Released back in 2013, VeraCrypt picks up where TrueCrypt left off. Supporting more encryption algorithms, more hash functions and a variable number of hash iterations, VeraCrypt is the default choice for the security conscious. VeraCrypt has no known weaknesses except one: once the encrypted disk is mounted, the symmetric, on-the-fly (OTF) encryption key must be kept in the computer’s RAM in order to read and write encrypted data. A recent change in VeraCrypt made OTF key extraction harder, while the latest update to Elcomsoft Forensic Disk Decryptor attempts to counter the effect of the change. Who is going to win this round?

Applicability

The RAM imaging and key extraction attack described in this publication is aimed at live system analysis. If a running PC was acquired with an authenticated session during the time the encrypted container is mounted, you may be able to dump the content of the computer’s RAM into a file and scan that file for on-the-fly encryption keys used in multiple encryption tools (BitLocker, TrueCrypt, VeraCrypt, PGP disk and PGP WDE). The absolute requirement is that the encrypted disk or container is mounted (unlocked) during the RAM dumping process.