Volatility Truecrypt

Submitted By sargerob

One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more permanent storage) and performance. This is a risk that suspects have to live with, and one that law enforcement and government investigators can capitalize on.

The default encryption scheme is AES in XTS mode. In XTS mode, primary and secondary 256-bit keys are concatenated together to form one 512-bit (64 bytes) master key. An advantage you gain right off the bat is that patterns in AES keys can be distinguished from other seemingly random blocks of data. This is how tools like aeskeyfind and bulk_extractor locate the keys in memory dumps, packet captures, etc. In most cases, extracting the keys from RAM is as easy as this:

$ ./aeskeyfind Win8SP0x86.raw
f12bffe602366806d453b3b290f89429
e6f5e6511496b3db550cc4a00a4bdb1b
4d81111573a789169fce790f4f13a7bd
a2cde593dd1023d89851049b8474b9a0
269493cfc103ee4ac7cb4dea937abb9b
4d81111573a789169fce790f4f13a7bd
4d81111573a789169fce790f4f13a7bd
269493cfc103ee4ac7cb4dea937abb9b
4d81111573a789169fce790f4f13a7bd
0f2eb916e673c76b359a932ef2b81a4b
7a9df9a5589f1d85fb2dfc62471764ef47d00f35890f1884d87c3a10d9eb5bf4
e786793c9da3574f63965803a909b8ef40b140b43be062850d5bb95d75273e41
Keyfind progress: 100%

Several keys were identified, but only the final two are 256 bits long (the others are 128-bit keys). Thus, you can bet that by combining the two 256-bit keys, you'll have your 512-bit master AES key. That's all pretty straightforward and has been documented in quite a few places - one of my favorites being Michael Weissbacher's blog.
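Why AES keys stand out in memory, as an added example that is not part of the original post and not aeskeyfind's code: an implementation keeps the expanded key schedule next to the key, and the schedule is a fixed function of the key, so a scanner can test every offset for that relation. This sketch does an exact-match scan for AES-256 schedules over a constructed buffer that embeds the two 256-bit keys from the output above, then lists both possible orderings of the 64-byte XTS master key; the function names and the buffer layout are assumptions made for the demonstration.

```python
import itertools
import random

# The two 256-bit keys from the aeskeyfind output quoted on this page.
KEY_A = bytes.fromhex("7a9df9a5589f1d85fb2dfc62471764ef"
                      "47d00f35890f1884d87c3a10d9eb5bf4")
KEY_B = bytes.fromhex("e786793c9da3574f63965803a909b8ef"
                      "40b140b43be062850d5bb95d75273e41")
SCHEDULE_LEN = 240  # AES-256: 15 round keys of 16 bytes each


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """AES S-box: field inverse followed by the affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = build_sbox()


def expand_key_256(key):
    """FIPS-197 key expansion for a 32-byte key; returns 240 bytes."""
    w = [key[i:i + 4] for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord + SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = gf_mul(rcon, 2)
        elif i % 8 == 4:
            t = bytes(SBOX[b] for b in t)              # SubWord only
        w.append(bytes(x ^ y for x, y in zip(w[i - 8], t)))
    return b"".join(w)


def find_aes256_keys(image):
    """Return (offset, key) wherever 240 bytes form a valid schedule."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 32]
        if image[off:off + SCHEDULE_LEN] == expand_key_256(key):
            hits.append((off, key))
    return hits


def xts_candidates(keys):
    """Ordered pairs of distinct keys, each concatenated to 64 bytes."""
    unique = list(dict.fromkeys(keys))  # the same key often appears twice
    return [a + b for a, b in itertools.permutations(unique, 2)]


def build_sample_image():
    """Constructed 4 KiB buffer, not a real memory dump."""
    rng = random.Random(2013)
    img = bytearray(rng.getrandbits(8) for _ in range(4096))
    img[0x200:0x200 + SCHEDULE_LEN] = expand_key_256(KEY_A)
    img[0x900:0x900 + SCHEDULE_LEN] = expand_key_256(KEY_B)
    # 32 key-sized bytes with no AES schedule after them: the scan misses it.
    img[0xE00:0xE20] = bytes(range(32))
    return bytes(img)


if __name__ == "__main__":
    found = find_aes256_keys(build_sample_image())
    for off, key in found:
        print(f"0x{off:04x}  {key.hex()}")
    for cand in xts_candidates([k for _, k in found]):
        print("XTS candidate:", cand.hex())
```

The scan alone does not say which key is primary and which is secondary, which is why both orderings are returned as candidates.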

The problem is - what if suspects change the default AES encryption scheme? TrueCrypt also supports Twofish, Serpent, and combinations thereof (AES-Twofish, AES-Twofish-Serpent). Furthermore, it supports modes other than XTS, such as LRW, CBC, outer CBC, and inner CBC (though many of the CBCs are either deprecated or not recommended).

What do you do if a suspect uses non-default encryption schemes or modes? You can't find Twofish or Serpent keys with tools designed to scan for AES keys -- that just doesn't work. As pointed out by one of our Twitter followers (@brnocrist), a tool by Carsten Maartmann-Moe named Interrogate could be of use here (as could several commercial implementations from Elcomsoft or Passware).

Another challenge that investigators face, in the case of file-based containers, is figuring out which file on the suspect's hard disk serves as the container. If you don't know that, then having the master keys is only as useful as finding the key to a house but having no idea where the house is.

To address these issues, I wrote several new Volatility plugins. The truecryptsummary plugin gives you a detailed description of all TrueCrypt related artifacts in a given memory dump. Here's how it appears on a test system running 64-bit Windows 2012.

$ python vol.py -f WIN-QBTA4959AO9.raw --profile=Win2012SP0x64 truecryptsummary
Volatility Foundation Volatility Framework 2.3.1 (T)

Process TrueCrypt.exe at 0xfffffa801af43980 pid 2096
Kernel Module truecrypt.sys at 0xfffff88009200000 - 0xfffff88009241000
Symbolic Link Volume{52b24c47-eb79-11e2-93eb-000c29e29398} -> \Device\TrueCryptVolumeZ mounted 2013-10-11 03:51:08 UTC+0000
Symbolic Link Volume{52b24c50-eb79-11e2-93eb-000c29e29398} -> \Device\TrueCryptVolumeR mounted 2013-10-11 03:55:13 UTC+0000
File Object \Device\TrueCryptVolumeR\$Directory at 0x7c2f7070
File Object \Device\TrueCryptVolumeR\$LogFile at 0x7c39d750
File Object \Device\TrueCryptVolumeR\$MftMirr at 0x7c67cd40
File Object \Device\TrueCryptVolumeR\$Mft at 0x7cf05230
File Object \Device\TrueCryptVolumeR\$Directory at 0x7cf50330
File Object \Device\TrueCryptVolumeR\$BitMap at 0x7cfa7a00
File Object \Device\TrueCryptVolumeR\Chats\Logs\bertha.xml at 0x7cdf4a00
Driver \Driver\truecrypt at 0x7c9c0530 range 0xfffff88009200000 - 0xfffff88009241000
Device TrueCryptVolumeR at 0xfffffa801b4be080 type FILE_DEVICE_DISK
Container Path: \Device\Harddisk1\Partition1
Device TrueCrypt at 0xfffffa801ae3f500 type FILE_DEVICE_UNKNOWN

Among other things, you can see that the TrueCrypt volume was mounted on the suspect system on October 11th 2013. Furthermore, the path to the container is \Device\Harddisk1\Partition1, because in this case, the container was an entire partition (a USB thumb drive). If we were dealing with a file-based container as previously mentioned, the output would show the full path on disk to the file.

Perhaps even more exciting than all that is the fact that, despite the partition being fully encrypted, once it's mounted, any files accessed on the volume become cached by the Windows Cache Manager per normal -- which means the dumpfiles plugin can help you recover them in plain text. Yes, this includes the $Mft, $MftMirr, $Directory, and other NTFS metadata files, which are decrypted immediately when mounting the volume. In fact, even if values that lead us to the master keys are swapped to disk, or if TrueCrypt (or other disk encryption suites like PGP or BitLocker) begins using algorithms without predictable/detectable keys, you can still recover all or part of any files accessed while the volume was mounted based on the fact that the Windows OS itself will cache the file contents (remember, the encryption is transparent to the OS, so it caches files from encrypted volumes in the same way as it always does).

After running a plugin such as truecryptsummary, you should have no doubts as to whether TrueCrypt was installed and in use, and which files or partitions are your targets. You can then run the truecryptmaster plugin which performs nothing short of magic.

$ python vol.py -f WIN-QBTA4.raw --profile=Win2012SP0x64 truecryptmaster -D .
Volatility Foundation Volatility Framework 2.3.1 (T)

Container: \Device\Harddisk1\Partition1
Hidden Volume: No
Read Only: No
Disk Length: 7743733760 (bytes)
Host Length: 7743995904 (bytes)
Encryption Algorithm: SERPENT
Mode: XTS
Master Key
0xfffffa8018eb71a8 bbe1dc7a8e87e9f1f7eef37e6bb30a25 ...z.......~k..%
0xfffffa8018eb71b8 90b8948fefee425e5105054e3258b1a7 ......B^Q..N2X..
0xfffffa8018eb71c8 a76c5e96d67892335008a8c60d09fb69 .l^..x.3P......i
0xfffffa8018eb71d8 efb0b5fc759d44ec8c057fbc94ec3cc9 ....u.D.......<.
