"Truecrypt is now detectable"
Fontaine
April 30th, 2009, 09:59 PM
Not saying I believe; just reporting the news.
{QUOTE-> We recently started analyzing encrypted files, and found a method for detecting headerless encrypted data. Sure, it looks random, but not really. There actually is a pattern to it. You have to know how to extract that pattern. We just released version 2.23 of File Investigator TOOLS. This version detects TrueCrypt Dynamic files as well as most any other headerless encrypted file, as far as we have seen so far. Feel free to try the tool and see if you can find an encrypted file that it can’t identify. <-QUOTE}
http://www.forensicinnovations.com/blog/?p=7
Warlockz
May 1st, 2009, 02:07 AM
Nothing new.....What do you actually think an investigator is going to think a 1 to 250+ GB file is? Random Data? Just think about it, why would anyone have a file over a Gig just sitting on their machine for?
LockBox
May 1st, 2009, 02:44 AM
{QUOTE-> Nothing new.....What do you actually think an investigator is going to think a 1 to 250+ GB file is? Random Data? Just think about it, why would anyone have a file over a Gig just sitting on their machine for? <-QUOTE}
It's not just detectable as an encrypted file, but detectable as a TrueCrypt file. Kinda. It's really no big deal as it can't be proven to be a TC file, it is simply a random file with certain characteristics of a TrueCrypt file (the whole TCHunt thing which is no header, files divisible by 512, etc.).
Why it's there on your drive is of no consequence and no response is even required. Maybe a corrupted ISO? Result could be a file full of random noise. There's all kinds of answers to the question, but again, none is necessary.
The key to remember is this: Plausible deniability is all about legal deniability. That is still maintained and Truecrypt is still as reliable as ever, and it certainly doesn't give an attacker a leg up on decrypting the volume. TrueCrypt is solid.
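A sketch of the kind of file triage described in the post above (no known header, size divisible by 512), added here as an example; it is not the code of TCHunt or File Investigator TOOLS. The chi-square randomness test, its threshold, the magic-number list and the sample data are assumptions of this example.

```python
import hashlib
from collections import Counter

SECTOR = 512
# Short, non-exhaustive list of common magic numbers (chosen for this example).
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\x89PNG",
               b"\xff\xd8\xff", b"7z\xbc\xaf", b"Rar!", b"MZ", b"\x7fELF")

def chi_square(data: bytes) -> float:
    """Pearson chi-square of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def triage(data: bytes, chi_max: float = 400.0) -> dict:
    """Return each heuristic's result; 'suspicious' only if all of them hold."""
    checks = {
        "size_multiple_of_512": len(data) > 0 and len(data) % SECTOR == 0,
        "no_known_header": not data.startswith(KNOWN_MAGIC),
        # 255 degrees of freedom: uniform data averages about 255.
        "uniform_bytes": len(data) >= 256 * 5 and chi_square(data) < chi_max,
    }
    checks["suspicious"] = all(checks.values())
    return checks

def constructed_samples() -> dict:
    """Constructed inputs: a SHA-256 counter stream stands in for ciphertext."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(2048))           # 65536 bytes = 128 sectors
    return {
        "headerless_noise": noise,
        "odd_size_noise": noise + b"\x00",
        "zip_like": b"PK\x03\x04" + noise[4:],
        "plain_text": (b"ordinary text file content\n" * 3000)[:65536],
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob))
```

A positive result only says the file is headerless, sector-aligned and statistically uniform; it does not identify the program that produced it.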
traxx75
May 1st, 2009, 03:04 AM
The idea is that these tools make it easier to locate TrueCrypt containers. Sure, they can't explicitly say "This is a TrueCrypt container" but that doesn't mean the tool is useless.
If an investigative authority already has a list of passwords you use, there's no harm in them trying those passwords to decrypt the files containing random data you have.
Additionally, a very large number of users wouldn't bother creating files with random data in them to throw off investigators. Most of the time, any file with completely random data in it could be assumed to be possible encrypted data. We shouldn't assume that everyone who uses encrypted containers knows what they're doing :)
As Warlockz alluded to, the bigger the file, the less likely it is to be "random" data. You could possibly try and pass it off as a file generated for the purposes of entropy as part of a project or something like that but it'd still draw attention.
Fontaine
May 1st, 2009, 07:38 AM
{QUOTE-> Nothing new.....What do you actually think an investigator is going to think a 1 to 250+ GB file is? Random Data? Just think about it, why would anyone have a file over a Gig just sitting on their machine for? <-QUOTE}
I think most people that are hiding their media collection would need a container that large, but what about someone that has one document to encrypt and uses a 1MB container that previously hid well deep in the operating system?
This group is saying they have a tool that could sniff that file out.
Again, not saying I believe it to be effective though..at least until I test it this weekend.
dallen
May 1st, 2009, 09:57 AM
How does this discovery impact entire system encryption under TrueCrypt? I've read a lot of discussion regarding how this discovery relates to TrueCrypt encrypted containers; however, I'm also curious to hear thoughts on entire system and drive encryption. Thanks.
Warlockz
May 1st, 2009, 10:25 AM
{QUOTE-> How does this discovery impact entire system encryption under TrueCrypt? I've read a lot of discussion regarding how this discovery relates to TrueCrypt encrypted containers; however, I'm also curious to hear thoughts on entire system and drive encryption. Thanks. <-QUOTE}
When you boot your machine it asks for a password/keyfiles, but I guess it might if you're using a Hidden Volume!
LockBox
May 1st, 2009, 11:20 AM
It's made clear by the developers of this tool that, just like TCHunt, it's only effective in finding suspicious containers (files without headers and all that).
Nebulus
May 1st, 2009, 01:10 PM
{QUOTE-> We recently started analyzing encrypted files, and found a method for detecting headerless encrypted data. <-QUOTE}
LOL detecting headerless encrypted data is nothing new. This is just another guy/company that reinvented the wheel.
Fontaine
May 1st, 2009, 06:32 PM
{QUOTE-> How does this discovery impact entire system encryption under TrueCrypt? I've read a lot of discussion regarding how this discovery relates to TrueCrypt encrypted containers; however, I'm also curious to hear thoughts on entire system and drive encryption. Thanks. <-QUOTE}
Re: system encryption, this isn't really applicable because the tool searches for files. With Truecrypt whole disk encryption, one can customize the login screen so it reads "disk error" with a blinking cursor, or whatever misleading statement to throw off a potential intruder. You would just type in your password where the blinking cursor is. However, there are still ways of examining the boot record to tell Truecrypt is installed..it would just serve as an added layer of deterrence.
LockBox
May 1st, 2009, 06:42 PM
{QUOTE-> Re: system encryption, this isn't really applicable because the tool searches for files. With Truecrypt whole disk encryption, one can customize the login screen so it reads "disk error" with a blinking cursor, or whatever misleading statement to throw off a potential intruder. You would just type in your password where the blinking cursor is. However, there are still ways of examining the boot record to tell Truecrypt is installed..it would just serve as an added layer of deterrence. <-QUOTE}
Exactly. The mere knowledge that TrueCrypt is on a system doesn't lessen the security of the application. It's like a bank safe, just because you get somebody to take you to the back room and you get to see the actual safe doesn't mean you are now somehow any closer to being able to crack the safe.
box750
May 30th, 2009, 06:10 PM
TCHunt can also detect Truecrypt files, or so they claim, and it is freeware.
TCHunt:
-http://16systems.com/TCHunt/index.php
caspian
May 30th, 2009, 11:38 PM
I have TrueCrypt installed on my computer. I have no reason to think that anyone would ever look, but if they saw it installed and saw a truecrypt file, I am pretty sure that they would at least consider that it may be a truecrypt file. But what difference would it make?
chrisretusn
May 31st, 2009, 03:01 AM
You wouldn't need much to find my TrueCrypt file. It's a 4G file in my TrueCrypt folder. LOL.
arran
May 31st, 2009, 04:05 AM
As long as nobody can decrypt your container, who cares if it can be found? What does it matter?
caspian
May 31st, 2009, 12:59 PM
What if you zipped it? Would it still show? Of course if it's large that wouldn't work.
box750
June 9th, 2009, 01:12 PM
{QUOTE-> As long as nobody can decrypt your container, who cares if it can be found? What does it matter? <-QUOTE}
Yes it does matter in some countries, in the UK you can be sent to prison for refusing to reveal your password to encrypted data to the authorities.
Chuck57
June 9th, 2009, 02:07 PM
{QUOTE-> Yes it does matter in some countries, in the UK you can be sent to prison for refusing to reveal your password to encrypted data to the authorities. <-QUOTE}
They aren't there here in the States - YET!!
I use PGP free and have several files encrypted. Nothing the Oxygen Thieves in Washington would care about.
Still, if they came and demanded my password, I'd refuse just to annoy them. Let them take the computer and try to get the 25 digit password, small and capital letters, symbols, numbers. How long would it take? Let them earn their pay.
Carver
June 9th, 2009, 04:21 PM
{QUOTE-> I have TrueCrypt installed on my computer. I have no reason to think that anyone would ever look, but if they saw it installed and saw a truecrypt file, I am pretty sure that they would at least consider that it may be a truecrypt file. But what difference would it make? <-QUOTE}
I had an ISP tech rep come to the house to diagnose some trouble in the line, I have Truecrypt and Tor installed. The tech wouldn't say anything in front of me, but when he got back to the truck he definitely could and would call in and say I think he is trying to hide something he's got Tor and Truecrypt on his computer. To prevent that scenario from happening I deleted the programs till he left the house.
huangker
June 9th, 2009, 08:25 PM
{QUOTE-> I had an ISP tech rep come to the house to diagnose some trouble in the line, I have Truecrypt and Tor installed. The tech wouldn't say anything in front of me, but when he got back to the truck he definitely could and would call in and say I think he is trying to hide something he's got Tor and Truecrypt on his computer. To prevent that scenario from happening I deleted the programs till he left the house. <-QUOTE}
Well that is just based on your assumption that your ISP tech is going to judge you.
There are more important issues re whether this tool can verify a Truecrypt container or not e.g. if evidence can prove that it is an encrypted container, can you be jailed for not revealing its contents?
Copyright ©2002 - 2009, Wilders Security Forums