It works by creating encrypted volume files that are mounted as logical drives, each with a drive
letter. Due to a restriction of the operating system, volumes can only be mounted by a user with
administrative permissions unless the TrueCrypt software has first been fully installed by an
administrator.
The program comes with an in-depth manual in PDF format, but some of its key features are:
1.
2. Allows the user to transparently read/write data to the encrypted volume once mounted
3. Encrypted data is decrypted on-the-fly, so an encrypted volume file that is open at the time of a system crash will not be compromised
4.
5. Volume header key (derived from password/phrase used to encrypt master key) and master key derived using SHA-1 or RIPEMD-160 hash algorithms
6. Can create a hidden encrypted volume within the unallocated space of a parent encrypted volume; each volume can have its own passphrase, thus allowing for plausible deniability
7. Traveler Disk Setup configures volume files for mounting from removable media on any Windows NT-based system without pre-installing any software
8. Full command-line usage allowing for quiet/stealth operation, leaving minimal footprint on host system
9. Encrypted volume files have no detectable file signature/header; are not bound to use the registered file extension .tc
From a user's perspective, the benefits of using this particularly effective software are
self-evident.
We will use the software to demonstrate the options open to an examiner when contemplating
the identification/examination of encrypted data.
The following screenshots show the successful creation of a 50-megabyte, FAT, encrypted volume
file using TrueCrypt. Note the presence of the random pool data (used as part of the key
generation process), the header, and master keys.
Encryption Software
Examination of installed software and shortcut links (on the Desktop, Start Menu, and Send To
folders of each user and under the All Users profile folder) is a good way to triage a target system
for installed encryption software.
The volume driver allows the system to mount the encrypted volume file as a drive and then
handles the process of reading/writing data to it, decrypting/encrypting it in the process.
This registry entry will be created whenever a TrueCrypt volume is mounted on current
Windows operating systems. This applies even if the volume and system driver were on a
removable disk and the software hadn't been installed on the system drive. The registry entry
would, in that case, point to the TrueCrypt driver on the removable disk.
It used to be the case that if a TrueCrypt volume was mounted in stealth mode, the volume driver
registry entry would be removed when the volume was dismounted. However, this is no longer the
case: the registry entry is removed regardless of the mode of operation. The only exception to this is
where TrueCrypt has been fully installed by an administrator of the computer in question. This is
necessary where non-administrative users need to use the TrueCrypt software.
Regardless of whether the driver registry entry has been deleted post-operation, it's still likely to
be found in the unallocated space of the registry hive file or in unallocated clusters on disk as a
result of paged memory operations.
In addition to the volume driver registry entry, one other registry entry is created that cannot be
removed by TrueCrypt because registry permissions do not permit it; only the system account has
the permissions necessary to accomplish this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUECRYPT
Note that if user history is saved, TrueCrypt version 4.0 and later saves this data in a separate file
(same location as mentioned previously) called History.xml.
Prior to version 4, TrueCrypt would not create user configuration/history registry settings if
stealth mode was enabled. Under version 4 and later, TrueCrypt will always create an
Application Data\TrueCrypt folder, even if stealth mode is used. However the general
configuration file will only be saved if the full TrueCrypt GUI is used.
In addition to searching for files and registry entries, the examiner also has the option of using
hash analysis to identify known encryption software, including software that uses steganography
to hide encrypted data within other files, typically picture and audio files.
Hashsets for such software are available through the Hashkeeper user group
(http://groups.yahoo.com/group/hashkeeper/); they're also contained within the hashsets
produced by the National Software Reference Library (NSRL - http://www.nsrl.nist.gov/).
Another approach is to search for keywords commonly associated with encryption software.
Operating systems often have built-in encryption functionality, so it's not unusual for such
searches to reveal a large number of hits. Examining the location of the hits (using the option to
tag the files associated with the hits under the Search Hits tab) can sometimes, however, help to
identify encryption software that was previously overlooked.
Encrypted Files
As in the case of TrueCrypt, we have seen that the configuration data (registry or otherwise)
created by encryption software may identify the encrypted data created or accessed by that
software.
Even if this is not the case, we can use our knowledge of identified software, undertaking further
research where necessary, to identify encrypted files or data on a target system.
The default extension for TrueCrypt files is .tc, and provided that the TrueCrypt software has
been installed on a system, the file extension will be registered in the Windows Registry under
two subkeys of the Classes key located in the SOFTWARE hive file.
TrueCrypt files with a .tc extension are obviously quite easy to find.
Some files, Microsoft Word documents and ZIP files for instance, may contain encrypted data
that may not be evident until the file is opened either by EnCase software (EnCase) or
externally.
For example, the following screenshot shows a ZIP file viewed within EnCase.
Having discussed all of the previous options, what action can the examiner take with respect to
those encrypted files that cannot be located through program information, link files, file
extension, or content?
Unfortunately TrueCrypt has the potential to fit all of these criteria. As already stated, TrueCrypt
is open source, so the structure of its volume files is no secret.
Offset (bytes)  Size (bytes)  Encrypted?  Description
0               64            No          Salt
64              4             Yes         ASCII string TRUE
68              2             Yes         Volume header format version
70              2             Yes         Minimum program version required to open the volume
72              4             Yes         CRC-32 checksum of the (decrypted) bytes 256-511
76              8             Yes         Volume creation time
84              8             Yes         Header creation/modification time
92              8             Yes         Reserved (set to zero)
100             156           Yes         Currently unused
256             Var.          Yes         Secondary key (LRW mode)
288             Var.          Yes         Master key(s)
512             Var.          Yes         Data area (actual volume contents)
It's clear that with the exception of the first 64 bytes the entire volume is encrypted.
The first 64 bytes make up a random value called a salt. A salt is used to make life difficult for
any person who wants to crack an encrypted file.
The structure of a TrueCrypt volume makes life very difficult for the examiner because it contains
no plaintext data that can help identify it.
Even the TrueCrypt software itself cannot identify a TrueCrypt volume without the correct
passphrase. Entering an incorrect passphrase will result in the following dialog box.
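The header layout in the table above, and the point that even TrueCrypt cannot recognise one of its own volumes without the passphrase, can be made concrete with a small parser. The Python below is an added example and is not code from this document or from the TrueCrypt project. It lays out the fields from the table, parses a header only after it has been decrypted (checking the ASCII TRUE magic and the CRC-32 over bytes 256-511), and exercises that parser on a constructed sample header whose salt, keys, timestamps and version numbers are made up. Two things are assumptions not stated on the page: multi-byte integers are treated as big-endian, and the "Var." key area is split as a 32-byte secondary key followed by a 224-byte master key area up to the 512-byte data boundary. The passphrase-based key derivation and LRW decryption that would turn on-disk bytes into this plaintext header are not implemented; a stand-in XOR keystream is used only to show that the magic and CRC are unreadable on disk.

```python
import random
import struct
import zlib

HEADER_SIZE = 512  # bytes 0-511 form the header; the data area starts at offset 512

# Field layout taken from the table above as (name, offset, size). Only the salt is
# stored in the clear; every other field is readable only after decryption.
# Assumption (not stated on the page): multi-byte integers are big-endian.
FIELDS = [
    ("salt", 0, 64),
    ("magic", 64, 4),             # ASCII "TRUE"
    ("header_version", 68, 2),
    ("min_program_version", 70, 2),
    ("crc32", 72, 4),             # CRC-32 of the decrypted bytes 256-511
    ("volume_created", 76, 8),
    ("header_modified", 84, 8),
    ("reserved", 92, 8),
    ("unused", 100, 156),
    ("secondary_key", 256, 32),   # LRW secondary key; 32 bytes is an assumption (table: "Var.")
    ("master_keys", 288, 224),    # master key area up to the 512-byte data boundary (assumed)
]


def looks_like_truecrypt_on_disk(raw):
    """The only signature check an examiner could try on raw bytes: 'TRUE' at offset 64.
    That region is encrypted on disk, so a real volume never passes this test."""
    return raw[64:68] == b"TRUE"


def parse_decrypted_header(hdr):
    """Parse a header that has ALREADY been decrypted with the correct passphrase.

    With the wrong passphrase the 'decrypted' bytes are still noise: the magic is
    absent and the CRC does not match. That is why TrueCrypt itself cannot tell a
    volume from random data without the passphrase. Raises ValueError in both cases.
    """
    if len(hdr) < HEADER_SIZE:
        raise ValueError("need at least 512 bytes of header")
    if not looks_like_truecrypt_on_disk(hdr):
        raise ValueError("magic 'TRUE' absent: wrong passphrase or not a TrueCrypt header")
    header_version, min_version, stored_crc = struct.unpack(">HHI", hdr[68:76])
    created, modified = struct.unpack(">QQ", hdr[76:92])
    computed_crc = zlib.crc32(hdr[256:512]) & 0xFFFFFFFF
    if computed_crc != stored_crc:
        raise ValueError("CRC-32 mismatch over bytes 256-511: stored %#010x, computed %#010x"
                         % (stored_crc, computed_crc))
    return {
        "salt": hdr[0:64],
        "header_version": header_version,
        "min_program_version": min_version,
        "crc32": stored_crc,
        "volume_created": created,
        "header_modified": modified,
        "secondary_key": hdr[256:288],
        "master_keys": hdr[288:512],
    }


def header_is_valid(hdr):
    """True if the (decrypted) header passes both the magic and the CRC check."""
    try:
        parse_decrypted_header(hdr)
        return True
    except ValueError:
        return False


def build_decrypted_header(salt, header_version, min_version, created, modified,
                           secondary_key, master_keys):
    """Assemble a plaintext header with a correct CRC. Used only to construct the
    sample below; this is not how TrueCrypt writes volumes."""
    if len(salt) != 64 or len(secondary_key) != 32 or len(master_keys) != 224:
        raise ValueError("salt must be 64 bytes, secondary key 32, master key area 224")
    key_area = secondary_key + master_keys
    hdr = bytearray(HEADER_SIZE)
    hdr[0:64] = salt
    hdr[64:68] = b"TRUE"
    struct.pack_into(">HHI", hdr, 68, header_version, min_version,
                     zlib.crc32(key_area) & 0xFFFFFFFF)
    struct.pack_into(">QQ", hdr, 76, created, modified)
    # bytes 92-255 stay zero (reserved / currently unused)
    hdr[256:512] = key_area
    return bytes(hdr)


def flip_bit(data, offset):
    """Return a copy with one bit flipped at offset (simulates corruption or tampering)."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


# --- constructed sample data: deterministic and not taken from any real volume ---
_rng = random.Random(2006)


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_SALT = _random_bytes(64)
SAMPLE_HEADER = build_decrypted_header(
    salt=SAMPLE_SALT, header_version=2, min_version=0x0400,        # constructed version values
    created=0x01C6800000000000, modified=0x01C6800000000100,        # constructed timestamps
    secondary_key=_random_bytes(32), master_keys=_random_bytes(224))

# Stand-in for the on-disk form: salt in the clear, everything after it XORed with a
# keystream. This is NOT TrueCrypt's LRW cipher; it only shows that the magic and the
# CRC are unreadable before decryption.
_keystream = _random_bytes(HEADER_SIZE - 64)
SAMPLE_ON_DISK = SAMPLE_SALT + bytes(a ^ b for a, b in zip(SAMPLE_HEADER[64:], _keystream))


if __name__ == "__main__":
    print("magic visible on disk?", looks_like_truecrypt_on_disk(SAMPLE_ON_DISK))
    print("magic visible after decryption?", looks_like_truecrypt_on_disk(SAMPLE_HEADER))
    fields = parse_decrypted_header(SAMPLE_HEADER)
    print("header version %d, CRC %#010x" % (fields["header_version"], fields["crc32"]))
    print("tampered key area detected?", not header_is_valid(flip_bit(SAMPLE_HEADER, 300)))
```

The design mirrors what the table implies for the examiner: nothing in the first 512 bytes except the salt is usable without the passphrase, and the CRC over the key area is the only integrity check, so a header altered anywhere in bytes 256-511 (including a single flipped bit) fails to parse just as a wrong passphrase does.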
If the examiner is lucky, there may be something unusual about the file that draws their attention.
One example of this is the size of the file. TrueCrypt volumes are mounted as logical disks, so
they are usually substantial in size.
Another more-advanced option is the identification of encrypted data by its binary structure.
Most encryption algorithms create data that, in addition to being encrypted, is highly random
across its entire length. If the data contained within a file is highly random then there's a
good chance that it's encrypted.
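The randomness test described above can be implemented with a byte-frequency (Shannon) entropy measure. The Python below is an added example, not code from this document: it scores a file in fixed-size chunks and only reports it as encrypted-looking when every chunk is close to the 8-bits-per-byte maximum, which is the "across its entire length" condition the text sets out. The 4096-byte chunk size and the 7.9 threshold are assumed working values, not figures from the page; the samples are constructed (a pseudo-random byte stream standing in for ciphertext, repeated English text standing in for a document, and a concatenation of the two standing in for a file with a plaintext header and an encrypted body).

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 when all 256 byte values
    occur equally often. Ciphertext and good random data sit very close to 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk_size=4096):
    """Entropy of each full chunk. A short tail is folded into the last chunk so that
    a few trailing bytes cannot drag the score down on their own."""
    n_full = len(data) // chunk_size
    if n_full == 0:
        return [shannon_entropy(data)]
    scores = []
    for i in range(n_full):
        start = i * chunk_size
        end = len(data) if i == n_full - 1 else start + chunk_size
        scores.append(shannon_entropy(data[start:end]))
    return scores


def looks_encrypted(data, chunk_size=4096, threshold=7.9):
    """The heuristic from the text: highly random over the whole length, so the weakest
    chunk decides. A file with a plaintext header and an encrypted body fails here,
    which is the useful answer: it is not an opaque blob, it has structure to examine.
    Inputs shorter than one chunk are never reported as encrypted-looking, because a
    small sample cannot reach the threshold even when it is genuinely random."""
    scores = chunk_entropies(data, chunk_size)
    return len(data) >= chunk_size and min(scores) >= threshold


def entropy_report(data, chunk_size=4096):
    """Per-file summary an examiner can log: overall, weakest and strongest chunk."""
    scores = chunk_entropies(data, chunk_size)
    return {"overall": round(shannon_entropy(data), 3),
            "min_chunk": round(min(scores), 3),
            "max_chunk": round(max(scores), 3),
            "chunks": len(scores)}


# --- constructed samples (not real evidence) ---
_rng = random.Random(1)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(16384))   # stands in for ciphertext
TEXT_SAMPLE = (b"Most encryption algorithms create data that, in addition to being "
               b"encrypted, is highly random across its entire length. " * 400)[:16384]
MIXED_SAMPLE = TEXT_SAMPLE[:4096] + RANDOM_SAMPLE[:12288]           # plaintext header + random body


if __name__ == "__main__":
    for name, sample in (("random", RANDOM_SAMPLE), ("text", TEXT_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, entropy_report(sample), "encrypted-looking:", looks_encrypted(sample))
```

High entropy is a lead rather than proof: compressed formats such as ZIP archives, JPEG images and MP3 audio also score close to 8 bits per byte, so a hit from this test is best combined with the other indicators discussed above (unusual file size, the absence of any known file signature, and the program and link-file artefacts left by encryption software). The same routine can be run over unallocated clusters to flag regions that may belong to a deleted volume file.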