Decrypting a TrueCrypt drive pulled from another machine


If you need to recover data off of a TrueCrypt-encrypted hard drive, do the following:

  • Step 1: Plug in the hard drive to a computer with TrueCrypt installed.
  • Step 2: Open TrueCrypt and click "Select Device" in the box where it says "Volume".
  • Step 3: Select the partition that is encrypted and click "OK".
  • Step 4: Pick a drive letter from the list, then click "Mount".
  • Step 5: After the password box pops up, click "Mount options...", check "Mount volume as removable media" and "Mount partition using system encryption without pre-boot authentication", and click "OK".
  • Step 6: Enter the password and click "OK".
  • Step 7: Right click on the mounted device in the drive list and click "Open."

This should allow you to see the entire drive and copy over any data you may need.


BERNARDO
Author by

BERNARDO

Updated on September 18, 2022

Comments

  • BERNARDO
    BERNARDO almost 2 years

    What I want to do (ALL THIS IS PERFORMED ON ONLY ONE SERVER);

    (I'm working with example.com for not making any advertisement).

    Redirect all incoming HTTP/HTTPS requests (Port 80 and 443) to a specific website, for example, filter.example.com. There I've made my own mechanism to filter malicious requests. After that, the requests should get back to the requested website.

    My problem is that every request is getting redirected back to the filter, so there's an endless loop.

    Do you know any solution to that or maybe an alternative (Nginx)?

    Here's the problem shown by the packet flow;

    "User - Request = https://example.com" -> "Apache redirects it to = https://filter.example.com" -> "After getting filtered = https://example.com" -> "Apache is redirecting it back again."

    I really hope you understand my problem.

    Thank you.

    EDIT:

    These are my settings for the filter.example.com ServerName;

    <VirtualHost *:80>
        ServerName filter.example.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName filter.example.com
        RewriteEngine On
        DocumentRoot /var/www/filter/
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/filter.example.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/filter.example.com/chain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/filter.example.com/privkey.pem
        ErrorDocument 404 /error404.html
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/x-javascript
    </VirtualHost>
    

    And here for my "real" website;

    <VirtualHost *:80>
        ServerName example.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName example.com
        RewriteEngine On
        DocumentRoot /var/www/html/
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        ErrorDocument 404 /error404.html
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/x-javascript
    </VirtualHost>
    

    So, David wrote;

    You will really end up in a redirect loop because the request 1 to www.example.com will redirect to filter.example.com and again to www.example.com endlessly. To avoid this, add a cookie/header to the incoming request from www.example.com in filter.example.com (of course, after completing the filter process), something like Filter: true, so you know this is already a filtered request and doesn't need to go to filter.example.com.

    server {
        server_name filter.example.com;
        # logic to filter
        add_header 'passed_filter' 'true';
    }
    

    In your redirect logic, add a check to verify if the header Filter: true exists: if not, redirect to filter.example.com; if yes, skip the redirect and follow the normal execution procedure.

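    # If the header is not set, then we understand that this request should be redirected to filter.example.com
    # ($http_passed_filter is the request header; nginx ignores header names with underscores unless underscores_in_headers is on)
    if ($http_passed_filter != 'true') {
       # logic to redirect to filter
    }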
    

    Is that Nginx? Because I'm using Apache. Is there also a solution like that but for Apache?

    • Moab
      Moab almost 12 years
      Did you read the FAQ at the truecrypt site?...truecrypt.org/faq
    • Blakeg08
      Blakeg08 almost 12 years
      I will read over it more thoroughly. I think the FAQ indirectly answers the question but I would still like to know if anyone has had any hands on experience with this issue.
    • Ramhound
      Ramhound almost 12 years
      @Blakeg08 - You need to do the research before you come just asking for "hands on experiences", otherwise you will ask additional questions already answered by a FAQ.
    • barlop
      barlop almost 12 years
      Decrypt is very easy and quick to use. Just try it on a small thing. Like creating a virtual drive with a few pictures in it. I suggest using Truecrypt first as a test, as to say "decrypt a truecrypt drive pulled from another machine" doesn't make sense as far as I know (And I don't know much). What truecrypt does is it creates a virtual drive which it stores as a file. So you can't pull a virtual drive from a machine!!! Truecrypt is far less invasive than that!
    • barlop
      barlop almost 12 years
      @Moab I think he is under such a misconception about how truecrypt works, that the FAQ wouldn't address him. The FAQ does not address his misconception.
    • user1984103
      user1984103 almost 12 years
      @barlop TrueCrypt can be much more invasive than that, especially when doing full-disk encryption.
    • Blakeg08
      Blakeg08 almost 12 years
      Here's what I have. A laptop with a 500 Gigabyte hard drive with Windows 7 64 bit on it. I installed truecrypt and ran the "encrypt system/drive" process on it. Now the drive is fully encrypted. What I want to do is pull that drive out of the laptop. Then plug it into my desktop and recover data off of it. Can I decrypt the drive WITHOUT IT BEING PLUGGED INTO THE LAPTOP THAT I USED TO INITIALLY ENCRYPT THE DRIVE? That's my question.
    • user1984103
      user1984103 almost 12 years
      @Blakeg08 Pull it out and try it... and then come back and answer your question below so that others looking for the answer can find it easily. Some quick googling suggests that this is easy to do: Removing Encryption
    • Ramhound
      Ramhound almost 12 years
      @Blakeg08 - Of course you can.
    • Moab
      Moab almost 12 years
      Install truecrypt on the host PC, mount the drive and enter the encryption keys....serverfault.com/questions/46336/…
  • Ramhound
    Ramhound almost 12 years
    " I still don't know how to decrypt a mounted drive. "- Your solution is doing EXACTLY that.
  • BERNARDO
    BERNARDO over 6 years
    I'll try this out. Thank you. In a few minutes, I'll give you feedback. But headers are fake-able, or aren't they? Regards.
  • BERNARDO
    BERNARDO over 6 years
    I've edited my post, maybe you can help. Thank you for your time. Regards.
  • David
    David over 6 years
    Issue is not due to nginx or apache, it's the way the setup is. Based on what you have explained, I think you want to send the request to a filter and on filter send the request back. If this is the case, then you need to tag every request you already processed so it doesn't end up in a loop. Here is what you need to do to make this functional: for every request you process in filter.example.com, add a header to identify this request is already processed, and in filter.example.com add a checker to see if that header is present; if yes, you don't need to process the request again.
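
On the "headers are fake-able" concern raised in the comments above, this added example (not code from any participant in the thread) shows a signed, expiring marker that the filter issues and the site verifies, so a client cannot pass the check by sending passed_filter: true itself. It assumes the marker travels as a cookie named passed_filter scoped to the parent domain and that both virtual hosts share a secret on the one server; the function names and sample addresses are hypothetical.

```python
import hashlib
import hmac
import time

# Assumption: a secret readable by both filter.example.com and example.com.
SECRET = b"constructed-demo-key-replace-me"
MAX_AGE = 300  # seconds a marker stays valid


def _mac(host: str, client_ip: str, expires: int) -> str:
    """HMAC over the values the marker is bound to."""
    msg = f"{host}|{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(host, client_ip, now=None):
    """Called by the filter after a request has passed its checks."""
    expires = int(time.time() if now is None else now) + MAX_AGE
    return f"{expires}.{_mac(host, client_ip, expires)}"


def verify_token(token, host, client_ip, now=None):
    """Called by the site; False means the request must go to the filter."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing, malformed, or a bare "true"
    if expires < now:
        return False  # expired markers force a fresh pass through the filter
    expected = _mac(host, client_ip, expires)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())


def route(host, client_ip, cookies, now=None):
    """Per-request decision on the site: serve, or redirect to the filter."""
    if verify_token(cookies.get("passed_filter"), host, client_ip, now):
        return "serve"
    return "redirect:https://filter.example.com/"
```

Because a valid marker stops the redirect, the loop ends after one pass through the filter, while an unsigned or expired value is treated the same as no marker at all.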