Can a specific type of search or specific software do a scan to locate unmounted encrypted volumes from a hard drive?
This might help?
http//
I believe EDD discovers mounted volumes on live machines. CryptHunter is a similar tool (although I should confess I like EDD better). One of the techniques used by many "live" volume encryption identification tools is to identify drive letter assignments that don't correspond to physical devices, hence the reason they only identify mounted volumes. There are other tests they do too in order to identify what type of encryption is in use (e.g. BitLocker, TrueCrypt, etc.).
If you are looking for unmounted TrueCrypt encrypted volumes on disk images, you could try the TCDiscover Python script. http//
I haven't looked into this, but I know that there should be registry clues that you could look into. For instance when you insert a TrueCrypt encrypted USB, it gets assigned a drive letter and this shows up in the Registry and can be associated with the USB via the USBSTOR key. Then when TrueCrypt mounts it a new drive letter is assigned, and this can also be traced back to the same USBSTOR key. A colleague has seen this in a case. You also of course have the volume encryption application related Registry keys that show up.
You may perhaps be able to find Registry artefacts associated with mounting encrypted volumes from files on a HD. Ask me again some time later this summer - it's now on my project list. D
(Is that you Kemar? You guys should come up and visit again - the temperature was a warm -20C the other night… ) )
Yup Eric, nice to hear from you, and I'm grateful to alistairfay's answer, but my issue is that I have almost 10 TB of data. The main computer's registry showed that TrueCrypt and PGP are installed and a TrueCrypt volume has been mounted; however, searching the hard disks I am lost as to what to search for. CryptHunter and EDD won't work. I'll try your suggestion, however, and expect a million more questions from me!
A starting point would be to order all files in your data set by size, from largest to smallest. See a large (perhaps several GB) file which doesn't behave as you expect? That'll be a good candidate for an encrypted volume.
FYI. I sent a suggestion to PassWare to see if they could perhaps incorporate a scan functionality to locate unmounted volumes in disk images or on media. They've passed the suggestion on to their developers. Their tool already has TrueCrypt and BitLocker cracking functionality; I figured it would be nice for it to be able to locate encrypted volume files as well.
@Jonathan, I already attempted sorting by size; however, all large files seem normal and their signatures were all verified. It leaves me to wonder whether the volume even exists on any of the seized items.
Thanks Eric, I'll still continue researching and keep in touch.
all large files seem normal, their signatures were all verified
An encrypted container could be constructed with a file signature matching a common type; the file signature is only the first few (and possibly last few) bytes of the file, after all.
Using steganography (or combining steganography with encryption) you could even hide a volume within a file which, for all intents and purposes, is a working file of a type matching the signature.
Whether either of these options is probable is another matter…
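As an added example (not code from any poster or tool in this thread), a small Python scan in the spirit of TCDiscover: it flags large, sector-aligned files whose content past the header is near-random, so a container wearing a borrowed JPEG signature still surfaces while a genuine text file does not. The file names, sizes and thresholds are constructed for the demo and the 512-byte alignment test is a heuristic, not proof.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SECTOR = 512              # a TrueCrypt container is a whole number of 512-byte sectors
HEADER_SKIP = 4096        # sample past the first bytes, where a decoy signature would sit
SAMPLE_BYTES = 64 * 1024  # how much of each file body to measure
ENTROPY_FLOOR = 7.9       # bits per byte; encrypted or random data sits just under 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_container(path, min_size=1024 * 1024):
    """Heuristic: large, sector-aligned and random-looking beyond the header."""
    size = os.path.getsize(path)
    if size < min_size or size % SECTOR:
        return False
    with open(path, "rb") as f:
        f.seek(HEADER_SKIP)
        return shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_FLOOR

def scan_candidates(root, min_size=1024 * 1024):
    """Walk root and return candidate paths, largest first (then by name)."""
    hits = [p for p in Path(root).rglob("*")
            if p.is_file() and looks_like_container(p, min_size)]
    return sorted(hits, key=lambda p: (-os.path.getsize(p), p.name))

def demo():
    """Constructed sample files (not real evidence); returns the names flagged."""
    mib = 1024 * 1024
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "random.bin").write_bytes(os.urandom(2 * mib))  # bare container
        (root / "holiday.jpg").write_bytes(                      # JPEG signature, random body
            b"\xff\xd8\xff\xe0" + os.urandom(2 * mib - 4))
        (root / "odd_size.bin").write_bytes(os.urandom(2 * mib + 100))  # random, not sector-aligned
        (root / "notes.txt").write_bytes(b"meeting notes..\n" * (2 * mib // 16))  # low entropy
        return [p.name for p in scan_candidates(root)]

if __name__ == "__main__":
    print(demo())  # ['holiday.jpg', 'random.bin']
```

On a real evidence set, run scan_candidates over a mounted read-only image and review the hits by hand; compressed media (video, archives) also has high entropy, so the alignment and size checks only narrow the list.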
OK, so in a case of steg and encryption, what are your best suggestions?
StegAlyzer is probably the best tool in that case.