VeraCrypt, previously known as TrueCrypt, is an open-source utility for on-the-fly encryption. The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication.
Although data is rarely encrypted with VeraCrypt, the tool is often used by the most sophisticated attackers, and what gets encrypted is usually the most sensitive data.
If the system under investigation uses VeraCrypt for the encryption of disks, partitions, or containers, getting access to the protected data turns into a particularly difficult task. This is because VeraCrypt provides several layers of protection, allowing users to hide the crypto-containers themselves, as well as utilize the large number of different encryption algorithms and additional key files offered by this utility. However, once the container or partition is unlocked, the encryption key used by the utility becomes accessible from RAM.
Extraction and Decryption of VeraCrypt with Oxygen Forensic® Detective
The latest version of Oxygen Forensic® Detective offers comprehensive VeraCrypt support that includes:
- Extraction of the VeraCrypt app from Windows, macOS, and Linux. It might contain key files that can be used to decrypt VeraCrypt containers.
- Extraction of VeraCrypt encryption keys from Windows RAM.
- Decryption of drives, partitions, and separate files with the password, encryption keys, or key files.
With Oxygen Forensic® KeyScout, encryption keys from all VeraCrypt versions can be extracted, enabling access to both standard and hidden containers, as well as encrypted disk partitions. The extracted data can then be saved as an .odb file.
Users of Oxygen Forensic® KeyScout can also extract and decrypt data from disks, their partitions, or separate file containers that have been encrypted with VeraCrypt. For the decryption to succeed, an encryption key or knowledge of the user password is required; this key can be extracted from RAM.
Since all VeraCrypt encryption algorithms are supported, data from all protected disks, partitions, as well as both standard and hidden containers, can be extracted with the help of Oxygen Forensic® KeyScout.