Wilders Security Forums  

#1
August 24th, 2009, 10:16 AM
stap0510
Regular Poster
Join Date: Aug 2008
Posts: 104
Truecrypt's PBA - an antiforensic installation question

Just to make sure no kind of digital forensics can be performed on my post-encrypted drive I've been thinking of the following:

- I'm using Windows XP, which of course became totally personalized over time.
- Making an image of the drive with DriveSnap to be written to another drive
- I'm doing this by removing the hard drive from my computer
- connecting it to another computer, as a second drive
- making an image from the secondary hard drive to the primary hard drive
- and returning the drive to the original computer/laptop
- Format (not quick) the drive in NTFS and/or perform Secure Erase
- Re-install Windows XP up to the point where you can install Truecrypt and Virtual CD-software for verification.
- I perform system-encryption with PBA on my entire drive with password XYZ

- Restoring the image of the drive with DriveSnap that was written to the other drive
- I'm doing this by removing the hard drive from my computer
- connecting it to another computer, as a second drive
- mounting the (system-encrypted) drive with TrueCrypt
- restoring the image from the primary hard drive to the secondary hard drive
- and returning the secondary drive to the original computer/laptop

It is by now of course completely clean from any cleartext data from the previous Windows-setup.

I could of course rebuild Windows from the bottom up by re-installing all the programs and a lot of (sometimes) minor settings.
But I'm hoping I can create a shortcut for myself by working with an image in this case.

But my question is if this particular procedure would mess up with TrueCrypt, since I'm restoring a setup within TC's PBA-environment that has been manipulated with a newer setup and also new encryption-key/salt/header in TC?
#2
August 25th, 2009, 05:09 PM
dantz
Frequent Poster
Join Date: Jan 2007
Posts: 576
Re: Truecrypt's PBA - an antiforensic installation question

That's an interesting approach, but it sounds like a lot of work for what amounts to a simple freespace wipe. I'm also not too sure whether or not your methodology would succeed, as I've never heard of anyone restoring an OS image via the "mount without preboot authentication" feature. You don't want to overwrite Track 0, and I'm not familiar with the capabilities of DriveSnap. If you can get it to work, please let us know. However, my recommendation is not to bother. TC can already securely wipe an entire partition or disk when you perform in-place system encryption, so you don't need to do a separate wipe.

Quote:
It is by now of course completely clean from any cleartext data from the previous Windows-setup.
I'm a bit confused by this statement. Are you saying that you expect your methodology to do more than merely clean up freespace? If so, please explain.

Last edited by dantz : August 25th, 2009 at 05:18 PM.
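
Added example (not part of any post in this thread): one way to check the "no cleartext left" claim is to scan a raw sector dump of the encrypted drive and flag blocks whose byte entropy is too low to be ciphertext. The 63-sector track 0 skip, the 4 KiB block size, the 7.5 bits/byte threshold and the sample image are assumptions made for this sketch; compressed data also scores high, so the scan only catches plainly unencrypted blocks.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512
TRACK0_SECTORS = 63   # assumption: classic MBR layout; boot loader area stays unencrypted
BLOCK = 4096          # scan granularity in bytes
MIN_ENTROPY = 7.5     # bits/byte; 4 KiB of ciphertext measures about 7.95

def shannon_entropy(block):
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return sum(c / n * math.log2(n / c) for c in Counter(block).values())

def find_cleartext_blocks(stream, skip=TRACK0_SECTORS * SECTOR):
    """Return [(offset, entropy)] for full blocks past track 0 that do not look encrypted."""
    suspects, offset = [], skip
    stream.seek(skip)
    while len(block := stream.read(BLOCK)) == BLOCK:
        h = shannon_entropy(block)
        if h < MIN_ENTROPY:
            suspects.append((offset, round(h, 2)))
        offset += BLOCK
    return suspects

def fake_ciphertext(n):
    """Constructed stand-in for encrypted sectors: SHA-256 in counter mode."""
    out = bytearray()
    for i in range(n // 32 + 1):
        out += hashlib.sha256(b"constructed" + i.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def sample_image(with_remnants=True):
    """Constructed raw dump: track 0, then 10 blocks, two of them optionally unencrypted."""
    data = fake_ciphertext(10 * BLOCK)
    blocks = [data[i * BLOCK:(i + 1) * BLOCK] for i in range(10)]
    if with_remnants:
        blocks[3] = (b"[constructed] C:\\Documents and Settings\\user\\notes.txt\r\n" * 100)[:BLOCK]
        blocks[7] = bytes(BLOCK)  # zero-filled block that was never encrypted
    return io.BytesIO(bytes(TRACK0_SECTORS * SECTOR) + b"".join(blocks))

if __name__ == "__main__":
    for offset, h in find_cleartext_blocks(sample_image()):
        print(f"offset {offset:#x}: entropy {h} bits/byte, not ciphertext")
```

For a real drive, pass a file object opened in binary mode on a sector-level dump taken without mounting the volume; a dump taken through the mounted TrueCrypt volume is decrypted and will be flagged throughout.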
#3
August 29th, 2009, 05:51 AM
stap0510
Regular Poster
Join Date: Aug 2008
Posts: 104
Re: Truecrypt's PBA - an antiforensic installation question

My goal is to regain the exact system that I had pre-FDE.
You see, a couple of my computers have now been running for many years.
Through those years I've customized these machines a lot with my personal settings and don't want to lose all that after FDE.

BUT, I do want to create an extra basis on which any form of digital forensics will be rendered useless. We are talking about a hard drive that is 5 to 3 years old.

So in the end I want to return the image of the original pre-FDE system to the drive within TC's FDE-environment.

I did a test last week, which failed at the return of the image.
So now I'm going to repeat that test, but now with an image that comes from a post-FDE image.
Redo the whole re-install stuff with TC in the end.
And then I'll see if returning the image will now work.

I hope that it is clear what I mean by all this.
#4
August 30th, 2009, 07:28 PM
LockBox
Very Frequent Poster
Join Date: Nov 2004
Posts: 2,079
Re: Truecrypt's PBA - an antiforensic installation question

I would suggest...

1. First removing the Truecrypt system encryption and PBA.

2. Do whatever you need to do regarding wiping, malware sweeping, registry cleaning, etc. Whether that's done on the same computer or not - it will achieve the same results. (Ideally, of course, a clean install is preferred, but you don't seem to want to do that).

3. Once your system is clean and sanitized to your liking, image the drive w/out Truecrypt.

4. Put the image on a TC encrypted external drive for safe keeping and put it away.

5. Re-install Truecrypt system encryption to your system.
 
