Why doesn't TrueCrypt Container Update?
truthseeker
September 1st, 2008, 09:00 AM
I created a TC travelers mode container on the 31/7/08
I use it every day and save new data to it all the time.
But when I look at the 4GB TC data file, the time stamp still says, 31/7/08
Does anyone know why it doesn't update the timestamp?
The Configuration.xml file, which is in the same folder, has its time and date updated each day, so why not the 4GB TC data container?
KookyMan
September 1st, 2008, 10:18 AM
Because you have TC configured to preserve the timestamps.
truthseeker
September 1st, 2008, 06:27 PM
{QUOTE-> Because you have TC configured to preserve the timestamps. <-QUOTE}
Ahhh ok.
I looked at the options and found "preserve timestamps of file containers", and when I tried to disable it, it said: "Warning, if timestamps are not preserved, plausible deniability may be adversely affected!"
Could you please explain that to me in basic layman terms?
What exactly does "plausible deniability may be adversely affected!" mean?
And why is it such a bad thing for it to give a WARNING?
Thanks
Carver
September 1st, 2008, 07:00 PM
If you preserve the timestamps, the timestamp is made when the file container is made, not last accessed. The container could have been accessed 3 years ago when you made this, like you said, even though you really accessed it yesterday; that's what they call plausible deniability.
truthseeker
September 1st, 2008, 07:36 PM
{QUOTE-> If you preserve the timestamps, the timestamp is made when the file container is made, not last accessed. The container could have been accessed 3 years ago when you made this, like you said, even though you really accessed it yesterday; that's what they call plausible deniability. <-QUOTE}
So why the WARNING message if I disable it? Why does it matter if the timestamp gets updated to whenever I access it and write to it?
Is the reason in case someone stole my laptop and because the timestamp is old, that they won't think it contains any valuable current data? Is it to fool them?
Carver
September 1st, 2008, 08:02 PM
{QUOTE-> So why the WARNING message if I disable it? Why does it matter if the timestamp gets updated to whenever I access it and write to it?
Is the reason in case someone stole my laptop and because the timestamp is old, that they won't think it contains any valuable current data? Is it to fool them? <-QUOTE}
No, it is more like, say, your employer catches you looking at some encrypted folder on your laptop; you can tell him/her you last accessed the file 3 years ago (and old files or whatever), and getting your laptop stolen with sensitive files on it is a good reason to have a container anyway.
truthseeker
September 1st, 2008, 11:18 PM
{QUOTE-> No, it is more like, say, your employer catches you looking at some encrypted folder on your laptop; you can tell him/her you last accessed the file 3 years ago (and old files or whatever), and getting your laptop stolen with sensitive files on it is a good reason to have a container anyway. <-QUOTE}
Yeah, I love my TC container. I run everything in it. And in it I run portableapps, so there is no personal data on my Windows.
So I can disable the timestamp and it won't corrupt or harm my container?
Z32
September 5th, 2008, 11:31 PM
{QUOTE-> Yeah, I love my TC container. I run everything in it. And in it I run portableapps, so there is no personal data on my Windows.
So I can disable the timestamp and it won't corrupt or harm my container? <-QUOTE}
I found this section of TC's site quite interesting (please excuse the length, it all feeds in):
{QUOTE-> Plausible Deniability
In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:
1. Hidden volumes (for more information, see the section Hidden Volume).
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. However, note that for system encryption, the first drive track contains the (unencrypted) TrueCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption). In such cases, plausible deniability can be achieved by creating a hidden operating system (see the section Hidden Operating System).
TrueCrypt containers (file-hosted volumes) can have any file extension you like (for example, .raw, .iso, .img, .dat, .rnd, .tc) or they can have no file extension at all. TrueCrypt ignores file extensions. If you need plausible deniability, make sure your TrueCrypt volumes do not have the .tc file extension (this file extension is officially associated with TrueCrypt).
When formatting a hard disk partition as a TrueCrypt volume, the partition table (including the partition type) is never modified (no TrueCrypt "signature" or "ID" is written to the partition table).
Whenever TrueCrypt accesses a file-hosted volume (e.g., when dismounting, attempting to mount, changing or attempting to change the password, creating a hidden volume within it, etc.) or a keyfile, it preserves the timestamp of the container/keyfile (i.e., date and time that the container/keyfile was last accessed* or last modified), unless this behavior is disabled in the preferences.
* Note that if you use the Windows 'File Properties' tool to view a container/keyfile timestamp (e.g., by right-clicking the container/keyfile and selecting 'Properties'), you will alter the date and time that the container/keyfile was last accessed. Also note that if you view thumbnails of files in the Windows file selector (for instance, when selecting a container or keyfile in the Thumbnail file selector mode), Windows may modify the timestamps of the files (date and time that the files were last accessed). <-QUOTE}
I'm not sure about disabling the timestamp not harming your container, but if it can be inadvertently modified by other means as suggested, it doesn't sound like it could harm it to me.
{QUOTE-> So why the WARNING message if I disable it? Why does it matter if the timestamp gets updated to whenever I access it and write to it? <-QUOTE}
My guess re: the importance of preserving the original timestamp, is so that an adversary pays little or no attention to the container file, as the timestamp would suggest to them that you haven't accessed that ~.dat (assuming you changed the container's extension to ~.dat) file recently/for a great period of time, so it can't be of particular importance to you (or pertinent to their digging). Adversary xyz then potentially ignores the file.
I can only assume it would be compared with all other discoverable data...scattered word docs, images, folders & so on that were most recently accessed... So I suppose the more 'decoys'/suspicious/interesting looking files that then exist, the better the chances of your container file's non-discovery.
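Added example, not part of the original thread and not TrueCrypt's own code: a sketch of the general "preserve timestamps" technique the quoted documentation describes (record the access/modify times, write, then set them back), run on a POSIX filesystem. The function names and the constructed sample file are assumptions; it also shows that the inode change time (ctime) is not covered by the restore.

```python
import os
import tempfile
import time


def write_preserving_timestamps(path, offset, data):
    """Overwrite bytes in place, then put the old atime/mtime back."""
    before = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    # Restore access and modification times at nanosecond precision.
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    return before, os.stat(path)


def demo():
    # Constructed sample: 64 KiB of random bytes standing in for a container,
    # backdated 30 days so the preserved times are clearly "old".
    fd, path = tempfile.mkstemp(suffix=".dat")
    try:
        os.write(fd, os.urandom(64 * 1024))
        os.close(fd)
        old = time.time() - 30 * 24 * 3600
        os.utime(path, (old, old))
        before, after = write_preserving_timestamps(path, 4096, os.urandom(512))
        return {
            "mtime_preserved": after.st_mtime_ns == before.st_mtime_ns,
            "atime_preserved": after.st_atime_ns == before.st_atime_ns,
            "size_unchanged": after.st_size == before.st_size,
            # POSIX: ctime is the inode change time; utime() cannot set it,
            # and restoring the other two times itself updates it to "now".
            "ctime_newer_than_mtime": after.st_ctime_ns > after.st_mtime_ns,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```
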
truthseeker
September 6th, 2008, 12:23 AM
I removed the time stamp and it is running the same without any problem.
dantz
September 6th, 2008, 03:45 AM
{QUOTE-> My guess re: the importance of preserving the original timestamp, is so that an adversary pays little or no attention to the container file, as the timestamp would suggest to them that you haven't accessed that ~.dat (assuming you changed the container's extension to ~.dat) file recently/for a great period of time, so it can't be of particular importance to you (or pertinent to their digging). Adversary xyz then potentially ignores the file.
I can only assume it would be compared with all other discoverable data...scattered word docs, images, folders & so on that were most recently accessed... So I suppose the more 'decoys'/suspicious/interesting looking files that then exist, the better the chances of your container file's non-discovery. <-QUOTE}
Anyone familiar with TrueCrypt's capabilities will not be fooled by this type of grade-school subterfuge. Most encrypted data stands out like a sore thumb when you actually look for it. Any large, unrecognizable file containing extremely high-quality random data is very likely to be an encrypted file, no matter what filename, extension or timestamp is attached. The best you can do is try to hide it within wiped data, but even that technique is full of pitfalls and is difficult to do properly.
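Added example, not part of the original thread: a minimal version of the kind of check the post above describes, flagging a large file with no recognizable header whose bytes are statistically indistinguishable from random. The thresholds, the short signature list and the 512-byte size alignment are assumptions chosen for illustration; note that filename, extension and timestamp are never consulted.

```python
import math
import os
from collections import Counter

# A few common file signatures; a real tool would use a full signature database.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square of byte counts against a uniform distribution (255 d.o.f.)."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_like_encrypted_volume(data, min_size=64 * 1024):
    """Heuristic: large, sector-aligned, no known header, statistically random."""
    if len(data) < min_size or len(data) % 512:
        return False
    if data.startswith(KNOWN_MAGIC):
        return False
    if shannon_entropy(data) < 7.99:
        return False
    # Random data gives about 255 +/- 23. Far above: biased bytes.
    # Far below: too uniform, e.g. a repeating pattern.
    return 150 < chi_square(data) < 400


def demo():
    size = 256 * 1024
    # Constructed samples, not real files.
    return {
        "random_as_dat": looks_like_encrypted_volume(os.urandom(size)),
        "plain_text": looks_like_encrypted_volume((b"quarterly report draft\n" * 20000)[:size]),
        "png_header": looks_like_encrypted_volume(b"\x89PNG\r\n\x1a\n" + os.urandom(size - 8)),
        "byte_pattern": looks_like_encrypted_volume(bytes(range(256)) * (size // 256)),
    }


if __name__ == "__main__":
    print(demo())
```
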
Carver
September 6th, 2008, 06:47 PM
{QUOTE-> Anyone familiar with TrueCrypt's capabilities will not be fooled by this type of grade-school subterfuge. <-QUOTE}
There are a lot of different types of encryption software out there. KeePass Password Safe encrypts its database with Twofish or AES (128 bits/256 bits). You could hide several documents in KeePass's database. Keywallet also encrypts its database... with Blowfish; I never tried it though. Not everybody is familiar with TrueCrypt. I mean non-computer-forensics people or your average computer user.
LockBox
September 7th, 2008, 04:51 PM
{QUOTE-> Anyone familiar with TrueCrypt's capabilities will not be fooled by this type of grade-school subterfuge. Most encrypted data stands out like a sore thumb when you actually look for it. Any large, unrecognizable file containing extremely high-quality random data is very likely to be an encrypted file, no matter what filename, extension or timestamp is attached. The best you can do is try to hide it within wiped data, but even that technique is full of pitfalls and is difficult to do properly. <-QUOTE}
Hi Dantz,
I think you might be missing the point. The key word is "plausible." It's not that others don't know of the capability or understand what all you can or cannot do with TrueCrypt. However, it gives you plausible deniability - meaning they cannot prove that the containers were used yesterday. While I agree that on the surface it looks "grade-school", it's not about the actual features, or whether anybody knows of these things; it's that it offers the plausible deniability that cannot be proved. Just because you "can" do something doesn't necessarily mean you "have" done something. That's the thinking - it's more for legal purposes than anything else.
dantz
September 7th, 2008, 05:53 PM
I'm all for people using encryption, as it's an extremely effective way to protect your data. However, when users try to take things a step farther by attempting to hide the fact that they are using encryption they are generally wading into waters that are far deeper than they have imagined. Thanks to programs like TrueCrypt, using strong and effective encryption is extremely easy to do. However, hiding the fact that you are using encryption is practically impossible, and most of the schemes that I have seen to date are not at all plausible to a knowledgeable person with a healthy degree of skepticism.
I also feel that the term "plausible deniability" is widely misused and misunderstood. In most cases it should be replaced with something along the lines of "appears to be highly suspicious but would probably be impossible to prove in a court of law". Is this what most people are trying to achieve when they attempt to hide their use of encryption? I don't think so, as they obviously don't want to attract attention or suspicion of any sort. In my experience, most users are truly attempting to hide their use of encryption from all comers, and are not merely attempting to protect themselves from future legal proceedings. What they don't realize is how difficult that task can be and how many pitfalls exist.
Without going into great and interminable detail about all of the various ways to hide or disguise data and all of the various techniques for discovering hidden or disguised data, my advice for most users would be to either use encryption openly, or not at all.