I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. How do I get the volume into EnCase to hash the pictures in there and work within this volume in EnCase?
Thanks for all who provide input.
I would copy the files from the TrueCrypt volume, import them into EnCase and hash them… all while keeping a copious log detailing/showing what and why you were doing it.
This post assumes that when you open the volume with TrueCrypt that it mounts on the OS as a Windows drive letter. You did not specify.
Use EnCase or FTK Imager, load the LOGICAL volume (drive letter) as the source input.
Now image that logical volume to an image file, dd or E01.
Work EnCase from there.
I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. …
Don't forget that TrueCrypt supports a hidden volume such that a different password gives completely different content.
One would assume that a fake secondary volume would not contain incriminating files.
I concur with the above reply. TrueCrypt needs two passwords. If I was your man I would give one password to some dodgy files (half lie as a deception) whereas the second password is the one you want.
Hope this is of some help?
TrueCrypt only needs one password per volume. However, you can create a hidden volume within a TrueCrypt volume. The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so
The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so
This tool detects files that contain "random" data (= encrypted headerless data), it cannot detect hidden volumes since they are created in the free space of the outer volume.
From TC doc
free space on any TrueCrypt volume is always filled with random data when the volume is created
So, every TC container has "random" data in unallocated space.
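The point made in the post above, as an added example that is not part of the original thread: a per-block entropy test marks random-filled free space and encrypted data identically, so it cannot single out a hidden volume. The 4 KiB block size, the 7.9 bits/byte threshold, the three-region layout and the SHA-256 keystream standing in for TrueCrypt's real cipher are all assumptions, and the sample data is constructed.

```python
import hashlib
import math
import os
from collections import Counter

BLOCK = 4096       # assumed analysis block size
THRESHOLD = 7.9    # assumed cut-off (bits per byte) for "looks random"

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode), NOT TrueCrypt's own encryption."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], pad))
    return bytes(out)

def build_regions() -> dict:
    """Constructed sample regions of an outer volume as seen after mounting."""
    text = b"constructed sample file content for the outer volume\n" * 400
    return {
        "allocated plaintext file": text[:4 * BLOCK],
        "free space (random fill)": os.urandom(4 * BLOCK),
        "hidden volume (encrypted)": keystream_encrypt(text[:4 * BLOCK],
                                                       b"constructed-key"),
    }

def looks_random(regions: dict) -> dict:
    """Map each region name to True when every block is at or above THRESHOLD."""
    verdict = {}
    for name, data in regions.items():
        blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        verdict[name] = all(entropy(b) >= THRESHOLD for b in blocks)
    return verdict

if __name__ == "__main__":
    for name, flagged in looks_random(build_regions()).items():
        print(f"{name:28s} high entropy: {flagged}")
```

Both the random fill and the encrypted region come out as high entropy, which is why a hit in unallocated space says nothing by itself about a second volume.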
You guys are right…there may be a hidden volume. But this criminal wasn't the brightest because there are enough incriminating images on this volume that he gave me the password to.
I still can't figure out how to get it into EnCase as a volume. I tried doing what MarkG said but EnCase is not letting me add that logical drive. Also I don't want to just import the pictures in there because I want the volume information and everything in EnCase so the defense can't argue I just imported in random pictures.
Anybody else know the best way to do this?
So EnCase isn't allowing you to add it as a local device? Is it giving you an error when you try to add it? If the volume has been assigned a drive letter you should be able to add it to EnCase.
Did you try FTK Imager?