
TrueCrypt: Read Only Mount in Windows

(@visualad)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

If a TrueCrypt file container is mounted with the read-only option in Windows XP, can this be relied upon as forensically sound? We are unable to use a hardware write blocker to protect the partition which contains the file container.

I assume that any write attempts made to the encrypted file container will cause total corruption of the volume, and that when mounted as read-only it would be similar to using a software write blocker.


   
(@broberson)
Active Member
Joined: 17 years ago
Posts: 10
 

I would say that nothing could be relied upon as being forensically sound until you test it yourself.

My idea for you would be to

1) Make a couple of copies of your TrueCrypt container to other media. Hash them. Verify hash against original…

If you have no hardware write-blocker to use against your original media, boot up a machine with Helix, attach (not mount) your drive and do a DD/DCFLDD image of your media and extract the container post imaging using EnCase or whatever tools you have…

2) Mount one copy up as read-only in Windows and do a portion of your analysis, dismount, hash the container. Verify hash against original…

or 3) Mount up as read-only in a Windows virtual machine, do a portion of your analysis, dismount, hash the container. Verify hash against original…

This should give you a good idea of whether or not your messing with the file is making any changes. Obviously, don't do any of your testing against the original file, but have a couple of copies handy to try out your analysis.


   
(@visualad)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

Thanks for the response. I was just told to mount it read-only in Windows in the end as the client was desperate for the data.

I will carry out some tests on a TC volume however and see what I get.


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

Can you put the container on a drive connected to USB, write block that (hardware or software, your trusted method), then mount it? As long as you are working from a copy you can hash it after analysis and if it matches the original you are good.


   
(@gtorgersen)
Trusted Member
Joined: 17 years ago
Posts: 70
 

TrueCrypt claims that all data is accessed via RAM memory and that no data will be changed. But as mentioned above, the only reliable way to know would be to test.

I like the recommendation above. I always use a trusted source when write blocking is critical. I generally go with a hardware and software combo.

We have developed software for write blocking USB devices. You can download it for free here: http://www.dsionline.biz/usb_writeblock.htm

I also think it may be available on this site as "USB Write Blocker".

Gary Torgersen
Document Solutions, Inc.
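
The test the replies above describe (hash a working copy, mount it read-only, dismount, hash again and compare), sketched as an added example that is not part of any post in this thread. The file names, the random sample bytes and the simulated stray write are constructed for the demonstration; the mount and analysis step itself is done by hand between the two snapshots.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so large containers are not loaded into RAM

def snapshot(path):
    """Record SHA-256, size and mtime of a container file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def changed_fields(before, after):
    """Fields that differ between two snapshots; an empty list means no change seen."""
    return [k for k in ("sha256", "size", "mtime_ns") if before[k] != after[k]]

def first_difference(reference, working):
    """Byte offset of the first difference between two files, or None if identical."""
    offset = 0
    with open(reference, "rb") as a, open(working, "rb") as b:
        while True:
            x, y = a.read(CHUNK), b.read(CHUNK)
            if x != y:
                same = next((i for i, (p, q) in enumerate(zip(x, y)) if p != q),
                            min(len(x), len(y)))
                return offset + same
            if not x:
                return None
            offset += len(x)

def demo():
    """Constructed stand-in for the test: two copies, one untouched, one written to."""
    with tempfile.TemporaryDirectory() as d:
        ref, work = os.path.join(d, "reference.tc"), os.path.join(d, "working.tc")
        data = os.urandom(3 * 4096)  # constructed sample bytes, not a real volume
        for p in (ref, work):
            with open(p, "wb") as f:
                f.write(data)
        before = snapshot(work)            # hash before mounting
        # ... mount read-only, analyse, dismount would happen here ...
        clean = changed_fields(before, snapshot(work))
        with open(work, "r+b") as f:       # simulate a stray write at offset 5000
            f.seek(5000)
            f.write(bytes([data[5000] ^ 0xFF]))
        dirty = changed_fields(before, snapshot(work))
        return clean, dirty, first_difference(ref, work)

if __name__ == "__main__":
    print(demo())
```

An empty list from `changed_fields` means the working copy still matches its pre-mount snapshot; if the hash differs, `first_difference` against an untouched reference copy shows where in the container the change landed.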


   