±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34837
New Yesterday: 1 Visitors: 126

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Truecrypt

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Truecrypt

Post Posted: Tue May 26, 2009 8:38 pm

Is there any way to tell in Encase if there is a hidden truecrypt volume? If so how?  

workneverends
Member
 
 
  

Re: Truecrypt

Post Posted: Tue May 26, 2009 9:39 pm

With respect to what, exactly?

Are you asking if, given an image, you can tell if there is a TrueCrypt volume somewhere within the partition? From what I've seen, the answer is most likely no.

Or are you asking if there is any way to tell, via an image, if someone on the system accessed a Truecrypt volume, then the answer is yes, it is possible.  

keydet89
Senior Member
 
 
  

Re: Truecrypt

Post Posted: Tue May 26, 2009 9:40 pm

Have you tried Encrypted Disk Detector?

http://www.jadsoftware.com/home/edd.htm  

douglasbrush
Senior Member
 
 
  

Re: Truecrypt

Post Posted: Wed May 27, 2009 1:43 pm

I have an image of a hard drive- with a file with extension .tc and I cracked one password but was wondering how do I know if there is or isnt a hidden volume within that volume.  

workneverends
Member
 
 
  

Re: Truecrypt

Post Posted: Wed May 27, 2009 6:09 pm

To my knowledge, the hidden internal volume's header has no distinguishable format, and the free space of the volume is initialized with random data -- just so it's impossible to tell.

Now, if I remember correctly, the hidden volume header is always stored in the same place (the 3rd from last block in the filesystem, maybe?). If a file occupies that space, or there's identifiable data there, then there's no hidden volume.  

indur
Senior Member
 
 
  

Re: Truecrypt

Post Posted: Wed May 27, 2009 6:24 pm

- workneverends
I have an image of a hard drive- with a file with extension .tc and I cracked one password but was wondering how do I know if there is or isnt a hidden volume within that volume.


Why would someone put an encrypted volume on the system, but not access it? Check the Registry for access to a TrueCrypt volume.  

keydet89
Senior Member
 
 
  

Re: Truecrypt

Post Posted: Wed May 27, 2009 7:19 pm

Check volume serial numbers from LNK files with volume serial number inside the filesystem of TrueCrypt container. You can also search for the data itself, not hidden container - there are many cases of data leaks from cryptocontainers, especially on Vista.  

thefuf
Senior Member
 
 

Page 1 of 2
Go to page 1, 2  Next