
Finding hidden encrypted files

(@armstrong)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

Hi, does anyone here have any tips on how to find an encrypted file that's been hidden?

I'm not great with computers and I've been told to look for 'padding' and to look into truecrypt hidden volumes but I didn't really understand the truecrypt site that well and I'm not sure how to identify padding or what exactly it is. Any help would be appreciated.


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

There are lots of places and methods to hide files. Enough that whole books could be written on the topic.

If you aren't great with computers, then it is time to call in a professional.


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

Is this as a student assignment, or part of your work or are you from a Law enforcement agency?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I always thought that an "essential" part of the whole truecrypt thingy was "plausible deniability" with hidden volumes
http://www.truecrypt.org/docs/plausible-deniability
http://www.truecrypt.org/docs/hidden-volume

I.e. the idea (at least in theory) is that a truecrypt volume is made of seemingly random bytes, no matter if it does contain an inner hidden volume or not.

Maybe with more info we can give a hint, if it's a "student" question, maybe there is a "simple" solution.

jaclaz


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

I.e. the idea (at least in theory) is that a truecrypt volume is made of seemingly random bytes, no matter if it does contain an inner hidden volume or not.

jaclaz

Actually the randomness makes it easier to identify as most files do not have completely random bytes. There are tools which make use of this to identify encrypted files.

The plausible deniability I thought came round due to the hidden volume having two passwords and the normal volume password could be given with the hidden volume remaining hidden. I know some research was done into identifying this using different versions of the encrypted volume from shadow copies.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Actually the randomness makes it easier to identify as most files do not have completely random bytes. There are tools which make use of this to identify encrypted files.
The plausible deniability I thought came round due to the hidden volume having two passwords and the normal volume password could be given with the hidden volume remaining hidden.

Yep, but in the specific example (hidden volume inside Truecrypt container), when you create a Truecrypt container it is filled by "seemingly random" bytes anyway.
When you create the hidden volume in it, it will also contain "seemingly random" bytes.
No way "at first sight" (and not even at a second one) to determine if the hidden volume exists or not, but the idea is obviously that of being able to stop the guy with the $5 wrench 😯 (http://www.forensicfocus.com/Forums/viewtopic/p=6567638/#6567638) from hitting you.

I know some research was done into identifying this using different versions of the encrypted volume from shadow copies.

Sure, but we need to have some more details of the actual situation of the OP, I am pretty sure that *everything* can be found, given enough time and the appropriate method, but there may be specific "simpler" solutions.

jaclaz


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

Fair point, at a glance it is pretty hard to do anything.

I like the $5 wrench idea, though you could just keep hitting him with it until he admits there is a second volume and if there isn't, you'd already bought the wrench anyways, so nothing lost )


   
(@armstrong)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

Ok for more info about the situation, basically, a close friend of mine is pretty great with computers. He's hidden a file and bet that I couldn't find it because "the most I could do was right click", he doubts anyone I ask will be able to help, and since I "wouldn't know what to google" I probably couldn't figure it out using the internet.

Tbh I thought all he'd done was make it "hidden" you know? So I thought just selecting "show hidden folders" would be enough to find it. But apparently it's encrypted and hidden pretty well.

He ended up giving me a couple of folders (so I stopped going on his computer every chance I got) and it's somewhere inside them. Some folders contain more folders and there are different kinds of files within them including text files, pictures, a zipped folder, and html files. There's not really *that* much to go through so if you have a "do this thing to every file" method I'll probably use it, regardless of how tedious it is.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I would then exclude filesystem level tricks.

The word that you "wouldn't know to google for" 😯 is most likely "steganography".

jaclaz


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

armstrong,

If the "bet [is] that [you] couldn't find it […] using the internet", may I suggest you zip up the file and make it available to us?

The "using the internet" does not preclude letting others play with it - as long as it is through the Internet.

What is the prize that you win? At least if we win it for you, we can gloat about it.

Can we have the betting party's first name? Say "Bob" - and this could be the "Bob Challenge"?


   