Finding hidden encrypted files  

Page 1 / 2
armstrong
(@armstrong)
New Member

Hi, does anyone here have any tips on how to find an encrypted file that's been hidden?

I'm not great with computers and I've been told to look for 'padding' and to look into truecrypt hidden volumes but I didn't really understand the truecrypt site that well and I'm not sure how to identify padding or what exactly it is. Any help would be appreciated.

Posted : 23/06/2013 9:25 am
Passmark
(@passmark)
Active Member

There are lots of places and methods to hide files. Enough that whole books could be written on the topic.

If you aren't great with computers, then it is time to call in a professional.

Posted : 24/06/2013 11:06 am
minime2k9
(@minime2k9)
Active Member

Is this as a student assignment, or part of your work or are you from a Law enforcement agency?

Posted : 24/06/2013 12:50 pm
jaclaz
(@jaclaz)
Community Legend

I always thought that an "essential" part of the whole truecrypt thingy was "plausible deniability" with hidden volumes
http://www.truecrypt.org/docs/plausible-deniability
http://www.truecrypt.org/docs/hidden-volume

I.e. the idea (at least in theory) is that a truecrypt volume is made of seemingly random bytes, no matter if it does contain an inner hidden volume or not.

Maybe with more info we can give a hint, if it's a "student" question, maybe there is a "simple" solution.

jaclaz

Posted : 24/06/2013 4:08 pm
minime2k9
(@minime2k9)
Active Member

I.e. the idea (at least in theory) is that a truecrypt volume is made of seemingly random bytes, no matter if it does contain an inner hidden volume or not.

jaclaz

Actually the randomness makes it easier to identify as most files do not have completely random bytes. There are tools which make use of this to identify encrypted files.

The plausible deniability I thought came round due to the hidden volume having two passwords and the normal volume password could be given with the hidden volume remaining hidden. I know some research was done into identifying this using different versions of the encrypted volume from shadow copies.

Posted : 24/06/2013 4:45 pm
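An added example, not posted by anyone in this thread, of the entropy-based identification minime2k9 mentions: Shannon entropy in bits per byte, computed over a few constructed inputs (the vocabulary, sizes and the 7.9 threshold are assumptions). It also shows the caveat a practitioner wants before trusting such a tool: compressed data scores nearly as high as encrypted data, so a high score is a lead to chase, not proof of a container.

```python
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for
    a perfectly uniform one. Ciphertext sits very close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes, high: float = 7.9) -> str:
    """Coarse label from entropy alone (thresholds are assumptions).
    Compressed data and media also score high, so 'random-looking'
    is a candidate for a closer look, not a verdict."""
    h = shannon_entropy(data)
    if h >= high:
        return "random-looking (encrypted or compressed)"
    if h >= 6.0:
        return "dense (compressed, media, or mixed)"
    return "structured (text, code, sparse binary)"


def sample_inputs(seed: int = 1) -> dict:
    """Constructed sample data for the demo; none of it is real evidence."""
    rng = random.Random(seed)
    words = ["the", "volume", "hidden", "file", "wrench", "padding", "random"]
    text = " ".join(rng.choice(words) for _ in range(4000)).encode()
    return {
        "text": text,                          # plain English-like text
        "zip-like": zlib.compress(text, 9),    # same text, deflated
        "random": os.urandom(64 * 1024),       # stands in for ciphertext
        "zeros": bytes(64 * 1024),             # stands in for an empty image
    }


if __name__ == "__main__":
    for name, blob in sample_inputs().items():
        print(f"{name:9s} {shannon_entropy(blob):5.3f} bits/byte  {classify(blob)}")
```

Run it and the deflated text lands well above the plaintext, which is why a real triage pass excludes known compressed formats (zip, jpeg, png) by signature first and only then looks at what is left.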
jaclaz
(@jaclaz)
Community Legend

Actually the randomness makes it easier to identify as most files do not have completely random bytes. There are tools which make use of this to identify encrypted files.
The plausible deniability I thought came round due to the hidden volume having two passwords and the normal volume password could be given with the hidden volume remaining hidden.

Yep, but in the specific example (hidden volume inside Truecrypt container), when you create a Truecrypt container it is filled by "seemingly random" bytes anyway.
When you create the hidden volume in it, it will also contain "seemingly random" bytes.
No way "at first sight" (and not even at a second one) to determine if the hidden volume exists or not, but the idea is obviously that of being able to stop the guy with the $5 wrench 😯
(http://www.forensicfocus.com/Forums/viewtopic/p=6567638/#6567638)
from hitting you.

I know some research was done into identifying this using different versions of the encrypted volume from shadow copies.

Sure, but we need to have some more details of the actual situation of the OP. I am pretty sure that *everything* can be found, given enough time and the appropriate method, but there may be specific "simpler" solutions.

jaclaz

Posted : 24/06/2013 5:34 pm
minime2k9
(@minime2k9)
Active Member

Fair point, at a glance it is pretty hard to do anything.

I like the $5 wrench idea, though you could just keep hitting him with it until he admits there is a second volume and if there isn't, you'd already bought the wrench anyways, so nothing lost )

Posted : 24/06/2013 6:04 pm
armstrong
(@armstrong)
New Member

Ok, for more info about the situation: basically, a close friend of mine is pretty great with computers. He's hidden a file and bet that I couldn't find it because "the most I could do was right click". He doubts anyone I ask will be able to help, and since I "wouldn't know what to google" I probably couldn't figure it out using the internet.

Tbh I thought all he'd done was make it "hidden" you know? So I thought just selecting "show hidden folders" would be enough to find it. But apparently it's encrypted and hidden pretty well.

He ended up giving me a couple of folders (so I stopped going on his computer every chance I got) and it's somewhere inside them. Some folders contain more folders and there are different kinds of files within them, including text files, pictures, a zipped folder, and html files. There's not really *that* much to go through, so if you have a "do this thing to every file" method I'll probably use it, regardless of how tedious it is.

Posted : 24/06/2013 8:30 pm
jaclaz
(@jaclaz)
Community Legend

I would then exclude filesystem level tricks.

The word that you "wouldn't know to google for" 😯 is most likely "steganography".

jaclaz

Posted : 24/06/2013 8:49 pm
jhup
(@jhup)
Community Legend

armstrong,

If the "bet [is] that [you] couldn't find it […] using the internet", may I suggest you zip up the file and make it available to us?

The "using the internet" does not preclude letting others play with it - as long as it is through the Internet.

What is the prize that you win? At least if we win it for you, we can gloat about it.

Can we have the betting party's first name? Say "Bob" - and this could be the "Bob Challenge"?

Posted : 24/06/2013 9:54 pm
TuckerHST
(@tuckerhst)
Active Member

What is the prize that you win?

I hope it's a $5 wrench!

Posted : 25/06/2013 2:58 am
jhup
(@jhup)
Community Legend

Like this? Although, this one is $10.93.

Posted : 25/06/2013 6:53 pm
jaclaz
(@jaclaz)
Community Legend

Like this? Although, this one is $10.93.

Well, to be worth the time, I guess one of these (beryllium copper) would be more attractive:
http://www.ngkmetals.com/index.cfm/m/62/fuseaction/store6products.productDetail/productID/417/merchantId/0/departmentId/0/categoryId/1/Adjustable-End-Wrench

If you miss the head of the guy and hit (say) a metal scaffolding, you won't risk generating a spark and starting a fire.

Safety first. wink

jaclaz

Posted : 25/06/2013 7:01 pm
Bulldawg
(@bulldawg)
Active Member

Like this? Although, this one is $10.93.

That is a fancy wrench.

Any chance the file is just hidden and not encrypted at all?

In addition to viewing hidden files, you can set Explorer to show you system files.

Another way to find a hidden file is use FTK Imager (free) to view the filesystem. FTK Imager will let you see all the files that exist on the filesystem, including some that Windows Explorer will keep hidden from you.

If it is encrypted, one low-tech method for finding encrypted file containers (like TrueCrypt) is to look for files that are larger than they should be. A 2GB picture is very odd.

Posted : 25/06/2013 7:03 pm
chroberts39
(@chroberts39)
New Member

Quick and brutal would be file signature analysis, excluding the matches; then WinHex or 010 Editor (cheap and good) have histogram or entropy analysis. A TrueCrypt file has no signature and the entropy should be perfectly level (even spread of hex values).

With regards to the hidden container within TrueCrypt, provided you follow the advice given on their site, it has absolute plausible deniability. If you do find what you think may be a TrueCrypt container (you can create ones as small as 1KB), try and find a backup or one in SVI and perform a hash block analysis on both. This can at least give an indication of the size of the outer or hidden container and can nullify the defence of 'it is random data as part of disk wiping processes'.

If you suspect steganography, again pursue the backup/svi/MRU lists.

Otherwise, buy a wrench.

Happy hunting.

Posted : 27/06/2013 4:52 am
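An added example, not from chroberts39 or anyone else in the thread, that walks the first and last steps of the procedure above in code: signature analysis over a folder tree (flagging files with no recognised header and files whose extension claims a type the header does not match, which also catches Bulldawg's "picture that isn't a picture"), and a block-by-block hash comparison of two versions of a suspected container to see which region changed. The signature table, the sample tree and the two container snapshots are all constructed for the demo; the entropy step in between is left to a separate tool.

```python
import hashlib
import random
import tempfile
from pathlib import Path
from typing import Optional

# Assumed magic-byte table for the demo; real signature databases
# (libmagic, TrID) are far larger.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}
EXTENSION_TYPES = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip",
                   ".gif": "gif", ".pdf": "pdf", ".txt": "text",
                   ".html": "html", ".htm": "html"}


def identify(header: bytes) -> Optional[str]:
    """Name a file type from its first bytes, or None if nothing matches.
    A TrueCrypt container carries no signature, so it comes back None."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    low = header.lower()
    if b"<html" in low or b"<!doctype" in low:
        return "html"
    if header and all(b in b"\r\n\t" or 32 <= b < 127 for b in header):
        return "text"
    return None


def triage(root: Path, header_len: int = 512) -> dict:
    """Walk a folder tree. 'unknown' lists files with no recognised header;
    'mismatch' lists (path, type claimed by extension, type seen in header)."""
    unknown, mismatch = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as f:
            header_type = identify(f.read(header_len))
        rel = str(path.relative_to(root))
        if header_type is None:
            unknown.append(rel)
        claimed = EXTENSION_TYPES.get(path.suffix.lower())
        if claimed and claimed != header_type:
            mismatch.append((rel, claimed, header_type))
    return {"unknown": unknown, "mismatch": mismatch}


def changed_blocks(old: bytes, new: bytes, block_size: int = 512) -> list:
    """Hash two versions of the same file block by block (SHA-256) and return
    the indices of blocks that differ. The span of changed blocks shows how
    much of the 'random' file is actually being written to."""
    changed = []
    for offset in range(0, max(len(old), len(new)), block_size):
        a = hashlib.sha256(old[offset:offset + block_size]).digest()
        b = hashlib.sha256(new[offset:offset + block_size]).digest()
        if a != b:
            changed.append(offset // block_size)
    return changed


def demo() -> dict:
    """Constructed folder tree plus two snapshots of a fake container.
    Nothing here is real evidence."""
    rng = random.Random(7)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "readme.txt").write_bytes(b"just some text\n")
        (root / "index.html").write_bytes(b"<!DOCTYPE html><html></html>")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(100))
        (root / "archive.zip").write_bytes(b"PK\x03\x04" + bytes(100))
        # A 'picture' that is really 4 KiB of random bytes: no signature.
        (root / "holiday.png").write_bytes(rng.randbytes(4096))
        result = triage(root)

    # 64 KiB container; the second snapshot has 16 KiB rewritten near the
    # end, as a write into a hidden volume would do (TrueCrypt keeps the
    # hidden volume in the tail of the outer volume).
    old = rng.randbytes(64 * 1024)
    new = bytearray(old)
    start = 40 * 1024
    new[start:start + 16 * 1024] = rng.randbytes(16 * 1024)
    result["changed_blocks"] = changed_blocks(old, bytes(new))
    return result


if __name__ == "__main__":
    r = demo()
    print("no signature:", r["unknown"])
    print("ext/header mismatch:", r["mismatch"])
    print("changed blocks:", r["changed_blocks"][0], "..", r["changed_blocks"][-1])
```

With the snapshots above, the changed blocks form one contiguous run of 32 blocks (16 KiB) inside an otherwise untouched 64 KiB file, which is the kind of result that undercuts "it is just wiped random data": wiped data does not change between backups, and the size of the run bounds the volume that is actually in use.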