and checks the bootloader every time. The hardware component sets up a secure way of entering the user’s key and using the TrueCrypt bootloader. This is sort of what a TPM chip does. Of course TPM is not secure enough if you have the resources of an organisation like the NSA, who can literally crack your CPU with an electron microscope and lithography machine. It is safe to say that there is no real total security yet. If you’re anything but a so-called terrorist that the NSA (i.e. the US government, i.e. a mega corp) absolutely wants to ‘get’, then there are plenty of secure solutions. But then if you are wanted that badly, the normal option is to send in the CIA or something equivalent and use what is called the rubber mallet decryption method or the bullet-in-the-head method. For all those who want a superb source of information on computer security, cryptography and the like, look no further than Bruce Schneier’s resources, like one of his many books or his Crypto-Grams.
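From the examiner's side, the article's EnCase keyword search only covers the visible sector-0 banner, while Myforwik's comments describe where a copy of the strings survives: a two-byte loader size at 0x1B0 and a gzip stream starting at 0xA00. The following is an added Python example, not code from the article or from TrueCrypt, that checks an image for both; the offsets are taken on trust from the comments above, and the image it scans is constructed inline rather than a real loader.

```python
import gzip
import re
import struct

SECTOR = 512
LOADER_LEN_OFFSET = 0x1B0   # two-byte compressed-loader size (assumption from Myforwik's comment)
GZIP_OFFSET = 0xA00         # start of the gzip-compressed loader, sector 5 (same source)
BANNER = b"TrueCrypt Boot Loader"
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, like a strings(1) pass

def scan_image(img: bytes) -> dict:
    """Report TrueCrypt indicators that survive overwriting the sector-0 banner."""
    sector0 = img[:SECTOR]
    n = struct.unpack_from("<H", sector0, LOADER_LEN_OFFSET)[0]
    blob = img[GZIP_OFFSET:GZIP_OFFSET + n]
    report = {
        "visible_banner": b"TrueCrypt" in sector0,   # what a plain keyword search sees
        "loader_len": n,
        "gzip_magic": blob[:2] == b"\x1f\x8b",
        "hidden_strings": [],
    }
    if report["gzip_magic"]:
        try:
            plain = gzip.decompress(blob)
        except (OSError, EOFError):      # truncated or tampered blob: report what we can
            plain = b""
        report["hidden_strings"] = [s.decode() for s in STRING_RE.findall(plain)
                                    if b"TrueCrypt" in s]
    report["truecrypt_likely"] = report["visible_banner"] or bool(report["hidden_strings"])
    return report

def build_sample_image(rename: bool) -> bytes:
    """Constructed 8-sector image (not a real loader): sector 0 carries the banner,
    optionally renamed in place, and sector 5 carries a gzip blob of login-screen text."""
    banner = b"Windows Boot Loader" if rename else BANNER
    banner = banner.ljust(len(BANNER))   # same length, as the article requires
    text = b"\0" * 32 + b"TrueCrypt Boot Loader 6.3a\0Enter password for hidden system:\0" + b"\0" * 32
    gz = gzip.compress(text, mtime=0)
    img = bytearray(SECTOR * 8)
    img[0x30:0x30 + len(banner)] = banner   # 0x30 is an arbitrary constructed offset
    struct.pack_into("<H", img, LOADER_LEN_OFFSET, len(gz))
    img[GZIP_OFFSET:GZIP_OFFSET + len(gz)] = gz
    return bytes(img)

if __name__ == "__main__":
    for renamed in (False, True):
        print("renamed" if renamed else "original", scan_image(build_sample_image(renamed)))
```

On the renamed image the banner check comes back negative while the decompressed loader still yields the TrueCrypt string, which is exactly why the string edit alone does not hold up.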