HackFest Series: TrueCrypt is Now Detectable
Technomage
technomage.hawke at gmail.com
Fri May 1 01:46:01 MST 2009
Lisa Kachold wrote:
> TrueCrypt is now Detectable <http://www.forensicinnovations.com/blog/?p=7>
>
>
"Sorry Charley!" Not quite so fast. I have checked the tool as detailed on the site above and even tried a few tests. The results were inconclusive at best. The tool (as described) could not reliably tell the difference between a real encrypted volume (using TrueCrypt) and actual random data (as generated by /dev/urandom). The encrypted file volume was 1 GB and the 3 other random files were also 1 GB, and a known commercial product was used for creating a 5th (Mac's FileVault). The tool clearly stipulated that the FileVault volume was encrypted (it has headers), but none of the other 4 were detectable.

As an aside, I have been messing with encrypted file systems now for several months. I have found that both ccrypt (for file encryption) and TrueCrypt seem to work best for their specific purposes (and don't cost a mint).

Now, as for Forensic Innovations... have they posted any of their testing criteria, any procedures they used, type of hardware, base OS, etc.? I saw no mention of that, and further digging has resulted in a null return.

Now, if a company like EnCase or FTK or Paraben had done some tests like this, there'd be reams of documentation (such as publications, white papers, additional instructions in their product manuals, etc.). I have seen none of this so far.

I will be calling a representative at FTK in the morning and running this across their desk.
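The comparison Technomage describes (a headerless encrypted volume versus /dev/urandom output versus a container that carries a recognisable header) can be reproduced with a small statistical check. The script below is an added example, not code from the post, from Forensic Innovations or from any of the products named; it builds its own constructed samples (64 KiB instead of 1 GB, a SHA-256 counter keystream standing in for cipher output, and a made-up FAKE_HEADER_MAGIC standing in for a product header) and applies Shannon entropy and a chi-square test to each. The thresholds in classify are illustrative assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# All sample data below is constructed for this example. Sizes are far
# smaller than the 1 GB files in the post so the script runs in seconds.
SAMPLE_SIZE = 64 * 1024

# Hypothetical magic string standing in for a product header, like the one
# the post says FileVault exposes. It is not a real file signature.
FAKE_HEADER_MAGIC = b"CONSTRUCTED-ENCRYPTED-CONTAINER-v1\x00"


def keystream(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in for cipher output.

    Ciphertext from a modern cipher is statistically indistinguishable from
    random bytes; a hash-based counter stream has the same property and keeps
    the example deterministic and dependency-free.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """Three-way verdict: known header, high-entropy blob, or structured data.

    Thresholds are illustrative assumptions: 7.9 bits/byte is close to the
    8.0 maximum, and 400 is well above the roughly 255 +/- 23 that a uniform
    64 KiB sample yields with 255 degrees of freedom. Random bytes and
    headerless ciphertext both pass, which is exactly why they cannot be
    told apart by these statistics alone.
    """
    if data.startswith(FAKE_HEADER_MAGIC):
        return "header: known container format"
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "high-entropy: random or headerless ciphertext (undecidable)"
    return "structured: plaintext or other low-entropy data"


def build_samples() -> dict:
    """Constructed inputs mirroring the post's test set."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:SAMPLE_SIZE]
    return {
        "plaintext": text,
        "urandom": os.urandom(SAMPLE_SIZE),
        "headerless_ciphertext": keystream(b"volume-key", SAMPLE_SIZE),
        "headered_ciphertext": FAKE_HEADER_MAGIC
        + keystream(b"container-key", SAMPLE_SIZE - len(FAKE_HEADER_MAGIC)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:22s} H={shannon_entropy(blob):.4f} "
              f"chi2={chi_square(blob):8.1f} -> {classify(blob)}")
```

Running it shows the urandom sample and the headerless keystream landing in the same "undecidable" bucket, while only the sample with a plaintext header is identified as a container, which matches the outcome the post reports. Note that compressed files (gzip, JPEG, video) also score near 8 bits/byte, so a high-entropy verdict on its own says even less than "encrypted or random".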