Opening a crypto container via a RAM dump


Introduction

As they say, good day! Today I would like to discuss cryptocontainers and how they are opened. Every year the question of data security, and of storing data reliably, becomes more acute. This is exactly where the technology of storing data in cryptocontainers comes to our aid.

What is a crypto container?

A crypto container is a special object that is used to store keys and other confidential information. It is a protected memory area that can be used for secure storage and transmission of data.

Cryptocontainers are usually created using special API functions of the operating system or software that provides cryptographic services. These functions allow you to create, open, close, and destroy cryptocontainers.

One of the main uses of a crypto container is to store a key pair. For example, when using the SSL/TLS protocol to secure the connection between a web server and a browser, the server certificate and its corresponding secret key can be stored in a crypto container. This ensures the security of storing this important data.

In addition, a crypto container can be used to store other types of confidential information, such as passwords, access tokens, and other data that must be protected from unauthorized access.

It is important to note that cryptocontainers are not completely secure. They can be hacked or compromised if an attacker gains access to the computer or device where they are stored. Therefore, it is important to use reliable security methods such as encryption and authentication to minimize risks.

Create your own crypto container

There are many programs for creating cryptocontainers. The most popular of them are TrueCrypt and its successor VeraCrypt.

TrueCrypt was a popular encryption tool until 2014, when its developers announced they were ending support. After that, the project was renamed VeraCrypt and its source code was published on GitHub.

VeraCrypt continues to support many of the features of TrueCrypt, including the ability to create encrypted containers and disk partitions, as well as the ability to encrypt an entire hard drive. It also adds new features, such as support for new encryption algorithms and improved protection against attacks.

Both tools provide a simple and convenient way to protect your data from unauthorized access.

Anticipating the indignation of some readers about the use of outdated software, I will say right away that the technologies and methods presented in this article are for informational purposes only: they are meant to give a general understanding of this applied area so that readers can develop their skills in it further.

Now we can get started.

Download the archive from the official website.

Since the host system in our example is 64-bit AstraLinux, we choose option 4.

Unpack the downloaded archive:
Code:
tar xfvz truecrypt-7.1a-linux-x64.tar.gz

Install using the command:
Code:
./truecrypt-7.1a-setup-x64

During the installation process, we accept all the prompts.

Then we launch the installed software by entering the name of the program itself in the console:
Code:
truecrypt

Next, to create a volume, select a free slot, then choose the 'Create Volume' item and follow the prompts.

When we reach the Select File step, we specify the path to the place where the container will be stored and enter its name in the "name" field.

When choosing encryption and hashing algorithms, you should be careful and make a choice based on your requirements, whether it is the speed of encryption/decryption or the reliability of the algorithms and their cryptographic strength. For the sake of example, I did not change anything and left the default values.

The size should be specified with a small reserve, because you never know whether you will add more data to the container later. In my case, it is 2 MB.

Then we set the password. Let it be just "password".

After creation, we attach it: click "Select File" in the main window and specify the location of our container.

Select the first slot and click Mount, enter the password.

Now we have access to it via the path /media/truecrypt1.

For example, let's create a text file there.

Dump RAM

First, you should understand what a memory dump is.

A memory dump (core dump) is the contents of the working memory of a single process, the kernel, or the entire operating system. It may include additional information about the state of the program or system, such as processor register values and stack contents. A core dump may be saved automatically when a process terminates due to a fatal error, or manually through a debugger or a special program. In Unix-like operating systems, a core dump is saved as a file, usually called core or core.<process number>. In Windows, there are two types of dumps: kernel-mode dumps and user-mode dumps. A user-mode dump, also known as a minidump, contains selected types of data, such as full or partial process memory, lists, the stack, thread state, kernel object handles, and a list of loaded and unloaded libraries. A core dump is useful for debugging a program and analyzing errors.

After getting acquainted with the theory, let's move on to practice. Having tried many ways to create a dump in AstraLinux, I share with you the tool that worked for me.

For me it was LiME. LiME is an open source project, so you can download it from GitHub using the command:
Code:
git clone https://github.com/504ensicsLabs/LiME.git

After cloning, change into LiME/src/ and run make, which builds the kernel module for the running kernel.

Create a dump with the command:
Code:
sudo insmod lime-5.15.0-70-generic.ko "path=/home/memory_dump format=raw"

path - the path where the dump file is saved
format - the format of the saved file (raw here)

You can now unmount the container by clicking the dismount button in TrueCrypt.
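The insmod step above is what a defender would want to notice: an out-of-tree module loaded while an encrypted volume is still mounted. The following check is an added example written for this article, not part of the original post or of LiME; it parses text in the layout of /proc/modules and /proc/mounts, and the sample contents are constructed, not captured from a real host.

```python
"""Defender-side check for the LiME step above: is a memory-acquisition module
loaded while a TrueCrypt volume is still mounted? Sample inputs mimic the text
layout of /proc/modules and /proc/mounts and are constructed, not captured."""
import re

# Module name LiME's .ko registers under once insmod has loaded it.
ACQUISITION_MODULES = {"lime"}

# Constructed /proc/modules: name size refcount deps state address [taint];
# "(OE)" marks an out-of-tree (O), unsigned (E) module such as LiME.
SAMPLE_MODULES = """\
lime 16384 0 - Live 0xffffffffc0a00000 (OE)
snd_hda_intel 57344 4 - Live 0xffffffffc09c0000
fuse 167936 3 - Live 0xffffffffc0800000
"""

# Constructed /proc/mounts: TrueCrypt maps volumes as /dev/mapper/truecryptN.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/truecrypt1 /media/truecrypt1 ext2 rw,nosuid,nodev 0 0
"""

TC_MOUNT = re.compile(r"^/dev/mapper/truecrypt\d+\s+(\S+)")

def loaded_modules(proc_modules_text):
    """Map module name -> taint flags ('' when the kernel reports none)."""
    mods = {}
    for line in proc_modules_text.splitlines():
        parts = line.split()
        if parts:
            mods[parts[0]] = parts[6].strip("()") if len(parts) > 6 else ""
    return mods

def mounted_truecrypt_volumes(proc_mounts_text):
    """Mount points of TrueCrypt volumes currently attached."""
    hits = (TC_MOUNT.match(line) for line in proc_mounts_text.splitlines())
    return [m.group(1) for m in hits if m]

def assess(proc_modules_text, proc_mounts_text):
    """Return findings as strings; an empty list means nothing to report."""
    findings, mods = [], loaded_modules(proc_modules_text)
    for name in sorted(ACQUISITION_MODULES & set(mods)):
        findings.append(f"memory acquisition module loaded: {name} "
                        f"taint={mods[name] or 'none'}")
    vols = mounted_truecrypt_volumes(proc_mounts_text)
    if vols:  # a mounted volume keeps its master keys in RAM, dump or not
        why = "during acquisition" if findings else "(keys resident in RAM)"
        findings.append(f"encrypted volumes mounted {why}: {', '.join(vols)}")
    return findings
```

On a live host, feed `assess()` the contents of /proc/modules and /proc/mounts; the second finding alone is the reminder from this article that a mounted container is exposed until it is dismounted.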

Analysis of RAM dump

There are several ways to analyze a RAM dump:
  1. Manual analysis: This is the simplest method, which involves viewing the memory dump using a text editor or specialized program. The user can search for specific lines of code, variables, or data structures to understand what was happening at the time of the crash.
  2. Using a debugger: Debuggers such as gdb on Linux or WinDbg on Windows allow you to analyze a memory dump in more depth. They provide tools for viewing the call stack, variables, and data structures, and allow you to set breakpoints and execute commands in the context of the process.
  3. Automated Analysis: There are specialized tools that can automatically analyze a memory dump and detect common errors such as using uninitialized variables, accessing memory that has already been freed, etc. Examples of such tools are Valgrind on Linux and Dr. Memory on Windows.
  4. Analysis with a static code analyzer: Some static code analyzers, such as Clang Static Analyzer, can analyze your source code and warn you about potential problems that could cause crashes.
  5. Using profilers: Profilers such as gprof on Linux or Visual Studio Profiler on Windows can help identify performance bottlenecks in your program and point out possible causes of crashes.
  6. Using memory analysis tools: Tools like Memcheck in Valgrind can detect memory management issues such as memory leaks and use of uninitialized variables.
  7. Using stack analysis tools: Tools such as StackWalker in Windows can help you analyze the call stack and find out why your program might have entered an invalid state.
  8. Using log analysis tools: Logs can provide valuable information about what was happening on the system before a crash. Log analyzers can help you find and analyze these records.
  9. Using Reverse Engineering Tools: Reverse engineering can be useful for analyzing a memory dump, especially if the source code of the program is not available. Tools such as IDA Pro can help in this process.

The choice of method depends on the specific situation and available resources.

We will perform the analysis on Windows, an OS beloved by many. For this we will use the Passware program, whose interface looks like this.

The program's functionality is quite extensive, but we are interested in only one of its capabilities, namely the Full Disk Encryption item.

Then we select the TrueCrypt entry.

Now we have two options for hacking a crypto container:
  • The first option is without a RAM dump.
  • The second option is with a RAM dump.

Let's start with the first option.

This option is not the preferred one. In our case, it worked only because the password is simple and the algorithms used are not the most secure.

We return to the main page and select the second option.

We specify the files with the container and dump respectively.

Now that we know the password, we can go back to Astra, mount the container with that password, and extract the contents.

Conclusion

Cryptocontainers are an important data protection tool, and hacking them can be very difficult for attackers. However, there is a way to bypass the protection of a cryptocontainer using a RAM dump. This method allows access to the contents of the container without knowing the password or encryption key.

It is important to note that this method is illegal and can lead to serious consequences for those who use it. In addition, using this method requires certain knowledge and skills in the field of computer security.

In general, hacking a crypto container via a RAM dump is a complex task that requires specialized knowledge and tools. However, if approached correctly, this method can be an effective way to gain access to protected data.
