
TrueCrypt

TrueCrypt is free, open-source software that can currently be found at http://www.truecrypt.org.

It works by creating encrypted volume files that are mounted as logical drives, each with a drive
letter. Due to a restriction of the operating system, volumes can only be mounted by a user with
administrative permissions unless the TrueCrypt software has first been fully installed by an
administrator.
The program comes with an in-depth manual in PDF format, but some of its key features are:
1. Ability to create FAT and NTFS formatted volume files
2. Allows the user to transparently read/write data to the encrypted volume once mounted
3. Encrypted data is decrypted on-the-fly, so an encrypted volume file that is open at the time of a system crash will not be compromised
4. Can implement all mainstream symmetric encryption algorithms, including Blowfish and AES-256
5. Volume header key (derived from the password/phrase used to encrypt the master key) and master key derived using the SHA-1 or RIPEMD-160 hash algorithms
6. Can create a hidden encrypted volume within the unallocated space of a parent encrypted volume; each volume can have its own passphrase, thus allowing for plausible deniability
7. Traveler Disk Setup configures volume files for mounting from removable media on any Windows NT-based system without pre-installing any software
8. Full command-line usage allowing for quiet/stealth operation, leaving a minimal footprint on the host system
9. Encrypted volume files have no detectable file signature/header and are not bound to use the registered file extension .tc

From a user's perspective, the benefits of using this particularly effective software are
self-evident.
We will use the software to demonstrate the options open to an examiner when contemplating
the identification/examination of encrypted data.
The following screenshots show the successful creation of a 50-megabyte, FAT, encrypted volume
file using TrueCrypt. Note the presence of the random pool data (used as part of the key
generation process), the header, and master keys.

Figure 7-5 Formatting created volume with FAT

Figure 7-6 Screenshots showing creation of TrueCrypt volume

IDENTIFYING ENCRYPTED DATA


There are a number of approaches to identifying encrypted data on a target disk.

Encryption Software
Examination of installed software and shortcut links (on the Desktop, Start Menu, and Send To
folders of each user and under the All Users profile folder) is a good way to triage a target system
for installed encryption software.

Figure 7-7 Identifying the TrueCrypt program folder


It is particularly important not to neglect the Windows Registry. For instance, TrueCrypt, even in
quiet/stealth mode, has to create registry entries in order to function properly. The same is true of
most, if not all, encryption software that supports encrypted volumes.
The subsequent screenshot shows the reference to the TrueCrypt volume driver, truecrypt.sys, in
the services\TrueCrypt subkey of the control set that was last active on the target machine.

Figure 7-8 The TrueCrypt volume driver registry setting

The volume driver allows the system to mount the encrypted volume file as a drive and then
handles the process of reading/writing data to it, decrypting/encrypting it in the process.

This registry entry will be created whenever a TrueCrypt volume is mounted on current
Windows operating systems. This applies even if the volume and system driver were on a
removable disk and the software hadn't been installed on the system drive. The registry entry
would, in that case, point to the TrueCrypt driver on the removable disk.
It used to be the case that if a TrueCrypt volume was mounted in stealth mode, the volume driver
registry entry would be removed when the volume was dismounted. However, this is no longer the
case: the registry entry is removed regardless of the mode of operation. The only exception to this is
where TrueCrypt has been fully installed by an administrator of the computer in question. This is
necessary where non-administrative users need to use the TrueCrypt software.

Regardless of whether the driver registry entry has been deleted post-operation, it's still likely to
be found in the unallocated space of the registry hive file or in unallocated clusters on disk as a
result of paged memory operations.
In addition to the volume driver registry entry, one other registry entry is created that cannot be
removed by TrueCrypt because registry permissions do not permit it; only the system account has
the permissions necessary to accomplish this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUECRYPT

This registry entry is shown in the following screenshot.

Figure 7-9 The TrueCrypt Enum registry setting


Like most programs, TrueCrypt can maintain a history of encrypted volume files that have been
opened. Prior to TrueCrypt version 4, this information was created in the NTUSER.DAT file of
each user who had used the TrueCrypt software. This changed with TrueCrypt version 4.0: user
configuration data is now stored in a file called Configuration.xml located in the
\Application Data\TrueCrypt subfolder of the user's profile folder. In this example,
we mounted the ntuser.dat of the Bob account.

Figure 7-10 NTUSER.DAT registry entries created by TrueCrypt


Figure 7-11 TrueCrypt v4.2 XML configuration file viewed using Internet Explorer

Note that if user history is saved, TrueCrypt version 4.0 and later saves this data in a separate file
(same location as mentioned previously) called History.xml.

Figure 7-12 Contents of the TrueCrypt History xml file

Prior to version 4, TrueCrypt would not create user configuration/history registry settings if
stealth mode was enabled. Under version 4 and later, TrueCrypt will always create an
Application Data\TrueCrypt folder, even if stealth mode is used. However, the general
configuration file will only be saved if the full TrueCrypt GUI is used.
In addition to searching for files and registry entries, the examiner also has the option of using
hash analysis to identify known encryption software, including software that uses steganography
to hide encrypted data within other files, typically picture and audio files.
Hashsets for such software are available through the Hashkeeper user group
(http://groups.yahoo.com/group/hashkeeper/); they're also contained within the hashsets
produced by the National Software Reference Library (NSRL - http://www.nsrl.nist.gov/).

Another approach is to search for keywords commonly associated with encryption software.
Operating systems often have built-in encryption functionality, so it's not unusual for such
searches to reveal a large number of hits. Examining the location of the hits (using the option to
tag the files associated with the hits under the Search Hits tab) can sometimes, however, help to
identify encryption software that was previously overlooked.

Encrypted Files
As in the case of TrueCrypt, we have seen that the configuration data (registry or otherwise)
created by encryption software may identify the encrypted data created or accessed by that
software.
Even if this is not the case, we can use our knowledge of identified software, undertaking further
research where necessary, to identify encrypted files or data on a target system.
The default extension for TrueCrypt files is .tc, and provided that the TrueCrypt software has
been installed on a system, the file extension will be registered in the Windows Registry under
two subkeys of the Classes key located in the SOFTWARE hive file.

Figure 7-13 File extension shows associated TrueCrypt volume

Figure 7-14 File extension registry entries for TrueCrypt.tc files

TrueCrypt files with a .tc extension are obviously quite easy to find.

Figure 7-15 TrueCrypt volume identified by file extension


Double-clicking on a file with a .tc extension will in this case start the TrueCrypt application
automatically, and a shortcut link to the file will be created in the relevant user's Recent folder in
their user profile.

Figure 7-16 Shortcut link file to TrueCrypt volume


However, TrueCrypt, by default, does not prompt the user to create encrypted volume files with
any particular extension. An extension will only be used if the user specifically asks for it.
Where encrypted files cannot be identified by extension, we have to use other means to try and
identify them.
One way of doing this could be to use registry data or other configuration data, as in the case of
TrueCrypt (if saving file history is enabled).

Some files, Microsoft Word documents and ZIP files for instance, may contain encrypted data
that may not be evident until the file is opened either by EnCase software (EnCase) or
externally.
For example, the following screenshot shows a ZIP file viewed within EnCase.

Figure 7-18 Mounted ZIP file containing encrypted data


Amongst other things, EnCase uses the Description column to indicate that, in this case, every
file in the ZIP file is encrypted. The Protected column is populated as a result of running the
Evidence Processor and selecting the Protected File Analysis option.
EnCase uses the same method to identify those files encrypted with the Encrypting File
System (EFS).

Figure 7-19 EFS files shown in EnCase

Having discussed all of the previous options, what action can the examiner take with respect to
those encrypted files that cannot be located through program information, link files, file
extension, or content?
Unfortunately, TrueCrypt has the potential to fit all of these criteria. As already stated, TrueCrypt
is open source, so the structure of its volume files is no secret.

Offset (bytes)  Size (bytes)  Encrypted?  Description
0               64            No          Salt
64              4             Yes         ASCII string TRUE
68              2             Yes         Volume header format version
70              2             Yes         Minimum program version required to open the volume
72              4             Yes         CRC-32 checksum of the (decrypted) bytes 256-511
76              8             Yes         Volume creation time
84              8             Yes         Header creation/modification time
92              8             Yes         Reserved (set to zero)
100             156           Yes         Currently unused
256             Var.          Yes         Secondary key (LRW mode)
288             Var.          Yes         Master key(s)
512             Var.          Yes         Data area (actual volume contents)

Figure 7-20 The TrueCrypt volume format

It's clear that, with the exception of the first 64 bytes, the entire volume is encrypted.
The first 64 bytes make up a random value called a salt. A salt is used to make life difficult for
any person who wants to crack an encrypted file.
The structure of a TrueCrypt volume makes life very difficult for the examiner because it contains
no plaintext data that can help identify it.
Even the TrueCrypt software itself cannot identify a TrueCrypt volume without the correct
passphrase. Entering an incorrect passphrase will result in the following dialog box.

Figure 7-21 TrueCrypt error message
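As an added illustration of the header layout in the table above (not code from the book or from the TrueCrypt project), the following Python assembles a constructed decrypted header and parses it back, checking the TRUE string and the CRC-32 of bytes 256-511. It assumes big-endian multi-byte fields and works only on header bytes that have already been decrypted with the correct passphrase, since, as noted, nothing but the salt is readable on disk.

```python
import struct
import zlib

# Layout of the 512-byte TrueCrypt volume header from the table above.
# On disk everything after the 64-byte salt is encrypted, so this parser
# expects header bytes that have ALREADY been decrypted with the correct
# passphrase. Assumption: multi-byte fields are big-endian.
HEADER_SIZE = 512
MAGIC = b"TRUE"       # offset 64, 4 bytes
FIELDS = ">HHIQQQ"    # offsets 68-99: version, min version, CRC-32, 2 times, reserved

def build_decrypted_header(salt, version, min_version, vol_time, hdr_time, keys):
    """Constructed test vector (not a real volume): assemble a decrypted
    header exactly as the table lays it out."""
    assert len(salt) == 64
    key_area = keys.ljust(256, b"\0")[:256]            # bytes 256-511
    crc = zlib.crc32(key_area) & 0xFFFFFFFF            # CRC-32 of bytes 256-511
    body = MAGIC + struct.pack(FIELDS, version, min_version, crc,
                               vol_time, hdr_time, 0)  # bytes 64-99
    return salt + body + b"\0" * 156 + key_area        # 64 + 36 + 156 + 256

def parse_decrypted_header(hdr):
    """Return the header fields, or None when hdr is not a valid decrypted
    header: a wrong key yields random bytes, so no 'TRUE' and a bad CRC."""
    if len(hdr) != HEADER_SIZE:
        raise ValueError("a TrueCrypt header is exactly 512 bytes")
    if hdr[64:68] != MAGIC:
        return None
    version, min_version, crc, vol_time, hdr_time, reserved = \
        struct.unpack(FIELDS, hdr[68:100])
    if zlib.crc32(hdr[256:512]) & 0xFFFFFFFF != crc:
        return None
    return {
        "salt": hdr[0:64],              # the only plaintext on disk
        "version": version,
        "min_version": min_version,
        "volume_created": vol_time,     # raw 64-bit values, units not interpreted here
        "header_modified": hdr_time,
        "reserved_is_zero": reserved == 0,
        "secondary_key": hdr[256:288],  # LRW secondary key slot
        "master_keys": hdr[288:512],
    }

# Constructed sample; the values are chosen for the demo, not taken from a volume.
SAMPLE_HEADER = build_decrypted_header(
    salt=bytes(range(64)), version=2, min_version=0x0402,
    vol_time=1160000000, hdr_time=1160003600,
    keys=b"constructed-secondary-key-------" + b"constructed-master-key-material")
```

Feeding the parser 512 bytes decrypted with the wrong key returns None, which is the same failure the dialog above reports.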

If the examiner is lucky, there may be something unusual about the file that draws their attention.
One example of this is the size of the file. TrueCrypt volumes are mounted as logical disks, so
they are usually substantial in size.
Another, more advanced option is the identification of encrypted data by its binary structure.
Most encryption algorithms create data that, in addition to being encrypted, is highly random
across its entire length. If the data contained within a file is highly random, then there's a
good chance that it's encrypted.
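An added example (not from the book) of the randomness test just described: it measures Shannon entropy per 64 KiB chunk across the whole file, so a file that is random only at its start is not flagged. The 1 MiB size threshold, the 7.9 bits/byte cut-off and the whole-sector size check are assumptions chosen for the demo, and the sample "volume" is a constructed SHA-256 counter stream standing in for ciphertext.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512        # assumption: volume sizes are whole 512-byte sectors
CHUNK = 64 * 1024   # entropy is measured per chunk across the whole file

def shannon_entropy(data):
    """Bits of entropy per byte of the byte-value distribution (max 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data, chunk=CHUNK):
    """Entropy of every full chunk, so a file that is random only at the
    start (a random-looking front over a zero-filled body) still stands out."""
    return [shannon_entropy(data[i:i + chunk])
            for i in range(0, len(data) - chunk + 1, chunk)]

def looks_like_encrypted_volume(data, min_size=1 << 20, threshold=7.9):
    """Heuristic from the text: substantial size, no structure to key on,
    and near-maximal entropy along the ENTIRE length. The thresholds are
    assumptions chosen for this demo, not TrueCrypt constants."""
    if len(data) < min_size or len(data) % SECTOR != 0:
        return False
    ents = chunk_entropies(data)
    return bool(ents) and min(ents) >= threshold

def constructed_ciphertext_like(size):
    """Constructed stand-in for encrypted volume bytes: a SHA-256 counter
    stream is uniformly distributed, like ciphertext."""
    blocks = (size + 31) // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:size]

# Constructed samples: a 1 MiB "volume", a blank 1 MiB image, and a file whose
# first 64 KiB look random but whose remainder is zeros.
VOLUME = constructed_ciphertext_like(1 << 20)
BLANK = bytes(1 << 20)
RANDOM_HEAD_ONLY = VOLUME[:CHUNK] + bytes((1 << 20) - CHUNK)
```

Real volume images will score close to 8.0 in every chunk; compressed archives also score high, so the result is a lead for the examiner to follow up, not proof of encryption.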
