Anyone got a bot to find deleted truecrypt container header?
jaclaz - Senior Member
Re: Anyone got a bot to find deleted truecrypt container hea
- 4144414D
It's a bit rough as I put it together on the train but this guide along with some sample data should help you understand how to use hunt.
github.com/4144414D/py...es/hunt.md
Very nice, though, if I may, there is a "main" link missing:

By looking for sections of continuous high entropy we can target the likely locations of TrueCrypt headers. By checking the sectors around 27701 and 48476 we are able to check a small number of sectors as every check will take some time, particularly on VeraCrypt headers.
How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?
That is "Shannon" Entropy, right?
Something *like* entropie?
github.com/dupgit/entropie
with -b 512

or
deadhacker.com/2007/05...ary-files/
or binwalk?
github.com/ReFirmLabs/...wiki/Usage
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
4144414D - Member
Re: Anyone got a bot to find deleted truecrypt container hea
- jaclaz
How (with what tool) is user going to calculate the entropy and get the example diagram (so that he/she can identify likely targets)?
Ah, that section is just explaining what is happening. You don't need to do any identification yourself the script takes care of all of that for you. It does the entropy calculations and finds the likely places for headers itself. I'll add some words to explain that a little better.
- jaclaz
That is "Shannon" Entropy, right?
Yup. Again I'll add that when I get a moment.
- jaclaz
Something *like* entropie?
github.com/dupgit/entropie
with -b 512
or
deadhacker.com/2007/05...ary-files/
or binwalk?
github.com/ReFirmLabs/...wiki/Usage
Yes, binwalk is an amazing tool. Truly fantastic.
My personal favourite for visualising entropy is PortEx (https://github.com/katjahahn/PortEx) it's designed for executables but it'll make a nice diagram of basically anything.
Example image from the GitHub here: camo.githubusercontent...4f2e706e67
-
jaclaz - Senior Member
Re: Anyone got a bot to find deleted truecrypt container hea
Thanks 
That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
4144414D - Member
Re: Anyone got a bot to find deleted truecrypt container hea
- jaclaz
That is clear now, still if you could describe how exactly you managed to create the graphic, it would be useful (notwithstanding the built-in autodetect capabilities of your nice script).
Added those comments now, thank you. If you have any other comments or corrections let me know. You can even do a pull request if you are feeling adventurous, although that is a lot of effort. I was thinking of linking to an existing tutorial about calculating and visualising the entropy if you happen to know of a good existing one?
I've not written the guide for this one but if you fancy a challenge here's the next image. It is a FAT volume that once contained a container, it was reformatted FAT, and a number of pictures copied on to it. This overwrote the header at the start of the container. The password is 'password' again.
raw.githubusercontent....ample2.zip
I need to make pytruecrypt a pip package so it's easier to install though.
-
loonaluna - Member
Re: Anyone got a bot to find deleted truecrypt container hea
Hey thanks for your tutorials. I've installed it all and got it running and it does exactly what it shows in the tutorial, with your example file. I have a chunk of material I need to look into though, so high and low entropy is not an option for me, so I think I need to do a brute force instead of a chain. I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector (or hex kb of this sector or whatever it's called), until I cover the entirety of the free space that I suspect is involved here. Do I do this with dump.py instead of python.py, and if so how?
-
4144414D - Member
Re: Anyone got a bot to find deleted truecrypt container hea
- loonaluna
I know how to extract this chunk into a smaller file, but I'll still have to do a brute force of each sector.
If you can extract this space into a smaller file you can still run hunt.py against it to find, hopefully, your missing TrueCrypt header. If you do what jaclaz suggested in one of your other threads and extract a few gb around where the sections of unallocated space are.
This thread: www.forensicfocus.com/...c/start=7/
The high/low entropy all happens without any effort from you and it's what I would run first for sure. It'll work on sections of the image just as well as the whole image.
You can try the brute force option but it will be extremely slow. Try it on that 30mb test file first and you'll see how slow it is.
You can just run hunt.py against the whole 2TB image, but I feel like it may crash as it's currently holding all the entropy information in memory. The entropy calculations will take an age too.
Given that you think your missing containers are well over 2GB the hunt.py command would be:
hunt.py <your image> <your password> --chain=4000000
EDIT: Also a quick note, if your password has a space in it this won't work. I'll need to update the script.
-
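The per-sector entropy scan quoted from the guide above and the --chain run-length filter discussed in the reply, written out as an added example (not the pytruecrypt project's code and not hunt.py): Shannon entropy is computed for every 512-byte sector, and runs of at least `chain` consecutive high-entropy sectors are reported as candidate container locations, which is also one way to produce the entropy diagram jaclaz asked about. The 7.0 bits-per-byte threshold and the constructed sample image are assumptions, not values from the thread.

```python
import math
import hashlib
from collections import Counter

SECTOR = 512  # containers and their headers are sector-aligned, so score one sector at a time

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for a perfectly flat one."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def sector_entropies(image: bytes, sector: int = SECTOR) -> list:
    """One entropy value per sector, in on-disk order (plot these to get the diagram)."""
    return [shannon_entropy(image[i:i + sector]) for i in range(0, len(image), sector)]

def high_entropy_chains(entropies, chain, threshold=7.0):
    """(start_sector, length) for every run of >= chain consecutive sectors above threshold.
    Compressed media looks as random as ciphertext, so the chain length is what separates
    a stray JPEG from a container-sized run. threshold=7.0 is an assumed tuning value."""
    runs, start = [], None
    for idx, e in enumerate(entropies + [0.0]):  # sentinel closes a trailing run
        if e >= threshold:
            if start is None:
                start = idx
        elif start is not None:
            if idx - start >= chain:
                runs.append((start, idx - start))
            start = None
    return runs

def build_sample_image() -> bytes:
    """Constructed test image, not real evidence: 100 zero sectors, 300 sectors of
    deterministic pseudo-random bytes (chained SHA-256) standing in for an encrypted
    container, then 100 sectors of repetitive text."""
    rand = bytearray()
    seed = b"constructed-sample"
    while len(rand) < 300 * SECTOR:
        seed = hashlib.sha256(seed).digest()
        rand += seed
    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:SECTOR] * 100
    return bytes(SECTOR * 100) + bytes(rand[:300 * SECTOR]) + text

if __name__ == "__main__":
    ents = sector_entropies(build_sample_image())
    for start, length in high_entropy_chains(ents, chain=256):
        print(f"candidate container at sector {start}, run of {length} sectors")
```

With chain=256 the sample reports one run starting at sector 100; raising chain above the run length, as the reply suggests for multi-GB containers, drops it, which is why a test container smaller than the chain value produces nothing.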
loonaluna - Member
Re: Anyone got a bot to find deleted truecrypt container hea
Ah ok I misread the chain concept as something that differentiated suspiciously obscure space typical of truecrypt from typically boring text files with little entropy. That's why I put a test container I made through the same script, didn't get much of anything at all, and thought I needed a brute instead. But of course I hadn't changed chain=256 to chain=4 million, so that's why the headers didn't show up probably. By the way, what is the reason why chain=4000000 when the file is 2GB?