Detecting Truecrypt Volume in EnCase

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Fri Jan 25, 2013 3:01 am

Just to point out the obvious - TrueCrypt volumes can have the ".tc" extension, so check for that in the first instance. Low hanging fruit, etc.  

Chris_Ed
Senior Member
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Fri Jan 25, 2013 5:13 am

iDan,

Since you're using EnCase, you may want to try 2 EnScripts created by Simon Key (Guidance Software):

1) TrueCrypt File Locator v3.1 - This script is designed to locate TrueCrypt container files in circumstances where one or more such files are believed to exist, and one or more likely passwords are known, but the location of the file(s) themselves cannot be determined.
support.guidancesoftwa...ile&id=964

2) Encrypted Data Finder v2.4 - This EnScript tries to identify encrypted data on the basis that such data is usually highly random in nature.
support.guidancesoftwa...ile&id=873

You may also try to calculate the entropy for each file on the image. If the normalized entropy (reduced to the 0.0..1.0 range) is close to 1.0 then it's either an encrypted file (regardless of the type of encryption), a compressed file (you can easily check if that's the case, e.g. by signature analysis) or something like a /dev/random dump. You may skip all files with entropy far below 1.0, as it's very likely that such files are not encrypted.

Good luck!

Greg  

gmkk
Member
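As an added illustration of the entropy triage Greg describes (example code written for this page, not an EnScript and not any poster's tool), the following computes the normalized Shannon entropy of a file's bytes and tries to explain a high score by a compressed-format signature before reporting it as unexplained. The sample inputs are constructed, and the 0.95 threshold is an assumed triage cut-off.

```python
import gzip
import math
import random
from collections import Counter

# Constructed sample inputs (not from the thread): word-salad text, that text
# gzip-compressed, and seeded pseudo-random bytes standing in for ciphertext.
_rng = random.Random(7)
_WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
          "hotel", "india", "juliet", "kilo", "lima", "mike", "november"]
TEXT = " ".join(_rng.choice(_WORDS) for _ in range(12000)).encode()
COMPRESSED = gzip.compress(TEXT)
RANDOM = _rng.randbytes(64 * 1024)

# Magic numbers of common compressed formats: a high-entropy file that starts
# with one of these is compressed, which explains the score without encryption.
COMPRESSED_SIGNATURES = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram divided by 8, so 0.0..1.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) / 8.0

def compressed_signature(data: bytes):
    """Name of the compressed format whose magic the data starts with, else None."""
    for magic, name in COMPRESSED_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def classify(data: bytes, threshold: float = 0.95) -> str:
    """Triage verdict: skip low entropy, explain high entropy by a known
    compressed signature, otherwise flag the file for a closer look."""
    if normalized_entropy(data) < threshold:
        return "low-entropy"
    sig = compressed_signature(data)
    return f"compressed:{sig}" if sig else "high-entropy-unexplained"

if __name__ == "__main__":
    for name, blob in (("text", TEXT), ("gzip", COMPRESSED), ("random", RANDOM)):
        print(f"{name:7s} H={normalized_entropy(blob):.3f}  {classify(blob)}")
```

On a real image you would feed each exported file's bytes (or its first few megabytes) to classify() and review only the unexplained high-entropy hits.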
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Fri Jan 25, 2013 5:46 am

Thank you all for your replies.

I'm unable to download those EnScripts because I am using EnCase with a university licence, so I don't have access to the Guidance Software forum.

It's a Windows XP OS. I found TrueCrypt setup files in unallocated space, which has led me to believe there is a TrueCrypt volume of some sort.  

iDan
Newbie
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Sun Jan 27, 2013 3:30 pm

Here is the easy way: recursive file listing, look for the biggest files. Those are most likely encrypted containers! =) I find it to really be that easy in most cases. When you think about it, it's not very practical to have a 5MB container, so containers tend to have large file sizes.

Also, look for files where the created and modified dates are the same that fit into the above pattern. In my testing, the last modified date time will NOT be modified as a TC container is used. Your mileage may vary.

There's no way to definitively KNOW it's a TC container, or if they are using a hidden container inside, without the keys.

From there you have to look at things like the registry, TC config file, lnk files, etc. to show what is going in and out of a TC.

As others have mentioned, if the TC container is on an external drive, things like the registry, lnk files etc. become even more important.

I just did a big case where it was all TC related.

You may also want to look at 3rd party $logfile parsers (assuming you are seeing NTFS) as it can show a TON of info related to files being moved, renamed, etc. which may point to things going into a TC volume. I've had great luck with ANJP by David Cohen and crew.

Look for a file called configuration.xml as that's what TC uses to remember settings. It looks like this:

<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
<configuration>
<config key="OpenExplorerWindowAfterMount">0</config>
<config key="UseDifferentTrayIconIfVolumesMounted">1</config>
<config key="SaveVolumeHistory">0</config>

and so on.

The most useful entry (IMO) is:

<config key="LastSelectedDrive">R:</config>

and the meaning should be obvious. With that info, the lnk file and registry stuff becomes a lot more clear.

Since it's XP, did you check restore points for more data that can point to TC?  

EricZimmerman
Senior Member
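Example code added for this page (not Eric's tooling and not an EnScript) that mechanizes the two heuristics in this post together with Chris_Ed's .tc check above: keep the largest files, prefer those whose created and modified timestamps are identical or that carry the .tc extension, and pull LastSelectedDrive and the other keys out of configuration.xml. The file records and the drive letter are constructed sample data; min_size and top are assumed triage knobs.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Constructed configuration.xml using the key names quoted in the post;
# the values, including the drive letter, are sample data.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
<configuration>
<config key="OpenExplorerWindowAfterMount">0</config>
<config key="SaveVolumeHistory">0</config>
<config key="LastSelectedDrive">R:</config>
</configuration>
</TrueCrypt>"""

def parse_truecrypt_config(xml_bytes: bytes) -> dict:
    """Return {key: value} for every <config> element in a configuration.xml."""
    root = ET.fromstring(xml_bytes)
    return {c.get("key"): (c.text or "").strip() for c in root.iter("config") if c.get("key")}

@dataclass
class FileRecord:
    path: str
    size: int           # bytes
    created: datetime   # created / last-modified as exported from the file listing
    modified: datetime

# Constructed file listing standing in for a recursive EnCase export.
SAMPLE_RECORDS = [
    FileRecord("C:/Users/x/Music/track07.mp3", 2 * 1024**3, datetime(2012, 5, 1, 9), datetime(2012, 5, 1, 9)),
    FileRecord("C:/Users/x/Videos/holiday.avi", 4 * 1024**3, datetime(2011, 8, 3), datetime(2012, 2, 10)),
    FileRecord("C:/Users/x/Documents/notes.txt", 12 * 1024, datetime(2012, 1, 1), datetime(2012, 6, 1)),
    FileRecord("D:/backup/vault.tc", 500 * 1024**2, datetime(2012, 3, 3), datetime(2012, 4, 4)),
]

def rank_container_candidates(records, min_size=100 * 1024**2, top=10):
    """Largest files first, then apply the post's flags. Returns
    (path, size, flags) tuples, most suspicious first."""
    big = sorted((r for r in records if r.size >= min_size), key=lambda r: r.size, reverse=True)[:top]
    scored = []
    for r in big:
        flags = []
        if r.created == r.modified:
            flags.append("created==modified")
        if r.path.lower().endswith(".tc"):
            flags.append(".tc extension")
        scored.append((r.path, r.size, flags))
    # more flags outrank fewer; equal flag counts fall back to size
    return sorted(scored, key=lambda t: (-len(t[2]), -t[1]))
```

Call rank_container_candidates(SAMPLE_RECORDS) and parse_truecrypt_config(SAMPLE_CONFIG) to see the ranked list and the recovered drive letter; the flags only prioritise review and, as the post says, do not prove a file is a container.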
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Sun Jan 27, 2013 3:47 pm

Just for reference purposes concerning TrueCrypt, I have referred to TCHunt in the Directory of data recovery tools being compiled at my blog www.trewmte.blogspot.c...ools.html. The entries are NOT for advertising purposes, as I do not accept paid advertising on my blog or click advertising, but to generate information for practitioners. I have nearly completed all weblinks, which should be finalised fairly soon.

If anyone thinks there is a tool missing from the list then please let me know. Thanks.
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup 

trewmte
Senior Member
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Sun Jan 27, 2013 9:18 pm

Thank you for all your replies.

I was able to find an abnormally large .mp3 file which turned out to be a TrueCrypt container. I used the same password used for the system password to decrypt the volume.  

iDan
Newbie
 
 
  

Re: Detecting Truecrypt Volume in EnCase

Post Posted: Sun Jan 27, 2013 10:28 pm

BOOM! Works every time! =)  

EricZimmerman
Senior Member
 
 