Attacks on VeraCrypt, how to extract encryption keys from RAM?

31 July 2024 15 minutes Author: Cyber Witcher

Learn about modern methods for decrypting VeraCrypt, TrueCrypt, and BitLocker containers. Is it possible to extract the master keys from the RAM dump? Let’s consider methods of protection, including hardware and software encryption of RAM. Learn about forensic tools used for data analysis and security.

This content is provided strictly for educational and research purposes only. The authors and editorial team do not endorse or encourage any unlawful activity described in the article. Any attempt to use the described methods for unauthorized access or data extraction is a violation of the law and may result in criminal prosecution under applicable national and international legislation. Act responsibly.

Attacks on VeraCrypt, RAM encryption

How are VeraCrypt, TrueCrypt and BitLocker containers decrypted? Is it possible to extract the master keys that decrypt these containers from a RAM dump? Will hardware or software encryption of RAM help? What additional methods of protection exist?

Specialized forensic software can take RAM dumps, extract encryption keys from them and use those keys to decrypt VeraCrypt, BitLocker, TrueCrypt and other crypto containers. It is the only software on the market that offers such capabilities; there are no better paid solutions.

If the computer falls into the hands of forensic experts, they will most likely use this software to extract the keys from RAM, provided, of course, that a dump was taken. The keys used by VeraCrypt, BitLocker, TrueCrypt and other popular encryption solutions are held in RAM and are called master keys. With a RAM dump, the key for a crypto container can be recovered from it, and with that key the container can be mounted and decrypted without knowing the password.

There are several practical ways to take a RAM dump. Besides dumping memory directly from a running system with full rights, the first method is to freeze the memory. For example, the RAM modules are cooled with liquid nitrogen and then inserted into another computer or a special device from which the dump is taken. At low temperatures the contents of the modules are retained, so at least partial information can be dumped.

The second way is a reboot. Some motherboards allow memory contents to survive a reboot, which makes it possible to take a memory dump containing the encryption keys by booting a Linux distribution with preinstalled memory dump software.

It should be understood that law enforcement officers know how important access to an unlocked computer is. They can conduct special operations to get into an apartment while the computer is unlocked and the crypto containers are mounted. This can happen when a family member enters the apartment or a technician comes for repairs. In such a situation, their first priority is to dump the RAM before doing anything else on the computer.

Some RAM-dumping software, in certain cases, triggers a blue screen and the memory is cleared. If software encryption of keys in RAM is used, system performance may drop by 15-20%.

In addition to software encryption, there is also hardware RAM encryption, which is supported by some processors and configured in the BIOS. This method makes working with RAM dumps more difficult, but it is not always reliable either.

In general, the available forensic analysis tools have certain limitations and do not always make it possible to extract encryption keys from RAM, especially if additional protection methods are used.

The second way is a reboot. Some motherboards and RAM modules allow memory contents to be retained during a reboot, making it possible to take a memory dump containing the encryption keys using a Linux distribution with preinstalled memory dump software.

It should be understood that law enforcement agencies know how important access to an unlocked computer is. They can carry out special operations to enter a room while the computer is unlocked and the crypto containers are mounted. This can happen when police officers suddenly enter together with a family member, technician or delivery person coming into the apartment. With proper preparation, the probability of a successful operation is quite high.

It is quite possible that a child enters the apartment and police officers break in with him. You won’t even have time to blink before you are face down on the floor. The same can happen with a wife, a courier or a technician who came to fix a lamp or the wiring. There are many options. We will not go into the details of how this is done, but it is real and you need to be prepared for it.

The task of the officers in such a situation is to take a RAM dump before any other action on the computer, so as not to erase important information from memory. First a RAM dump is taken to an external device, and then it is searched for PGP, BitLocker, VeraCrypt, TrueCrypt and other encryption keys.

Not all officers follow instructions or act correctly. There have been cases where officers entered offices with open, unlocked computers and simply cut the power at the meter. As a result, every unlocked computer with VeraCrypt installed lost any chance of data recovery. Some officers, not knowing the Windows password, removed the user’s password without making a backup first, which was a critical error, because without the password it was impossible to get at the passwords stored in, for example, the Chrome browser. In effect, they could be said to be helping the criminals.

Don’t assume that every officer will make mistakes in your favor; there are those who act wisely. Interestingly, VeraCrypt has a function that, when a new device is connected, forces the system to reboot, completely clearing the RAM and causing a blue screen. If this feature is not enabled, software such as Elcomsoft Forensic Disk Decryptor can be used to dump the RAM.

This method has proven effective in combination with forensic software, since specialized programs can extract encryption keys from a RAM dump and use them to decrypt the crypto containers.

Its makers boast that it is the best program on the market, at $700. I have a license. It claims to be able to extract VeraCrypt encryption keys and decrypt the containers. I recommend reading the link below; use the browser’s automatic translation if you have difficulties.

https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys/

The key encryption function in VeraCrypt was not specially enabled; the program was simply installed and a container was created. Then, when creating a dump of physical memory, an arbitrary location was chosen to save it, for example a flash drive, and the “Start” button was pressed. The program reported that there was insufficient space on the flash drive, so a path on the computer was selected and “Start” was clicked again. It turned out that VeraCrypt has its own driver that protects RAM from tampering: when an attempt is made to create a RAM dump, the memory is cleared and a blue screen appears.

If this were a police operation, this would be a complication, because all the work would be in vain: the computer is encrypted again. There are ways to dump RAM despite this driver, but the $700 program with advanced RAM dump capabilities cannot do it, even if the protection function in VeraCrypt is disabled. Rebooting the computer nullifies the usefulness of this program. Even after the protection function was disabled, the Elcomsoft program still could not dump the RAM, because the VeraCrypt driver, even after the program is uninstalled, does not allow it and causes a blue screen when a dump is attempted.

FTK Imager is another specialized forensics program that can be downloaded for free, but it also cannot create a RAM dump in this situation. In the end, the author did manage to take a RAM dump despite the protection.

For the practical test, VeraCrypt and TrueCrypt containers were mounted so that their keys were in RAM. A BitLocker volume is also currently mounted.

How is a RAM dump taken with standard settings? The default VeraCrypt settings were used: the “Disable memory protection” checkbox was not set, and key encryption in RAM was not enabled either. TrueCrypt also had default settings. The expensive specialized software Elcomsoft Forensic Disk Decryptor, used earlier, caused a blue screen when trying to create a RAM dump and could not take one. But there is a free solution – DumpIT.

DumpIT is launched, administrator privileges are granted, the action is confirmed, and the RAM dump is created. The program starts the dumping process. After the dump is complete, Elcomsoft Forensic Disk Decryptor is used to extract the keys from the image: the path for the keys is specified and the 32 GB dump that was just created is selected. The PGP options are turned off so as not to overload the system, only VeraCrypt and BitLocker remain, and “Next” is clicked.

The process went quite quickly. After a pause, when everything was finished, the software reported that the master keys for TrueCrypt and BitLocker had been found. The key for VeraCrypt was not found.

These keys are stored in the “keys” file. Interestingly, BelkaSoft’s RamCapture can also dump RAM, unlike some specialized software. Next, decrypting the containers with these keys is tested. All containers are unmounted. If you have access to the computer, you can simply click “archive key”; pulling the key from RAM is not required, although sometimes it is the only way.

Next, TrueCrypt and VeraCrypt are tested. First the path to the TrueCrypt container is specified. Everything works fine with TrueCrypt: the memory dump and the saved keys are specified, the saved keys are entered and “Mount” is pressed. The disk is mounted successfully. The TrueCrypt container works fine, after which it is unmounted.

The next step is to try the same with VeraCrypt. It does not work with VeraCrypt, even though memory encryption was not enabled. Perhaps the VeraCrypt keys are stored in a particular area, or in an encrypted area, or the driver does not let the RAM-dumping software access these keys. As a result, even with a RAM dump, the VeraCrypt container cannot be mounted.

It is worth noting why the option to encrypt keys in RAM is not enabled by default.

The reason is that when this function is enabled, RAM performance drops by 15-20%. Therefore the feature is not enabled by default. As the example shows, even the paid solutions used by experts do not help.

Therefore, further tests are performed on TrueCrypt, since the TrueCrypt key was found. BitLocker is examined next. As you can see, the software is expensive and popular, and I don’t want to criticize it too much, because there are no other solutions, but when you try to specify the path to the BitLocker-encrypted drive, even an unlocked one, the software crashes. That is, the key is found in RAM, but the software fails.

Attempts were made to create an image of this drive so that the image could be used instead of the device itself. But even trying to load this image fails. It simply doesn’t work. In fact, even professional forensics software doesn’t work well here. Even an ordinary expert will face the same problems as the author: they will just not be able to mount the drive. This process will not be shown in detail, but the point is that the software crashes.

It can be loaded as a disk, or a container can be specified. An image is now being created for demonstration. FTK Imager is a great free tool for creating disk images and RAM dumps and for mounting those images.

It supports the E01 (compressed full bit copy) and DD/RAW (uncompressed bit copy) formats. The DD/RAW format is used here because the software handles it better.

An image is created. After completion, it can be seen that the software still crashes. The only thing this software can decrypt out of the box is TrueCrypt. Now hardware encryption is enabled and it is checked to what extent it protects RAM from such attacks.

VeraCrypt offers software encryption of the keys in memory: the corresponding option is enabled and the keys are encrypted in software. There are detailed instructions on the website. Even without this option, the specialized software cannot extract the VeraCrypt key, so there is no point in doing it manually. Only hardware encryption is therefore tested, using TrueCrypt as the example.

The software does a good job with TrueCrypt and extracts its keys. RAM encryption is enabled in the processor and it is checked to what extent it protects RAM from such attacks.

RAM encryption is disabled by default, and not every processor supports it. To enable it, go to the BIOS settings, then to the DDR Security section, and enable the functions responsible for RAM encryption and scrambling. This makes working with RAM dumps more difficult. Now we test how it actually works.

Hardware encryption of RAM is now enabled. Additional tests are conducted to find out whether text data can be found in the RAM dump. For this, the container is mounted and the clipboard is loaded with text. It is then checked whether these values can be found in the RAM dump.

The container is mounted and a dump is started using professional RAM dump programs. Such programs cannot be run while VeraCrypt is active, because the VeraCrypt driver clears the RAM and the system goes into a blue screen. After the dump is complete, TrueCrypt keys will be searched for.

The dump completed successfully. The search for TrueCrypt keys starts. The analysis takes much longer than in an unencrypted RAM dump, possibly because of the hardware encryption. While the analysis is in progress, let’s try to find text data in the dump.

A search of the RAM dump is run to determine whether text values and keys can be found in the encrypted memory. The results will show how effective hardware encryption is at protecting the data.

FTK Imager is used for the analysis. The image file is selected and the path to the dump is specified. Click “Finish” and the image opens. The search function is available here. The search for the initial text begins: click “Find”. A result is found. Even though the RAM is hardware-encrypted, the clipboard contents were still detected.

Let’s try to find the password used to open the container. That search was also successful: “123” was found. It might be a coincidence because the password is too short, so let’s try to find a longer text. Searching for Russian text does not work correctly, so new text is placed in the clipboard for the test.

The following texts are inserted into the clipboard one by one:

  • test 1

  • test 2

  • test 3

These texts should be held in RAM. A dump is taken and we try to find these texts manually: a new RAM image is created, added to FTK Imager and searched by keyword.

We search for “test 1”. As you can see, the text is found. Then we look for “test 2” and “test 3”. All the texts are found, although they are a little mixed up.

Despite hardware encryption being enabled, the texts from the clipboard are successfully located in the RAM dump. This indicates that hardware encryption does not fully protect information in RAM from being extracted. The information is scrambled somewhat, but still available for analysis.
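The clipboard check above can be reproduced without FTK Imager. The following Python script is an added example, not the article’s tooling and not code from VeraCrypt, Elcomsoft or FTK: it memory-maps a raw (DD/RAW) dump and looks for each test string both as UTF-8 and as UTF-16LE, because Windows stores clipboard text (CF_UNICODETEXT) as UTF-16LE, which is a likely reason an ASCII-only search shows the strings “a little mixed up” and fails on Russian text. The dump it scans is constructed inline; the temp path and the planted strings are the example’s own assumptions.

```python
"""Sweep a raw memory dump for planted test strings in the encodings a Windows
process actually holds them in. Constructed example: the 'dump' is synthetic."""
import mmap
import os
import tempfile
from typing import Dict, List


def patterns_for(keyword: str) -> Dict[str, bytes]:
    """Byte patterns to search for. CF_UNICODETEXT clipboard data is UTF-16LE,
    so a plain UTF-8/ASCII search misses it and misses non-Latin text entirely."""
    return {
        "utf8": keyword.encode("utf-8"),
        "utf16le": keyword.encode("utf-16-le"),
    }


def scan_dump(path: str, keywords: List[str], max_hits: int = 50) -> Dict[str, Dict[str, List[int]]]:
    """Return {keyword: {encoding: [byte offsets]}} for every match in the dump.

    The file is memory-mapped, so a multi-gigabyte raw dump is searched without
    loading it into Python memory; hits per pattern are capped at max_hits.
    """
    hits: Dict[str, Dict[str, List[int]]] = {}
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for kw in keywords:
            hits[kw] = {}
            for enc, pat in patterns_for(kw).items():
                found: List[int] = []
                pos = mm.find(pat)
                while pos != -1 and len(found) < max_hits:
                    found.append(pos)
                    pos = mm.find(pat, pos + 1)
                hits[kw][enc] = found
    return hits


def leaked(hits: Dict[str, Dict[str, List[int]]]) -> Dict[str, bool]:
    """Collapse the offset lists into a per-keyword 'survives in the dump' verdict."""
    return {kw: any(offs for offs in encs.values()) for kw, encs in hits.items()}


def build_sample_dump(path: str) -> None:
    """Write a small synthetic 'dump' (constructed data, not a real capture):
    deterministic filler with strings planted the way they sit in a clipboard
    buffer (UTF-16LE) or in a plain text buffer (UTF-8)."""
    filler = bytes(range(256)) * 16          # 4096 bytes of non-repeating noise
    zero_run = b"\x00" * 1000                # runs of zeros are common in dumps
    with open(path, "wb") as fh:
        fh.write(filler)                                   # offset 0
        fh.write("test 1".encode("utf-16-le"))             # offset 4096, 12 bytes
        fh.write(zero_run)
        fh.write(b"test 2")                                # offset 5108, 6 bytes
        fh.write(zero_run)
        fh.write("пароль".encode("utf-16-le"))             # offset 6114, 12 bytes
        fh.write(filler)


def demo_scan() -> Dict[str, Dict[str, List[int]]]:
    """Build the sample dump in a temp directory and scan it for the test strings."""
    dump = os.path.join(tempfile.mkdtemp(), "ram.raw")
    build_sample_dump(dump)
    return scan_dump(dump, ["test 1", "test 2", "test 3", "пароль"])


if __name__ == "__main__":
    results = demo_scan()
    for kw, present in leaked(results).items():
        print(f"{kw!r}: {'FOUND' if present else 'not found'} {results[kw]}")
```

On a real capture, pass the path of the raw image produced by DumpIT or FTK Imager to `scan_dump` with the strings you placed in the clipboard beforehand. The defensive use is the one the article is after: confirm whether a clipboard-clearing policy, a lock-screen wipe or memory encryption actually removes the strings, and note that only the UTF-16LE pattern will match text that came from the Windows clipboard.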

In general, hardware encryption of RAM has not shown high efficiency: despite its use, the information that was in memory can still be found in the dump. We wait for the key search to finish and check whether the TrueCrypt key can be found with hardware encryption enabled.

So, as you can see, the key search took much longer than the usual search in unencrypted memory, but the master key was still found. Now let’s check: the TrueCrypt container has been unmounted, the found key has been saved, and we try to mount the container again using the saved key.

The container was successfully mounted using the saved key. This calls into question the point of hardware encryption if the key can still be found in RAM. At the same time, system performance drops; exact benchmarks were not run, but the slowdown is noticeable.

Conclusion: hardware encryption, in the form in which we would like to see it, does not work properly. The test system uses a new processor on the AM5 socket and a motherboard that supports two hardware encryption methods, but despite this, the clipboard contents and the TrueCrypt keys can still be found in the RAM dump.

As for VeraCrypt, it is a great product. Even without enabling software encryption of keys in RAM, the specialized software cannot extract its key, because it is unable to create a RAM dump at all: VeraCrypt protects the information with a driver that clears memory when an attempt is made to access the keys. There is also the software RAM encryption function, which further increases security despite some loss of performance.

In addition, VeraCrypt has a setting to clear RAM when a new device is connected. If an unknown device is inserted, the memory is cleared and the system goes into a blue screen. At the moment, there are no ready-made products capable of retrieving the VeraCrypt master key from RAM.

Although the author is not a professional forensic examiner, and experts with more experience may have their own solutions for extracting the keys, what can be done on one’s own with the available professional tools has been shown here.
