Wednesday, 23 December 2009

Quick and Nasty overview of finding TrueCrypt volumes

Registry analysis should be conducted on the system held in the HDD image. This helps determine whether the image has the following characteristics, each of which allows an analysis of the partitions that can be used to determine whether a hidden partition exists:

  • RAM Slack Fragments exist on the main drive images.
  • Registry calls to other drives exist.
  • Correct Defragmentation processes have not been followed to the specifications required by TrueCrypt.
  • System artefacts for the TrueCrypt drives, such as ones mapped as “P”, “Q”, and “Z”.

Entropy tests of both the bitwise and the bytewise stream need to be conducted and mapped, where entropy is the relative randomness of a given data unit.

When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). An analysis of the pagefile on the image may uncover artefacts of a TrueCrypt volume. TrueCrypt can be configured to use two (2) separate passwords. The first will open an encrypted but obvious volume. The second is used for a hidden volume that is designed to remain undetected if the first password becomes known to a third party.

Opening the TrueCrypt partition (if the outer password is obtained) allows further analysis of the partition. This can provide evidence that a hidden partition has been created within the outer partition:

· System artefacts and registry entries may point to this drive. The volume serial numbers are unique in the system registry.

· Registry artefacts for the mapped TrueCrypt drives may be recovered.

In most instances, system registry entries, logs and other artefacts can be found that demonstrate the existence of TrueCrypt partitions/drives in addition to those that have been admitted.

· Each TrueCrypt partition leaves a unique serial number in the registry of the system it is mounted on. The “fingerprints” associated with the decrypted drives (those for which a password has been supplied) do not match all the uncovered fingerprints when a hidden drive exists.

· An example of such a system artefact is displayed in Figure 1.


Figure 1 TrueCrypt Drive Artefacts

Figure 1 displays the unique serial number of one of the TrueCrypt drives used on a computer system with a hidden TC partition. This information conclusively demonstrates that a TrueCrypt drive was successfully mounted on the computer system, rather than its creation having been cancelled before completion.

As cancelling the drive format and creation process does not allow the drive to be mounted, any system artefact in the system's registry conclusively proves that the drive has not only been mounted, but that it has been successfully created and used.

A reconstruction of the hard drive into a virtual machine will allow for the extraction of TrueCrypt data from the host.

NTFS is a journaling file system. When TrueCrypt is used with NTFS, remnants of files are left on the drive. This is evidence of a further encrypted hidden volume.

Creating TC Partitions and testing for them

Creating a TrueCrypt Volume

The following stages document the process to create a TrueCrypt volume without a hidden partition.

To create a TrueCrypt volume, the process starts with running TrueCrypt and selecting “Create Volume”.


When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.


To create a partition, the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.


At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 1 (Standard TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.


The partition options may be displayed using the “select option” tab.


When a partition is selected, the user is next prompted to select an encryption option.


When a volume partition is being created, the size cannot be configured within TrueCrypt as the entire partition is encrypted.


The next stage involves adding the password that will be used to access the partition.


A short password will create a warning message as follows.


The partition is then ready to be encrypted.


Selecting the “format” button will start the creation of the encrypted partition. This results in a warning message; once it is acknowledged, the format and encryption process starts.


The format will then begin.


If this process is allowed to complete, the following message will be displayed.


Following this, the “Volume Create” page is displayed.


At this point the volume has been created and may be accessed.


Selecting the partition allows it to be mapped to a drive.


Selecting “mount” will display the password function screen. In this case there is no hidden password.


The following screen displays the successfully mounted partition.


When this partition is mounted, it may be accessed normally.


The fragmentation and entropy analysis of the drive are reminiscent of a mounted TrueCrypt file. An analysis of the entropy of the mounted partition, captured using “dd” to an image file, results in an entropy value that is significantly (statistically) less than that which is found when an encrypted partition exists.


In this event, there is no evidence of a hidden partition as one was not created.

The entropy of the unmounted and encrypted file is found to equal a value of 8 bits of random information for every 8 bits in the data file.


The entropy distribution of the unmounted file displays as expected for an encrypted volume.

Interrupting the creation of a TrueCrypt Volume

The following stages document the process to create a TrueCrypt volume without a hidden partition in the event that the format and encryption process has been terminated (as has been asserted).

Again, the process starts with running TrueCrypt and selecting “Create Volume”.


When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.


To create a partition (such as the partition on the HDD analysed), the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.


At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 2 (Hidden TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.


While the format is running, the abort button can be selected.


This results in a failed and incomplete format.


When an attempt is made to mount the incomplete volume using the volume password, the program reports an error stating that the partition is not a TrueCrypt volume. If the format has run long enough to create the volume header, the drive will mount successfully and be available as a drive.




The entropy distribution of a true TC partition matches that which would occur when a partition has been successfully encrypted. Where the format and encryption process has been interrupted, the entropy distribution varies significantly from that where the process has completed.


Where the entropy of a TC partition is significantly correlated to a completed TrueCrypt drive, we see no breaks within the file segments.

Additionally, registry artefacts have been uncovered. These entries only occur when a drive has been successfully mounted. This is clear evidence supporting both the creation and mounting of a TrueCrypt partition. This cannot occur if the drive creation process has been interrupted.

Creating a TrueCrypt Hidden Volume

The following stages document the process to create a TrueCrypt volume with a hidden partition.

To create a TrueCrypt volume, the process starts with running TrueCrypt and selecting “Create Volume”.


When this button is selected, the “TrueCrypt Volume Creation Wizard” starts.


To create a partition, the “Create a volume within a non-system partition/device” option is selected and the “next” button is selected.


At this point, two (2) options are presented:

· Standard TrueCrypt Volume

· Hidden TrueCrypt Volume

In the event that option 2 (Hidden TrueCrypt Volume) was selected, the following process would be used to create an encrypted volume partition.

The options are to create both the primary and hidden files at once (normal mode) or to add a hidden partition to an existing partition (direct mode).


At this stage the process is the same for either option and progresses as for either a normal or hidden partition.


First the “Outer partition” is created.


This is the unhidden partition and is visible. This partition is designed to offer plausible deniability of the existence of a hidden drive, provided all the conditions set by TrueCrypt have been satisfied completely.


Again, the outer volume partition may not be modified.


It is then necessary to add the password for the outer volume. This password is designed to be handed over in the event that the device is seized, so that the owner can attempt to claim that no information exists on the drive.


The drive is then configured with an outer partition that serves as an alibi, so that the inner partition password need not be disclosed.


The next phase involves the creation of an inner volume. This is a hidden volume designed such that the creator can deny having any information within the seized drive.


The hidden volume options are selected.


The hidden volume can be created up to a size nearly as large as the outer volume.


In the event that a large volume size is selected, a warning is displayed.


A second “hidden” password is then selected.


If the precepts of TrueCrypt have been followed exactly, the creator of the encrypted volume is now able to hand over the outer password and deny having created the inner hidden volume. Most TC partitions do not meet the requirements for a hidden partition to function (even without further analysis):

· The system may have saved registry artefacts.

· The volume could have been formatted using the wrong format type.

· Link files and journal entries can point to the TrueCrypt volume.

· Log files demonstrate the mounting and use of the TrueCrypt drive volume.

The inner volume is now formatted and created.


At this point a warning notice is displayed stating that the drive volume is ready for use, and that as long as the preconditions have ALL been met, it should be difficult to prove the existence of the hidden volume.


The completion screen is displayed.


To mount the hidden partition, the second password is used when mounting a drive in TrueCrypt.


The hidden drive is now mounted. Alternatively, the outer volume may be mounted without the hidden password.


Which mounts the outer drive.


Or the “Mount Options” button may be used, supplying the hidden password, in order to mount the outer volume without damaging the information contained within the hidden inner volume.


This mounts the outer volume with the encrypted and hidden inner volume being protected.


When this process occurs, the entropy distribution differs from that of a drive where the outer volume was not created.


As does the per-sector entropy distribution, which can be seen to be spread evenly across the volume.


A TC volume conforms in all material ways to a completed “outer” volume where a hidden volume has been created. The addition of system artefacts in the system registry and logs will further support this assertion.

Where the existence of system artefacts from a mounted TrueCrypt volume can be determined, there are only two probable conclusions:

  • The hidden TrueCrypt volume was created and remains on the drive. In this case the Hidden Partition is unavailable without a second password.
  • A Hidden TrueCrypt volume was created, but subsequently has been destroyed.

It could be possible to validate whether the second option is true if the second password were supplied. This would enable the hidden volume to be mounted if the damage was minimal, or the key to be extracted for validation otherwise.


Where the entropy distribution on the TC volume is distributed evenly across the partition of the HDD tested, it is evident that the encryption of the drive occurred successfully. If the format and encryption process was interrupted as was asserted, the entropy distribution of the drive would not display this pattern.

Encrypted Partitions

A TrueCrypt hidden partition of approximately 35 Gb in size is contained in the image displayed in the figure below.

One of the features that TrueCrypt touts is plausible deniability. This feature relies on the assumption that an encrypted volume cannot be distinguished from random data. The entropy distribution (as displayed in the image below) demonstrates that this is not the case; that is, TrueCrypt does not provide plausible deniability in this regard. The entropy distribution of a TC encrypted drive is greater than that of compressed data or even of normal pseudo-random functions.

Plausible deniability can be referred to as a property of the ideal model; the realised model aims to retain this property. The fact that it does not is a distinguisher, because it demonstrates a difference between the ideal model and the realised model. TrueCrypt has achieved a level of near-perfect entropy. This is displayed in the image below from sections 43 to 59 on the x-axis. The other high-entropy sections are related to the known TrueCrypt image called “recipes”.


Entropy is a measure of the randomness on the drive. Normal data has an entropy value between 1.0 and 7.85. Any value greater than 7.85 is related to an encryption process (including PRNGs).

The entropy of the hidden drive section used in this paper is 8.000000. The likelihood of this level of entropy occurring naturally is less than one chance in 100 billion. Entropy calculations were conducted using both a bit stream (an analysis of the 0 and 1 values) and a bytewise analysis (this is a character analysis, as included in the Appendix). This process demonstrates that an encrypted partition exists. When coupled with other evidence, this tips the balance of probability towards the existence of a TC volume. The strong evidence of encryption (due to the exceedingly high entropy values) needs to be coupled with the other evidence that can be found on a system.

The only option for acquiring the content of a dismounted TrueCrypt drive is a brute-force password guessing attack. This process is time consuming and, if a strong password is used, may exceed the life of the analyst. TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). A request to supply any files that may be a keyfile (such as a 1024k file on a USB stick) has been made.

Previous versions of encrypted containers can commonly be detected where the TC volume is created on a journaling filesystem (NTFS). By tracking any changes that occur within the free space of the outer container, it may be possible to detect the presence of a hidden container in the image being analysed.

Standard entropy calculations for a TrueCrypt drive have a narrow range with a low standard deviation (as can be seen in the histogram below).


In the experiments, the section of the hidden image related to the hidden partition displayed a larger than expected entropy range when compared over differing slice sizes (this is the size of the information compared at an instance to calculate entropy).


These factors provide strong evidence for the existence of a hidden partition. The alternative is that other encrypted data sources could have been used to create the high entropy segments.

The boxplot below displays the entropy distribution of the section in which the hidden volume (1) may be found, compared against the distribution of empty space (2) from a TrueCrypt partition with no hidden volume.


The requirement to protect the data contained within the hidden volume gives “slices” that display distinctly different patterns from those of a partition without a hidden volume. Although the average value remains the same, equality-of-variances testing will demonstrate significant variations.
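As an added example (not code from the post), the following Python implements the measurements the post relies on: bytewise and bitwise Shannon entropy, a per-slice entropy map, contiguous runs above the post's 7.85 bits/byte threshold, and a variance ratio for comparing two regions' slice distributions. The disk image is constructed inline from text, zero-filled and seeded-PRNG data; the 4096-byte slice size and the PRNG stand-in for ciphertext are assumptions.

```python
import math
import random
import statistics

# Threshold taken from the post: bytewise entropy above 7.85 bits/byte is
# treated as encrypted or PRNG output; ordinary data sits between 1.0 and 7.85.
ENCRYPTED_THRESHOLD = 7.85
SLICE = 4096  # assumed slice size; 512-byte slices under-estimate random data

def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte stream in bits per byte (maximum 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def bit_entropy(data: bytes) -> float:
    """Shannon entropy of the bit stream in bits per bit (maximum 1.0)."""
    if not data:
        return 0.0
    p1 = sum(bin(b).count("1") for b in data) / (8 * len(data))
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))

def slice_entropies(data: bytes, size: int = SLICE) -> list:
    """Bytewise entropy of each fixed-size slice (the post's per-sector view)."""
    return [byte_entropy(data[i:i + size]) for i in range(0, len(data), size)]

def high_entropy_runs(ents: list, thr: float = ENCRYPTED_THRESHOLD) -> list:
    """Contiguous slice index ranges [start, end) whose entropy exceeds thr."""
    runs, start = [], None
    for i, e in enumerate(ents + [0.0]):  # the sentinel closes a trailing run
        if e > thr and start is None:
            start = i
        elif e <= thr and start is not None:
            runs.append((start, i))
            start = None
    return runs

def variance_ratio(a: list, b: list) -> float:
    """F statistic (larger variance over smaller) for an equality-of-variances check."""
    lo, hi = sorted((statistics.variance(a), statistics.variance(b)))
    return hi / lo if lo > 0 else math.inf

# Constructed image, not a real acquisition: a plaintext region of alternating
# text and zero-filled slices, then a seeded-PRNG region standing in for ciphertext.
_rng = random.Random(2009)
TEXT_SLICE = (b"The quick brown fox jumps over the lazy dog. " * 92)[:SLICE]
PLAIN_REGION = (TEXT_SLICE + bytes(SLICE)) * 8
ENC_REGION = bytes(_rng.getrandbits(8) for _ in range(16 * SLICE))
IMAGE = PLAIN_REGION + ENC_REGION

def analyse(image: bytes = IMAGE) -> dict:
    """Slice-entropy map plus the summary figures a report would quote."""
    ents = slice_entropies(image)
    return {"slices": len(ents), "high_runs": high_entropy_runs(ents),
            "mean": statistics.fmean(ents), "stdev": statistics.stdev(ents)}
```

Slice size matters: 4096 bytes of genuinely random data score about 7.95 bits/byte, while 512-byte slices score near 7.6 because of sampling noise, which is why the post compares results over differing slice sizes.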


Anonymous said...

With regards to your point about Truecrypt leaving unique serial numbers within the registry for successfully mounted drives; I believe this to be incorrect, Truecrypt leaves, as can be seen in figure 1, 'TrueCryptVolume' appended with the letter the volume was mounted to. There is no way to tell whether the mounted drive was a hidden drive, an outer container of a hidden drive or simply a fully encrypted partition/drive.

Craig S Wright said...

"'TrueCryptVolume' appended with the letter the volume was mounted to."
You know it is a TC volume. The Volume field is distinct - this is not the value "TrueCryptN"

"There is no way to tell whether the mounted drive was a hidden drive, an outer container of a hidden drive or simply a fully encrypted partition/drive."
You have knowledge of the TC volumes. You know it was either an inner or an outer. The difference of a complete "fully encrypted partition/drive" can be determined from one with an inner/outer (with the password).

So you can make probabilistic determinations.

Anonymous said...

From my quick analysis of the data held in the registry the volume id appears to be sequentially generated by Truecrypt with the tag of TrueCryptVolumeX. A new volume ID appears to be generated every time a volume is mounted, hence the difference in volume IDs only proves that volumes have been mounted/unmounted more than once. This doesn't really indicate anything about the nature of the volume as indeed it could be the same volume mounted several times or different volumes mounted at the same/different times. As far as I am aware there is no specific information on when the volumes were mounted/dismounted (although a more forensic analysis may be able to uncover this information) and in any case a hidden volume cannot be mounted at the same time as its container or outer volume.

Hence this is in no way a reliable indication of the number of unique volumes or indeed the nature of said volumes.

This said my analysis was not thorough and indications on the amount/nature of volumes mounted may yet be attainable in some situations.

Craig S Wright said...

As stated "Quick and Nasty"

The supposed forensic methods do exist. I will get to publishing something.

I have planned something for SANS - but I have not had a good deal of spare time and other research has come first.

I will not promise anything quick in publishing as paid work comes first but I shall get to it.

Anonymous said...

I have a question, how do you tell if the volume that was mounted, was a usb stick, removable dvd drive, a smart phone, tablet, or other network drives. Not to mention when having a multi reader card you have a number of drives mapped and remapped based on drive letter availability.

Today users have many devices that connect, for example it's popular to have encrypted thumb drives, and to mount cd/dvd/blue ray images.

I would guess the more the devices and the longer the time, the more random the data will be, or will only show that there was all these drives mounted and unmounted.

Anonymous said...

Another thought came:
create 2 or 3 TC files with hidden volumes.

now one is largest, has outer and hidden, then place another TC file into that previous hidden file.

I am guessing that now your factor has gone through the roof, along with placing other TC files as decoys.

This method of parallel and serial placement of TC files (volumes) will give anyone a headache.

Craig Wright said...

To Anon (15 May),
You are confusing artifact analysis with entropy analysis.

The process looks at the drive image. It does not look to what it is (USB, HDD etc) but analyses the existing opened TC image. The issue is that you "can" be made to unlock a TC image.

Inside there may be a separate image. This is supposedly not able to be determined. That is not always true.

An issue remains that you could have a pair of hidden drives and have one inside another, but it will not fill the space and will look strange. Next, you can say it is an anomaly, but if the entropy looks as if it was something else? If you say you forgot the password will it really be lost?


Anonymous said...

you spelled artifacts wrong, doctor