Header swapping to help conceal data exits

Discussion in 'encryption problems' started by Palancar, Mar 16, 2016.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I was bored so I decided to do something publicly that has been possible for a some time privately using modified code. Due to VeraCrypt making this option public the thought came to me that “stealth” can get a small add on for off premises archives, or more advanced users with higher threat models.

    For many this wouldn't be worth the time, but trust me if done correctly it can add stealth and plausible deniability to your overall scheme. If you are just starting out there is almost no extra time involved, its only if you are considering a re-do where the time question becomes a consideration.

    I have confirmed this works perfectly using all public binaries for TrueCrypt and VeraCrypt, since BOTH programs are required to employ this tactic. There is nothing about this approach which weakens any security process and the ONLY downside is “operator error”.

    What I set out to accomplish is employ full device/partition based external drives, and in my case most are stored off premises in multiple locations. Due to limited control over multiple physical locations I need to be ready for an adversary to present one of those drives to me demanding I open them. With that in mind I need an encryption scheme that offers a DECOY I can present while hiding my valuable and personally threatening data. I love LUKS and we can argue the law all day long. In reality I'ld rather present a nice decoy than fight my 5th amendment stuff refusing to open LUKS when it is my friends' locations where these archives are stored. Each location has one 2 TB external with a small accompanying flash containing a TC portable folder on it. That little flash allows the external to be opened on any windows computer (assuming you know the correct 40+ character password).

    Lets get to it.

    First I forensically clean the 2 TB external drive and then I create a device encrypted volume with NO format using TrueCrypt. Now I open the volume and decide to format it using ExFat, which Windows will do for you and TC will not interfere. I have tons of research and papers on the ExFat filesystem. It is non-logging and will allow files beyond 4GB which was a problem for Fat32 users over the years. There are tons of major corporations and huge archival “units” that employ ExFat for numerous reasons, mostly over NTFS. The filesystem is the subject of another thread. Lets move on.

    The volume you just created is the same and just as secure as any other TC device based volume. You will create several copies of the volume header backup. Small and easy takes seconds to create one, but in this case you will be using them instead of storing them just in case. Next, the same as any other decoy volume, you will load it up with seemingly critical important data. Since it is stored off premises it can be old data just so long as it appears VERY important to protect ----- plausible need!

    Close the volume and make sure you have TC header backups (multiple). Exit TC and startup VeraCrypt. As a simple test open the volume with VC in TC mode and verify the files are intact and the volume shows ExFat as the filesystem ---- it will! Now close it and then use the VC volume tools to change either the password or algo, etc.... which will cause VC to convert the volume header to a VC volume header. I would recommend adding a custom PIM during the process to harden your new header. Don't panic this is easy. Once this is done you now have a VC volume header and can open the volume using VC. Go ahead and open it and you'll see the files are intact and again still the ExFat filesystem. Next, we create a hidden volume inside the outer/decoy volume. You can select any filesystem you want and most of you will use NTFS on your large drives. Remember long and strong passwords with PIM are the “hardest” for an adversary. Now load/fill your hidden volume with all your critically important private data and close the volume. CRITICAL step is that you again make multiple volume header backups because these are going to be used not just “spare tire” backups.

    Now you have 2 TB of encrypted data with a solid hidden volume inside! You also have 2 header backups created by TrueCrypt and 2 header backups created by VeraCrypt. Lastly to complete backup needs for security, we create a simple MBR backup of the external device ----- this is for safe keeping in case something gets hosed.

    Now comes the concealment step. Open TC and restore the TC volume header backup to the external drive. You crazy Palancar? Nope its safe to do. Go ahead and restore it. Now open the volume using TC and you will see the decoy files are intact and all appears like a normal ExFat filesystem archive. Don't mess around in there because you can't employ hidden volume protection now! I'll explain later. Close it and place it in the small storage bag with the TC portable flash drive and its ready for off premises.

    So what does this accomplish? A couple of things. There is NO evidence that VC was ever used on this drive because it now fully depicts and is a TC only device encrypted volume ----------- even if you were to open it for an adversary. The accompanying small flash, which likely would be considered a KEY for the device reflects ONLY TC ever being used. The flash “key” shows TC is used to open the device (TC Portable). I am going to assume that anyone considering this approach is familiar with TC Portable and how easily it is used. I hesitate to mention this (could confuse a newbie) but the decoy volume (using TC) can be setup to require a keyfile along with a password, which could conveniently be placed on this little flash too. That would lend credence to TC as the only software to open the volume. If you go that route make sure to backup the keyfile and save it in case someone loses the little flash drive.

    Still show me the value? TC does not understand ExFat and anyone using this filesystem CANNOT have a hidden volume inside. There are scores of papers written on the value of the ExFat filesystem. Many TC users employ filesystems of various linux flavors, which also work great within the volumes TC creates. They are secure and safe but they also don't allow for hidden volumes because TC doesn't speak their language.

    Picture this and see if it describes any need for you. You have a decoy computer running Windows with TC on it and no evidence or trail showing any VeraCrypt use. The TC portable flash I described can be used anywhere and it only has TC on it.

    So if you are in a position where no adversary can demonstrate you have used VeraCrypt then this configuration adds deniability IMO.

    Obviously, when you want to use the hidden volume you would simply write the VC volume header back to the drive (30 seconds). Then back to the TC header on the way to storage.

    Just a small addition depending upon your comfort with denying any VC familiarity.
     
    Last edited: Mar 16, 2016
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    If an off premises drive gets nabbed an adversary might just commence brute forcing to gain access. In this case there is NO header for the hidden volume and there would be nothing but random characters in the slot where the hidden header would be. In other words they would be brute forcing random data with no successful outcome.


    Another note: you can quickly perform this task by creating a 50 mb test volume on your desktop and do the whole thing in under 10 minutes. Play with it before going to 2 TB!
     
    Last edited: Mar 16, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.