Wilders Security Forums  

  #1  
Old June 1st, 2011, 01:44 AM
Kanker Kanker is offline
Infrequent Poster
 
Join Date: Jun 2011
Posts: 3
Default TrueCrypt hidden volumes detectable?

Hello Gentlemen,

Is it possible for an analyst to detect the presence of a hidden volume on a Truecrypt-protected USB key? The little bit of research I've done so far has revealed wildly conflicting opinions on this question. Some insist no, others say that it is possible.

Your thoughts?
  #2  
Old June 1st, 2011, 02:13 AM
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,831
Default Re: TrueCrypt hidden volumes detectable?

I think they may suspect the space of your container/drive, but not necessarily notice that it's a hidden volume.
__________________
  #3  
Old June 1st, 2011, 03:11 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by Kanker
Hello Gentlemen,

Is it possible for an analyst to detect the presence of a hidden volume on a Truecrypt-protected USB key? The little bit of research I've done so far has revealed wildly conflicting opinions on this question. Some insist no, others say that it is possible.

Your thoughts?

It depends:
If you check the box that says "protect hidden volume from being overwritten" then when the outer volume is mounted it will only show up as the size of the outer volume. (I.e. 6 GB volume, 3 GB outer and 3 GB hidden, you would see the outer volume as 3 GB only.) This would be suspicious as the entire drive/file shows 6 GB. This mode is only supposed to be used when placing files on the outer volume for plausible deniability.

Now when forced to reveal the volume ideally you would NOT check that box and hence it would show as 6GB (the file's size). In the event the attacker writes a file to test that the actual size is true, they overwrite the hidden volume, destroying your data.

A well versed attacker would also force you to check that box and (somewhat) ruin the plausible deniability. You could of course have an excuse prepared for it.

It's not a huge hole but nonetheless don't rely on it against a sophisticated attacker. A much better defence would be an attempt at wiping it (or just the header) before they can force you to open it.
  #4  
Old June 1st, 2011, 12:47 PM
chiraldude chiraldude is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 117
Default Re: TrueCrypt hidden volumes detectable?

Checking the "protect hidden volume" does nothing if you don't supply both passwords. TC won't mount either volume until you supply both passwords if the box is checked.

It is impossible to prove a hidden volume but only if you follow the Truecrypt guidelines to the letter. Only if your system has never been out of your control can you be sure hidden data is hidden. If someone can make multiple copies of your disk between times you use the hidden volume they can prove it exists.
  #5  
Old June 1st, 2011, 01:09 PM
Cutting_Edgetech Cutting_Edgetech is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: USA
Posts: 1,728
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by chiraldude
Checking the "protect hidden volume" does nothing if you don't supply both passwords. TC won't mount either volume until you supply both passwords if the box is checked.
That makes no sense if you have to enter both passwords to mount either volume. If you're forced to give up the password by any means then the other person will know there is a hidden volume when you have to give them two passwords. Also, if you have to enter both passwords then how do you keep the hidden volume from mounting? I will have to play around with TC myself, and see what happens since I have never used a hidden volume.
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | Appguard | VoodooShield | Shadow Defender 1.1.0.325
  #6  
Old June 1st, 2011, 01:19 PM
Cutting_Edgetech Cutting_Edgetech is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: USA
Posts: 1,728
Default Re: TrueCrypt hidden volumes detectable?

I believe it would be obvious of the presence of a hidden volume if you encrypted a large volume or drive like 1TB, and it was only reading as something like 700GB when mounted. This is only an example. It would not have to be anywhere close to 1TB. It could be a much smaller volume. Does anyone believe I'm wrong? Could someone conjure up a believable story to the person forcing you to mount the volume as to what happened to the other 300GB of the 1TB?
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | Appguard | VoodooShield | Shadow Defender 1.1.0.325
  #7  
Old June 1st, 2011, 02:13 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by chiraldude
Checking the "protect hidden volume" does nothing if you don't supply both passwords. TC won't mount either volume until you supply both passwords if the box is checked.

It is impossible to prove a hidden volume but only if you follow the Truecrypt guidelines to the letter. Only if your system has never been out of your control can you be sure hidden data is hidden. If someone can make multiple copies of your disk between times you use the hidden volume they can prove it exists.

While you are right that you need both passwords for the option to be checked (protect hidden volume). The potential vulnerability still exists. A well versed attacker may force you to check the box and enter the password there too, (easy enough just say there isn't one).
As I said though if that is checked it reveals the outer volumes real size and not the size of the drive/file.
  #8  
Old June 1st, 2011, 07:31 PM
chiraldude chiraldude is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 117
Default Re: TrueCrypt hidden volumes detectable?

Quote:
As I said though if that [protection] is checked it reveals the outer volumes real size and not the size of the drive/file.
There would be no point in having a hidden volume if that were true. The size of the hidden volume is stored in the header of the hidden volume. Without the password to the hidden volume there is no way of knowing where the hidden volume starts. If you check protection and leave the hidden volume password blank and give the correct outer password, Truecrypt gives an incorrect password error. Volume protection does nothing unless you supply both passwords correctly.

Last edited by chiraldude : June 1st, 2011 at 07:57 PM.
  #9  
Old June 2nd, 2011, 12:28 PM
Kanker Kanker is offline
Infrequent Poster
 
Join Date: Jun 2011
Posts: 3
Default Re: TrueCrypt hidden volumes detectable?

While I sincerely appreciate the responses, this is exactly the kind of inconsistent feedback I've received on other forums.

Bottom line is this: If it is possible to prove the existence of a hidden volume then plausible deniability does not exist, and I can go to jail for refusing to provide American customs personnel with two passwords for my encrypted USB drive. It doesn't matter if they can never read the files. Only that they can prove that the hidden volume exists.
  #10  
Old June 2nd, 2011, 01:42 PM
chiraldude chiraldude is offline
Regular Poster
 
Join Date: Jul 2010
Posts: 117
Default Re: TrueCrypt hidden volumes detectable?

Plausible deniability is a tricky subject for sure. The only way you can have confidence in it is to really understand the details of how a hidden volume works with the encryption. You will never achieve the level of understanding you need by asking questions on a forum. In the case of Truecrypt, you must STUDY (not read) the manual. If you understand the details of volume headers and how they are embedded in the inner and outer volumes you will be able to answer your own questions about hidden volumes and other encryption issues.
Even when you understand the fundamentals you are still not done. Next you need to evaluate the type of threat you are protecting against. You need to make some assumptions about the methods your adversary is willing and/or able to employ to get your data.
Dealing with mafia, corrupt officials, prying roommates, etc. require totally different strategies on your part.

In the case of you needing to prove the hidden volume does not exist, some people create a small hidden volume and leave it empty. If prompted by an official, they enter both passwords to reveal the hidden volume and prove that it is empty.
Again, if you study the TC manual you will find that a customs official that has never had access to your data before cannot prove the hidden volume exists unless you provide both passwords.

Last edited by chiraldude : June 2nd, 2011 at 01:47 PM.
  #11  
Old June 2nd, 2011, 01:51 PM
Warlockz Warlockz is offline
Frequent Poster
 
Join Date: Oct 2008
Posts: 610
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by Kanker
While I sincerely appreciate the responses, this is exactly the kind of inconsistent feedback I've received on other forums.

Bottom line is this: If it is possible to prove the existence of a hidden volume then plausible deniability does not exist, and I can go to jail for refusing to provide American customs personnel with two passwords for my encrypted USB drive. It doesn't matter if they can never read the files. Only that they can prove that the hidden volume exists.

IMO the best place to find your answer is on a Computer Forensics Forum.
  #12  
Old June 2nd, 2011, 02:21 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by chiraldude
There would be no point in having a hidden volume if that were true. The size of the hidden volume is stored in the header of the hidden volume. Without the password to the hidden volume there is no way of knowing where the hidden volume starts. If you check protection and leave the hidden volume password blank and give the correct outer password, Truecrypt gives an incorrect password error. Volume protection does nothing unless you supply both passwords correctly.

That's pretty much what I said:
Quote:
While you are right that you need both passwords for the option to be checked (protect hidden volume)...

All I said is that if that option is checked (and in theory you could be forced to check it) it SOMEWHAT ruins the deniable plausibility. Though you can always lie about why the file size is greater than the volume size. The real issues lie within the fact that an attacker may force you to reveal a hidden drive that doesn't exist as you can not prove it doesn't exist.
  #13  
Old June 2nd, 2011, 02:26 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by Kanker
While I sincerely appreciate the responses, this is exactly the kind of inconsistent feedback I've received on other forums.

Bottom line is this: If it is possible to prove the existence of a hidden volume then plausible deniability does not exist, and I can go to jail for refusing to provide American customs personnel with two passwords for my encrypted USB drive. It doesn't matter if they can never read the files. Only that they can prove that the hidden volume exists.

If this is your worry I would invest in an IronKey. I just got one and love it. Best thing to do is place a TC container on it and e-mail the (encrypted) keyfiles to yourself. They can't attack an IronKey as it will self-destruct
  #14  
Old June 2nd, 2011, 02:54 PM
Cutting_Edgetech Cutting_Edgetech is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: USA
Posts: 1,728
Default Re: TrueCrypt hidden volumes detectable?

Are they worth the cost? They are expensive. I mean could you buy a good quality USB thumb drive, and then install some other good free software to accomplish the same thing?
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | Appguard | VoodooShield | Shadow Defender 1.1.0.325
  #15  
Old June 2nd, 2011, 02:56 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,854
Lightbulb Re: TrueCrypt hidden volumes detectable?

@ Kanker

I haven't encrypted my HD or USB, but I have tested TC on folders/files.

You could try TCHunt-1.5-en.exe http://16s.us/TCHunt & see if it detects anything. It successfully finds my 3 volumes on my HD.

__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #16  
Old June 2nd, 2011, 03:43 PM
tateu tateu is offline
Regular Poster
 
Join Date: Dec 2010
Location: Los Angeles, CA USA
Posts: 58
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by x942
While you are right that you need both passwords for the option to be checked (protect hidden volume). The potential vulnerability still exists. A well versed attacker may force you to check the box and enter the password there too, (easy enough just say there isn't one).
As I said though if that is checked it reveals the outer volumes real size and not the size of the drive/file.
The original question was whether or not the existence of a TrueCrypt hidden volume can be proven just by analyzing a TrueCrypt volume. If an attacker can force you to enter the hidden volume password...well, then that will obviously prove that a hidden volume exists but that has nothing to do with the checkbox for "Protect hidden volume..." In fact, it has nothing to do specifically with TrueCrypt at all. If an attacker can force you to do anything he wants, then you've already lost everything regardless of what software/hardware you use.

Quote:
Originally Posted by x942
All I said is that if that option is checked (and in theory you could be forced to check it) it SOMEWHAT ruins the deniable plausibility. Though you can always lie about why the file size is greater than the volume size. The real issues lie within the fact that an attacker may force you to reveal a hidden drive that doesn't exist as you can not prove it doesn't exist.
Again, same answer as above, "if you can be forced to do whatever your attacker wants..."

If you check that box but do not enter the hidden volume password, the standard volume will not mount. If you check that box and enter the wrong hidden volume password, the standard volume will not mount. If you check that box and do not even have a hidden volume, the standard volume still will not mount. The act of checking or not checking that box does not prove anything.

If you mount the standard volume without checking that box, the volume properties show the full size of the volume so the file size will be the same as the volume size.
  #17  
Old June 7th, 2011, 05:17 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by tateu
The original question was whether or not the existence of a TrueCrypt hidden volume can be proven just by analyzing a TrueCrypt volume. If an attacker can force you to enter the hidden volume password...well, then that will obviously prove that a hidden volume exists but that has nothing to do with the checkbox for "Protect hidden volume..." In fact, it has nothing to do specifically with TrueCrypt at all. If an attacker can force you to do anything he wants, then you've already lost everything regardless of what software/hardware you use.


Again, same answer as above, "if you can be forced to do whatever your attacker wants..."

If you check that box but do not enter the hidden volume password, the standard volume will not mount. If you check that box and enter the wrong hidden volume password, the standard volume will not mount. If you check that box and do not even have a hidden volume, the standard volume still will not mount. The act of checking or not checking that box does not prove anything.

If you mount the standard volume without checking that box, the volume properties show the full size of the volume so the file size will be the same as the volume size.

Let me clarify: All I meant to say is that if a volume is mounted with "protection" enabled then it gives away the existence of the hidden volume. I also said it is a VERY small problem but could be used against you in some cases.

Quote:
Are they worth the cost? They are expensive. I mean could you buy a good quality USB thumb drive, and then install some other good free software to accomplish the same thing?
It is well worth it. If you haven't already you should check it out here: www.ironkey.com The rundown is this:

- Always-on AES-256 bit CBC encryption, hardware based
- Encryption keys stored in a CryptoChip (basically a CPU just for encryption keys and generating them)
- Crypto Chip is covered with electron shielding to prevent electron microscopes from analyzing it.
- Keys never leave the device so Cold Boot and other attacks can't work.
- Inside is filled with epoxy making it water proof (far above military specs) and tamper proof (you are more likely to damage it trying to break in).
- Any attempt at opening it or entering the password wrong 10 times self-destructs the drive. This wipes out the keys and data then causes a NSA Wear-Level over the drive effectively rendering it and the cryptochip disabled forever and no data can ever be recovered.

Working in the private sector I know a lot of people that stand by them including military persons. The US military is even a huge buyer of them.

BUT this doesn't mean it is right for you or others on this forum. If you don't need a drive that is this secure (FIPS-140 level 3) then a normal TrueCrypt encrypted drive will do fine. I need the FIPS level 3 certification for work, not to mention as it is basically impossible to image the data I have very little to worry about.

Quote:
@ Kanker

I haven't encrypted my HD or USB, but I have tested TC on folders/files.

You could try TCHunt-1.5-en.exe http://16s.us/TCHunt & see if it detects anything. It successfully finds my 3 volumes on my HD.

Just to point this out: TCHunt just looks for random data. Download "DummyFile Creator" and create a dummy file with random data and it WILL detect it. TCHunt only works if the only random files are TC volumes. Easy way to fool it is plant a crap load of dummy random files. I believe Schneier wrote up on this too.
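The limitation raised in post #17, as an added example that is not part of the thread and is not TCHunt's code: a randomness-based detector gives the same verdict for any file of uniformly random bytes. The size rules, header list and chi-square band are assumptions chosen for illustration, and all sample inputs are constructed.

```python
import hashlib

SECTOR = 512                      # container sizes are whole sectors (assumed rule)
MIN_SIZE = 19 * 1024              # assumed minimum plausible container size
KNOWN_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"%PDF", b"\x1f\x8b", b"\xff\xd8\xff")
CHI2_BAND = (150.0, 400.0)        # loose band around 255, the mean for uniform bytes


def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def classify(data: bytes) -> str:
    """Return 'candidate' or 'rejected: <reason>' for one file's contents."""
    if len(data) < MIN_SIZE:
        return "rejected: too small"
    if len(data) % SECTOR:
        return "rejected: size not a multiple of 512"
    if data.startswith(KNOWN_MAGIC):
        return "rejected: known file header"
    low, high = CHI2_BAND
    if not low < chi_square(data) < high:
        return "rejected: byte distribution not uniform"
    return "candidate"


def prng_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode), offline."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def constructed_samples() -> dict:
    """Constructed inputs; none of them is a real TrueCrypt volume."""
    size = 64 * 1024
    text = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:size]
    return {
        "stand-in for an encrypted container": prng_bytes(b"container", size),
        "dummy file of random data": prng_bytes(b"dummy", size),
        "random data, odd size": prng_bytes(b"odd", size - 100),
        "random data behind a PNG header": b"\x89PNG\r\n\x1a\n" + prng_bytes(b"png", size - 8),
        "plain text": text,
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:38s} {classify(blob)}")
```

The stand-in container and the dummy random file get the same verdict, so a hit from this kind of check means "uniformly random bytes of a plausible size" and nothing more specific.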
  #18  
Old June 7th, 2011, 05:13 PM
StillAlive StillAlive is offline
Infrequent Poster
 
Join Date: Dec 2008
Posts: 17
Default Re: TrueCrypt hidden volumes detectable?

There are also
Encrypted Disk Detector http://www.jadsoftware.com/go/?page_id=167
and
TCDiscover https://code.google.com/p/tcdiscover/downloads/list
  #19  
Old June 8th, 2011, 05:32 AM
Kanker Kanker is offline
Infrequent Poster
 
Join Date: Jun 2011
Posts: 3
Default Re: TrueCrypt hidden volumes detectable?

After reading all this I have to say that I'm not willing to invest all the time required (and I lack the expertise) to make certain my hidden TC volume is totally safe from detection - so I need to find another solution for transporting or transmitting sensitive data.

Thanks again.
  #20  
Old June 8th, 2011, 02:30 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by Kanker
After reading all this I have to say that I'm not willing to invest all the time required (and I lack the expertise) to make certain my hidden TC volume is totally safe from detection - so I need to find another solution for transporting or transmitting sensitive data.

Thanks again.

How big are the containers? You could always use Steghide and put them in an image for safe keeping. Steghide has never been cracked or found detectable so it may be a good solution.

Another is to encrypt an entire flash drive or external HDD and use that along with FDE so no data leaks can occur. If someone looks at your flash drive, claim you just wiped it securely before leaving.
  #21  
Old June 8th, 2011, 11:48 PM
dantz dantz is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 579
Default Re: TrueCrypt hidden volumes detectable?

Quote:
Originally Posted by Kanker
After reading all this I have to say that I'm not willing to invest all the time required (and I lack the expertise) to make certain my hidden TC volume is totally safe from detection - so I need to find another solution for transporting or transmitting sensitive data.

Thanks again.
I'm surprised to hear such an intelligent comment. Most users just plunge right in without realizing how difficult it is to truly hide data from a knowledgeable adversary.
 

All times are GMT -4. The time now is 08:12 AM.

