Encrypted Volume  

workneverends
(@workneverends)
Junior Member

I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. How do I get the volume into EnCase to hash the pictures in there and work within this volume in EnCase?

Thanks for all who provide input.

Posted : 15/05/2009 12:34 am
schlecht
(@schlecht)
Junior Member

I would copy the files from the TrueCrypt volume, import them into EnCase and hash them... all while keeping a copious log detailing/showing what and why you were doing it.

Posted : 15/05/2009 12:52 am
markg43
(@markg43)
Member

This post assumes that when you open the volume with TrueCrypt, it mounts on the OS as a Windows drive letter. You did not specify.

Use EnCase or FTK Imager, load the LOGICAL volume (drive letter) as the source input.

Now image that logical volume to an image file, dd or E01.

Work EnCase from there.

Mark

Posted : 15/05/2009 1:34 am
watcher
(@watcher)
Member

"I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. …"

Don't forget that TrueCrypt supports a hidden volume such that a different password gives completely different content.

One would assume that a fake secondary volume would not contain incriminating files.

Posted : 16/05/2009 2:44 am
jim123
(@jim123)
New Member

I concur with the above reply. TrueCrypt needs two passwords. If I was your man I would give one password to some dodgy files (half lie as a deception) whereas the second password is the one you want.

Hope this is of some help?

Posted : 17/05/2009 12:37 pm
kovar
(@kovar)
Senior Member

Greetings,

TrueCrypt only needs one password per volume. However, you can create a hidden volume within a TrueCrypt volume. The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so:

http://www.forensicinnovations.com/blog/?p=7

-David

Posted : 17/05/2009 8:53 pm
thefuf
(@thefuf)
Active Member

"The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so"

This tool detects files that contain "random" data (= encrypted headerless data); it cannot detect hidden volumes since they are created in the free space of the outer volume.

From TC doc:

"free space on any TrueCrypt volume is always filled with random data when the volume is created"

So, every TC container has "random" data in unallocated space.

Posted : 17/05/2009 10:26 pm
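
The point made in the post above, as an added example that is not part of the original thread and not taken from the linked tool: a block-by-block entropy scan flags every part of a container as random, whether or not a hidden volume sits in its free space. The SHA-256 counter-mode keystream is a constructed stand-in for TrueCrypt's random fill and ciphertext, and the block size, threshold and sample data are assumptions of this sketch.

```python
import hashlib
import math
from collections import Counter

BLOCK = 64 * 1024      # analysis window (assumption of this example)
THRESHOLD = 7.9        # bits per byte; above this a block "looks random"

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic stand-in for cipher output (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def random_looking_blocks(data: bytes) -> list:
    """One flag per BLOCK-sized window: True if it is statistically random."""
    return [entropy(data[i:i + BLOCK]) > THRESHOLD
            for i in range(0, len(data), BLOCK)]

def build_containers(blocks: int = 16):
    """Constructed samples: same-size containers without/with a hidden volume."""
    size = blocks * BLOCK
    # Outer volume only: free space was filled with random data at creation.
    plain = keystream(b"outer-fill", size)
    # Same container, but the last quarter holds a hidden volume's ciphertext.
    split = size * 3 // 4
    hidden = plain[:split] + keystream(b"hidden-volume", size - split)
    return plain, hidden

def scan():
    """Return per-block flags for both containers and an ordinary text file."""
    plain, hidden = build_containers()
    document = b"Chain of custody log entry. " * 4096   # constructed plain file
    return (random_looking_blocks(plain),
            random_looking_blocks(hidden),
            random_looking_blocks(document))

if __name__ == "__main__":
    names = ("no hidden volume", "hidden volume", "text file")
    for name, flags in zip(names, scan()):
        print(f"{name:17} random-looking blocks: {sum(flags)}/{len(flags)}")
```

Both containers produce identical flag lists, so a scan of this kind identifies a candidate encrypted container but says nothing about what is inside its free space.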
workneverends
(@workneverends)
Junior Member

You guys are right... there may be a hidden volume. But this criminal wasn't the brightest because there are enough incriminating images on this volume that he gave me the password to.

I still can't figure out how to get it into EnCase as a volume. I tried doing what MarkG said but EnCase is not letting me add that logical drive. Also I don't want to just import the pictures in there because I want the volume information and everything in EnCase so the defense can't argue I just imported in random pictures.

Anybody else know the best way to do this?

Posted : 18/05/2009 7:16 pm
CdtDelta
(@cdtdelta)
Active Member

So EnCase isn't allowing you to add it as a local device? Is it giving you an error when you try to add it? If the volume has been assigned a drive letter you should be able to add it to EnCase.

Tom

Posted : 18/05/2009 7:21 pm
thefuf
(@thefuf)
Active Member

Did you try FTK Imager?

Posted : 18/05/2009 7:22 pm