
Detecting Truecrypt Volume in EnCase

14 Posts
10 Users
0 Likes
2,521 Views
 iDan
(@idan)
Posts: 8
Active Member
Topic starter
 

I've been given a university assignment to extract a series of .jpg files from an image. We have been told there is a Truecrypt hidden somewhere on the image.

I'm fairly new to EnCase 6 and I was wondering if somebody could point in the right direction.

Thanks thanks,
iDan

 
Posted : 24/01/2013 9:46 pm
(@twjolson)
Posts: 417
Honorable Member
 

What have you tried?

The forums aren't really here to do your homework for you, so if you want help you are going to have to give us more info than that.

 
Posted : 24/01/2013 10:19 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm fairly new to EnCase 6…

I can help you quite easily, but the instructions won't have anything to do with EnCase…so it might not be that easy for you.

 
Posted : 24/01/2013 10:47 pm
 jhup
(@jhup)
Posts: 1442
Noble Member
 

Entropy, file length, sector boundary

 
Posted : 25/01/2013 3:02 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

…or check the Registry for access to an encrypted volume, map that to the user and date/time, and then compare that to documents/files opened…

 
Posted : 25/01/2013 3:04 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

You also need to consider if it is a Truecrypt file within the file system, or a volume outside of visible file systems.
For example do the visible partitions on the disk actually fill up the disk?

Another technique is to check file signatures for all the files on the disk. For example you might find a file with the file name xxxxx.jpg, but the internals of the file aren't a JPG at all.

As per keydet89's comment, I don't know how to do this in EnCase as I don't use EnCase.

 
Posted : 25/01/2013 3:22 am
(@section2600)
Posts: 2
New Member
 

I've been given a university assignment to extract a series of .jpg files from an image. We have been told there is a Truecrypt hidden somewhere on the image.

What OS is the image file? Knowing this will help in looking for information about Truecrypt.

 
Posted : 25/01/2013 3:59 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Just to point out the obvious - TrueCrypt volumes can have the ".tc" extension, so check for that in the first instance. Low hanging fruit, etc.

 
Posted : 25/01/2013 1:01 pm
 gmkk
(@gmkk)
Posts: 13
Active Member
 

iDan,

Since you're using EnCase, you may want to try 2 EnScripts created by Simon Key (Guidance Software)

1) TrueCrypt File Locator v3.1 - This script is designed to locate TrueCrypt container files in circumstances where one or more such files are believed to exist, and one or more likely passwords are known, but the location of the file(s) themselves cannot be determined.
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=964

2) Encrypted Data Finder v2.4 - This EnScript tries to identify encrypted data on the basis that such data is usually highly random in nature.
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=873

You may also try to calculate the entropy for each file on the image. If the normalized entropy (reduced to the 0.0..1.0 range) is close to 1.0 then it's either an encrypted file (regardless of the type of encryption), a compressed file (you can easily check if that's the case, e.g. by signature analysis) or something like a /dev/random dump. You may skip all files with entropy far below 1.0, as it's very likely that such files are not encrypted.

Good luck!

Greg

 
Posted : 25/01/2013 3:13 pm
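Passmark's signature check, Greg's entropy idea and jhup's sector-boundary hint combined into one triage script, as an added example that is not from the thread and not an EnScript. It assumes the candidate files have already been exported from the image and sit on disk; the magic-number table, the 0.95 threshold and the sample bytes are my own constructions.

```python
import math
import os
from collections import Counter

# Assumed magic-number table for a handful of common extensions.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
}

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram scaled to 0.0..1.0 (8 bits = 1.0)."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return bits / 8.0

def signature_matches(name: str, data: bytes):
    """True/False when the extension is in the table, None when it is unknown."""
    magics = SIGNATURES.get(os.path.splitext(name)[1].lower())
    if magics is None:
        return None
    return any(data.startswith(m) for m in magics)

def triage(name: str, data: bytes, threshold: float = 0.95) -> dict:
    """Flag a file as a possible container: near-random bytes, no valid
    signature for its extension, and a size that is a whole number of
    512-byte sectors (TrueCrypt volumes are sector multiples)."""
    ent = normalized_entropy(data)
    sig = signature_matches(name, data)
    aligned = len(data) > 0 and len(data) % 512 == 0
    return {"name": name, "entropy": round(ent, 3), "signature_ok": sig,
            "sector_aligned": aligned,
            "suspect": ent >= threshold and sig is not True and aligned}

# Constructed samples, not real evidence: a JPEG-like stub padded with zeros,
# and a 1 KiB blob whose bytes are evenly distributed (maximum entropy).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 1020,
    "notes.jpg": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

A real container with a valid-looking JPEG header prepended would pass the signature check, so the entropy of the body beyond the header is worth checking separately when the first pass finds nothing.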
 iDan
(@idan)
Posts: 8
Active Member
Topic starter
 

Thank you all for your replies.

I'm unable to download those EnScripts because I am using EnCase with a university license, so I don't have access to the Guidance Software forum.

It's a Windows XP OS. I found Truecrypt setup files in unallocated space, which has led me to believe there is a Truecrypt volume of some sort.

 
Posted : 25/01/2013 3:46 pm