Many packages that are useful in computer forensic environments have been discussed throughout the course. I decided to write about encryption and spyware protection. Specifically, I will explain TrueCrypt and Spybot - Search and Destroy. TrueCrypt is a free disk encryption package. It is also open source, so independent developers can legally change, modify, and/or extend the software at their sole discretion, as long as they comply with all terms and conditions of the TrueCrypt license.
An active research area in the digital forensics community is finding ways to detect hidden TrueCrypt volumes. Most methods do not detect the hidden volume itself; they infer its existence from traditional forensic remnants. For example, Mac and Windows systems typically have a file or registry entry that contains a cached list of mounted volume names. This list contains the names of TrueCrypt volumes, both standard and hidden. If the user gave the hidden volume a name, it will appear in this list. If investigators can somehow determine that there are two TrueCrypt volume names but only one TrueCrypt device, they can infer that a hidden volume exists. Ways to infer the existence of hidden volumes (at least on some Windows systems) are also described in "Detecting Hidden Encrypted Volumes" (Hargreaves & Chivers).
One of the most interesting features of TrueCrypt, and definitely one of the most controversial, is called plausible deniability: protection in case the user is forced to reveal the password of the encrypted volume. When a user creates a TrueCrypt volume, the user chooses whether to create a standard volume or a hidden volume. A standard volume has a single password, while a hidden volume is created inside a standard volume and uses a second password. Because the unallocated (free) space of a TrueCrypt volume is always filled with random data, as shown in Figure 23, it is not possible to distinguish a hidden encrypted volume from the free space of a standard volume.
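The indistinguishability claim above can be checked with a per-block entropy profile. This is an added example, not part of the original text and not TrueCrypt code: it builds two constructed sample volumes, one of which hides a second volume in its free space, and compares them. The SHA-256 counter-mode keystream is a stand-in for the real volume cipher, and the passwords, sizes and plaintext are made up.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # analysis window in bytes (size chosen for this example)
# Constructed plaintext: highly repetitive, so its own entropy is low
SAMPLE_PLAIN = b"quarterly report draft\n" * (BLOCK * 24 // 23 + 1)

def keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode, a stdlib stand-in for the volume cipher
    # (assumption: any sound cipher produces uniform-looking output)
    out = bytearray()
    for ctr in range(-(-n // 32)):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def encrypt(key: bytes, plain: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plain, keystream(key, len(plain))))

def entropy(block: bytes) -> float:
    # Shannon entropy in bits per byte (8.0 is the maximum)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def build_volume(hidden: bool, total: int = 64, used: int = 16) -> bytes:
    # `used` blocks of encrypted outer-volume data, the rest is free space
    outer = encrypt(b"outer-password", SAMPLE_PLAIN[:BLOCK * used])
    # free space is filled with random-looking data when the volume is created
    free = bytearray(hashlib.shake_256(b"format-time fill").digest(BLOCK * (total - used)))
    if hidden:
        # the hidden volume sits in the tail of the free space, second password
        inner = encrypt(b"hidden-password", SAMPLE_PLAIN[:BLOCK * 24])
        free[-len(inner):] = inner
    return outer + bytes(free)

def profile(volume: bytes) -> list:
    # entropy of every BLOCK-sized window across the volume
    return [entropy(volume[i:i + BLOCK]) for i in range(0, len(volume), BLOCK)]

if __name__ == "__main__":
    print("plaintext block entropy:", round(entropy(SAMPLE_PLAIN[:BLOCK]), 3))
    for hidden in (False, True):
        p = profile(build_volume(hidden))
        print(f"hidden={hidden}: min={min(p):.3f} max={max(p):.3f} "
              f"mean={sum(p) / len(p):.3f}")
```

Both profiles sit just below 8 bits per byte in every block, so entropy alone cannot tell which volume carries the hidden data, which is why investigators fall back on remnants such as cached volume names.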
VeraCrypt is the successor to the widely used TrueCrypt disk encryption software. Last year, the anonymous developers behind TrueCrypt gave up on it. On the assumption that TrueCrypt is no longer safe, a fundraising effort was started to audit TrueCrypt (forked into VeraCrypt). The results were not confirmed, but several problems were found in VeraCrypt, some new and some old. Not all of the problems can be solved.
A security company decided to eavesdrop on messages sent to pagers. Since none of these are encrypted, eavesdropping is easy. For four months, the researchers used 54 dollars of hardware to capture 54 million pages. They found many interesting things, but the most interesting were the nuclear power plant alarms they found in several states. For example,