There is an Encrypted Data Finder EnScript that scans files and reports back those with an entropy above a certain level you set.
Is that in the regular EnCase 6.x? I'll have to look for that when I get home. Although I do know for a fact the suspect used EnCase, and my teacher said there is a container on the system, I just need to find it.. lol.
Rich2005, do you have a copy of that script you can send me? Is it an EnPack file, or do we have access to the source?
Thanks
Are there any TrueCrypt EnScripts out there?
There is also a Truecrypt File Locator script. You give it a password (or password list) and it will recurse through a folder and attempt to mount your suspected containers.
I don't right now (I moved companies recently); I might have a backup somewhere.
Actually, I just checked for you, it's on the EnCase boards:
https://
(I believe it works in v6 from memory)
I have recently located what appear to be Unicode records in unallocated clusters detailing the full path of files stored in a mounted TrueCrypt container. The records looked something like this from memory:
\D.E.V.I.C.E.\.T.R.U.E.C.R.Y.P.T.V.O.L.U.M.E.X.\.M.Y.B.A.D.S.T.U.F.F.\.M.Y.B.A.D.S.T.U.F.F…M.P.G.
Worth searching for.
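The dotted rendering in the post above is what a UTF-16LE string looks like in the ASCII column of a hex view: every character is followed by its 0x00 high byte. Below is an added example (not code from the original post) of carving such records out of a raw chunk of unallocated space in Python: it matches the `\Device\TrueCryptVolume` prefix case-insensitively in its UTF-16LE form at any byte alignment, then extends the match over the printable characters that follow. The sample buffer, the volume letter and the file name in it are constructed for the example.

```python
import re


def utf16le_ci(text: str) -> bytes:
    """Regex (bytes) matching `text` encoded as UTF-16LE, ASCII-case-insensitive for letters."""
    parts = []
    for ch in text:
        if ch.isalpha():
            # [aA] followed by the NUL high byte of the UTF-16LE code unit
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return b"".join(parts)


# Prefix of the records seen in unallocated space, then any run of printable UTF-16LE characters.
TC_PATH_RE = re.compile(
    utf16le_ci("\\Device\\TrueCryptVolume") + rb"(?:[\x20-\x7e]\x00)*"
)


def find_tc_paths(buf: bytes):
    """Return (byte offset, decoded path) for every \\Device\\TrueCryptVolume... string in buf."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in TC_PATH_RE.finditer(buf)]


def as_dotted(path: str) -> str:
    """Render a string the way its UTF-16LE encoding appears in a hex viewer's ASCII column."""
    return "".join(ch + "." for ch in path)


# Constructed sample: a slice of "unallocated" bytes with one UTF-16LE path embedded.
# The volume letter and file name are invented for this example.
_PATH = "\\Device\\TrueCryptVolumeX\\MyStuff\\clip.mpg"
SAMPLE = (
    b"\x00" * 37
    + b"junk junk junk"
    + _PATH.encode("utf-16-le")
    + b"\x00\x00"
    + b"\xff" * 20
)


if __name__ == "__main__":
    for offset, path in find_tc_paths(SAMPLE):
        print(f"offset {offset}: {path}")
        print(f"  as seen in ASCII view: {as_dotted(path)}")
```

In EnCase the equivalent is a keyword for `\Device\TrueCryptVolume` with the Unicode option ticked (and case-insensitive matching), rather than typing the dotted form; a raw search like the one above is useful for exported unallocated clusters or a dd image. A hit only proves a path was referenced while a volume was mounted, so the surrounding context (prefetch, shellbags, MRU lists) still has to be examined to attribute it.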
NTFS folder style artefact? Thanks for that info, quite interesting stuff. I've always found TC to be very good at cleaning up after itself but it looks like this artefact was created by the OS… I wonder if TC nukes the relevant shellbags as well…
Yes, they do appear to be NTFS artefacts, and I found a bunch of them that were quite incriminating as they existed alongside similar artefacts showing the same file names but located in a path that included a user profile name that matched the suspect. If I ever get the time I will investigate more as to their provenance; for now their content is enough.
TCHunt.
http://16s.us/TCHunt/
———-
Q. TCHunt found all of my encrypted volumes. How does it work?
A. TCHunt searches for four (4) file attributes. This is all TCHunt does:
1. The suspect file size modulo 512 must equal zero.
2. The suspect file is at least 19 KB in size (although in practice this is set to 5 MB).
3. The suspect file contents pass a chi-square distribution test.
4. The suspect file must not contain a common file header.
As an alternative, try FI TOOLS (http://
Rob
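The four TCHunt attributes quoted above, together with the "entropy above a level you set" scan of the Encrypted Data Finder EnScript mentioned at the top of the thread, reduce to a few lines of Python. The block below is an added example, not TCHunt's or Guidance's code: the chi-square cut-off (the p = 0.001 critical value for 255 degrees of freedom), the short header list and the sample "files" are assumptions made for the example, and the 19 KB minimum is kept as the default even though the FAQ says 5 MB is used in practice.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
MIN_SIZE = 19 * 1024        # documented minimum; pass min_size=5 * 1024 * 1024 for the practical value
CHI2_CRITICAL = 330.5       # assumed cut-off: chi-square, 255 degrees of freedom, p = 0.001
# Partial list of common headers (assumption; extend for real use). TrueCrypt volumes have none,
# their header is encrypted too, which is exactly why TCHunt relies on the absence of a magic.
COMMON_HEADERS = [b"MZ", b"PK\x03\x04", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"GIF8",
                  b"\x1f\x8b", b"Rar!", b"7z\xbc\xaf\x27\x1c", b"OggS", b"\xd0\xcf\x11\xe0"]


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    if not data:
        return math.inf
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    header = next((h for h in COMMON_HEADERS if data.startswith(h)), None)
    return {"size": len(data), "sector_aligned": len(data) % SECTOR == 0,
            "header": header, "chi2": chi_square(data), "entropy": shannon_entropy(data)}


def tchunt_check(data: bytes, min_size: int = MIN_SIZE):
    """Apply the four TCHunt attributes; return (looks_like_volume, reasons_it_was_rejected)."""
    d = describe(data)
    reasons = []
    if not d["sector_aligned"]:
        reasons.append("size not a multiple of 512")
    if d["size"] < min_size:
        reasons.append(f"smaller than {min_size} bytes")
    if d["header"] is not None:
        reasons.append("common file header")
    if d["chi2"] > CHI2_CRITICAL:
        reasons.append("byte distribution fails chi-square test")
    return (not reasons, reasons)


def entropy_hits(files: dict, threshold: float = 7.9):
    """The 'entropy above a level you set' scan: names whose Shannon entropy exceeds threshold."""
    return sorted(name for name, data in files.items() if shannon_entropy(data) > threshold)


def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample "files": one that passes every test, and three that each fail one of them.
SAMPLES = {
    "container.dat": pseudo_random(1024 * 1024),                      # 1 MiB, aligned, no header
    "notes.txt": b"The quick brown fox jumps over the lazy dog.\n" * 512,  # aligned but low entropy
    "archive.zip": b"PK\x03\x04" + pseudo_random(64 * 1024 - 4),     # random body, known header
    "odd.bin": pseudo_random(64 * 1024 + 1),                          # not sector-aligned
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, why = tchunt_check(data)
        d = describe(data)
        print(f"{name:14} entropy={d['entropy']:.3f} chi2={d['chi2']:8.1f} "
              f"{'CANDIDATE' if ok else 'rejected: ' + '; '.join(why)}")
    print("entropy scan hits:", entropy_hits(SAMPLES))
```

The two scans disagree in a useful way: `archive.zip` and `odd.bin` trip the entropy threshold but are rejected by TCHunt's header and sector-alignment rules, which is why the entropy-only EnScript produces more noise. Neither test proves a file is a TrueCrypt volume; compressed or encrypted data with its header stripped, wiped regions and other encrypted formats pass all four attributes, so a candidate still has to be mounted (with the Truecrypt File Locator script or TrueCrypt itself) to confirm it.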
I think I have identified that the Unicode data 'D.E.V.I.C.E.\.T.R.U.E.C.R.Y.P.T.V.O.L.U.M.E.X.\.M.Y.B.A.D.S.T.U.F.F.\.M.Y.B.A.D.S.T.U.F.F…M.P.G.' originated from IEXPLORE prefetch data.