07-14-2017, 06:17 PM
The TrueCrypt documentation states that the location of a non-hidden header is the last 512 bytes of the first logical track of the system drive (Sector 62, 0x7C00).
For a hidden OS, TrueCrypt will attempt to decrypt the non-hidden header first, then it will try to decrypt the area of the first partition behind the active partition. Where exactly is the location of the 512 bytes that can be used by Hashcat to decrypt the hidden header?
Quote:
Note: When you enter a pre-boot authentication password, the TrueCrypt Boot Loader first attempts to decrypt (using the entered password) the last 512 bytes of the first logical track of the system drive (where encrypted master key data for non-hidden encrypted system partitions/drives are normally stored). If it fails and if there is a partition behind the active partition, the TrueCrypt Boot Loader (even if there is actually no hidden volume on the drive) automatically tries to decrypt (using the same entered password again) the area of the first partition behind the active partition** where the encrypted header of a possible hidden volume might be stored. Note that TrueCrypt never knows if there is a hidden volume in advance (the hidden volume header cannot be identified, as it appears to consist entirely of random data). If the header is successfully decrypted (for information on how TrueCrypt determines that it was successfully decrypted, see the section Encryption Scheme), the information about the size of the hidden volume is retrieved from the decrypted header (which is still stored in RAM), and the hidden volume is mounted (its size also determines its offset). For further technical details, see the section Encryption Scheme in the chapter Technical Details.