As you probably know, when creating an encrypted TrueCrypt file you do not need to specify the associated TrueCrypt file extension (.tc); this can simply be left blank, or you could use .iso or anything else you like.
If this TC encrypted file is then burned to a CD-R and the CD-R taken for forensic analysis, would it be possible to determine what encryption program was used?
I believe this is impossible since it simply looks like random data when viewed with WinHex and there are no identifying headers.
With access to the computer maybe it can be found out, but in this scenario there is no computer, only a CD-R with a big 650MB file.
1) Would it be possible to prove that the file is an encrypted file?
2) Would it be possible to pin down what software has been used for encryption? (with no access to the computer, only the CD-R)
I believe this is impossible since it simply looks like random data when viewed with WinHex and there are no identifying headers.
If this is the case, would that then not answer your questions?
Put it this way I give you a 32-character string "ed076287532e86365e841e92bfc50d8c" and ask you to tell me if it was encrypted and how. Could you? If you Google'd it, you'd see I MD-5'ed "Hello World!" (if I encrypted it at all … and didn't give you a random set of 32 characters). Then again, MD-2/4/5 and RIPEMD are all 128-bit algorithms, so I could have given you strings passed through any of those encryption functions.
And yeah, you can normalize outputs to note continuity and generate heuristics … but you might want a solution before the sun runs out of fuel.
Keydet's correct. Gobbledygook is all you've got. No luck.
1) Would it be possible to prove that the file is an encrypted file?
Who are you going to convince? (There's no such thing as an absolute proof, except in mathematics and other artificial situations.)
Try the article 'Using Entropy Analysis to Find Encrypted and Packed Malware' from IEEE Security & Privacy, 2007. It suggests that well-encrypted files can be identified as such by examining the entropy of the files. (I'm fairly sure you can find it on the 'net.)
2) Would it be possible to pin down what software has been used for encryption? (with no access to the computer, only the CD-R)
Are you asking about a theoretical possibility, or are you asking for a piece of software that does it for you?
It may be possible, but with standard encryption methods (i.e. all software produces the same result), it would rely on finding software-specific characteristics. There probably are such to find, but I don't know if anyone has researched the issue. Except the NSA and similar organizations who do this for a living, probably.
Also be mindful of how you frame your question to yourself and others. Anything is possible. However, we deal with probability. This might seem nitpicky at first, but your mindset when approaching a challenge can have a large effect on how you derive results.
1) Would it be possible to prove that the file is an encrypted file?
I am reminded of the Sherlock Holmes quote
“When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth.”
Prove? No. However, you could establish a statistical likelihood using such things as entropy analysis (mentioned above). There are a couple of downloadable programs to do this. However, as noted elsewhere (and implied by my reference to Holmes), if all that you have is the file, with no other context, encryption would be only one of many possibilities.
2) Would it be possible to pin down what software has been used for encryption? (with no access to the computer, only the CD-R)
Not likely. Worse, you probably wouldn't be able to say for certain which encryption algorithm was used, although, assuming that you had established to a reasonable degree of certainty that the file was encrypted, entropy analysis could help to determine the strength of the algorithm.
Aside from the philosophical debate some encryption programs create a container with a header that would tip you off. Truecrypt does not do this in any recent version.
Thank you everyone for the responses. Actually, I was looking at another thread on this forum and came across TCHunt
http//
Quoting their FAQ:
"Q. Why write a program such as TCHunt?
A. To demonstrate that while TrueCrypt volumes may be indistinguishable from random data created in one specific fashion, the volumes themselves can be easily identified because the fashion in which they are created is rather unique. Many TrueCrypt users insist that their volumes are undetectable. We hope TCHunt will convince them otherwise, before they learn this fact the hard way. Most importantly, never claim that an encrypted volume with a mp3 file extension (or whatever) is a corrupt file, etc. While that explanation may seem plausible to an average person, it will not stand up to forensic or legal scrutiny. No form of corruption will look like AES encrypted data. It's not possible."
I have not tested TCHunt, but it looks like a possible tool for finding out whether TrueCrypt was used to encrypt a given file.
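The entropy analysis recommended in the earlier replies and the "created in a specific fashion" screen described in the TCHunt FAQ above, as an added example that is not code from this thread or from TCHunt itself: the detector assumes a set of heuristics commonly attributed to TCHunt (size a multiple of 512, a minimum size, no recognisable file signature, and a chi-square test of the byte histogram against a uniform distribution) and runs on constructed sample inputs. Headerless compressed data passes the same tests, which is why the replies speak of likelihood rather than proof.

```python
import math
from collections import Counter

# Signatures of common file types (constructed, not exhaustive); a TrueCrypt
# volume carries no such header.
COMMON_MAGIC = (b"MZ", b"\x7fELF", b"%PDF", b"PK\x03\x04", b"\x89PNG",
                b"\xff\xd8\xff", b"ID3", b"\x1f\x8b", b"Rar!", b"7z\xbc\xaf")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (255 degrees of freedom).
    Random bytes score about 255 +/- 23; a value above ~330 occurs for truly
    random data only about 0.1% of the time, so that is the cut-off used below."""
    n = len(data)
    if n == 0:
        return math.inf
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_like_encrypted_container(data: bytes, min_size: int = 19 * 1024,
                                   chi_max: float = 330.0) -> dict:
    """TCHunt-style screen using heuristics assumed here (not TCHunt's own code).
    An empty 'reasons' list means "consistent with an encrypted volume", which is
    a likelihood, not proof: headerless compressed data passes the same tests."""
    n = len(data)
    reasons = []
    if n < min_size:
        reasons.append(f"smaller than {min_size} bytes")
    if n % 512 != 0:
        reasons.append("size is not a multiple of the 512-byte sector size")
    if any(data.startswith(m) for m in COMMON_MAGIC):
        reasons.append("starts with a known file signature")
    chi = chi_square(data)
    if chi > chi_max:
        reasons.append(f"byte histogram is not uniform (chi-square {chi:.0f})")
    return {"suspicious": not reasons, "entropy": shannon_entropy(data),
            "chi_square": chi, "reasons": reasons}

# Constructed samples: a perfectly uniform 32 KiB blob standing in for container
# bytes, and an ASCII text file whose size is not sector-aligned.
UNIFORM_SAMPLE = bytes(range(256)) * 128
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 800
```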
I like it. Sounds like problem solving at its finest!
Take a look at
I am not familiar with them, but they compare themselves to TCHunt.
Let us know if you test it out, and how the two compare!