Home
This will follow the steps required to successfully decrypt a hidden VeraCrypt volume using MKDecrypt.py. The steps will include processing a RAM image using a tool that can quickly recover the encryption keys and then decrypting the volume using those encryption keys and MKDecrypt.py.
You will need to be in possession of a RAM image of the machine and the encrypted container, which in this case is called EncryptedContainer.hc (it could also be a block device like /dev/sdb or /dev/sdb2 rather than just a simple file). You can use a program such as Bulk Extractor to quickly find any AES keys within the RAM image.
Here, two possible 128 bit AES keys and two 256 bit AES keys have been located. VeraCrypt requires key sizes of 512, 1024 or 1536 bits in size. It is also known that it uses these keys in XTS mode which means that two keys are concatenated together but are separated by the program and used separately. The two 256 bit keys are also in close proximity in memory with offsets of 2,116,714,508 and 2,116,719,832 bytes respectively.
The AES keys are:
b7 0d 70 10 99 62 c1 d1 7f 24 16 10 c9 aa 8f 9f d8 c6 33 54 68 75 1f d9 67 77 7a 8c 7d a0 58 05
and
4b 3d 6d b8 99 57 10 eb 25 f7 6e 88 9b 65 c1 6d 6d 1c e5 2e d7 05 73 6a 52 68 97 17 cd 3d 65 3c
Concatenating these together and removing the spaces gives:
b70d70109962c1d17f241610c9aa8f9fd8c6335468751fd967777a8c7da058054b3d6db8995710eb25f76e889b65c16d6d1ce52ed705736a52689717cd3d653c
We can now use the MKDecrypt.py program. MKDecrypt.py has to be run as root/superuser so the sudo command has been used. -v, verbose and -m, mount options have been chosen. The encrypted container, EncryptedContainer.hc has been specified and the master encryption key has been pasted at the end of the command.
Success! MKDecrypt.py has successfully decrypted and mounted the hidden TrueCrypt volume.