how some softwares can detect a truecrypt volume?

Discussion in 'privacy technology' started by tom1876, Jan 4, 2014.

Thread Status:
Not open for further replies.
  1. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    if truecrypt encrypted data appears just random data then how some softwares can detect it as truecrypt encrypted data?

    and how to prevent this?

    for example:
    passware kit forensic from lostpassword can detect my truecrypt file container as a file encrypted by truecrypt.I havent tried it on encrypted partitions yet.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    The only things that make a Truecrypt volume unique are:

    All TrueCrypt files have a size that is a multiple of 512.

    Data appears completely random. (passes chi-square distribution test)

    No recognizable file header.
    If there is a header (like jpeg or word doc) it can't be mounted by Truecrypt.

    I've wondered what would happen if you artificially appended some random data to the end to mess up the 512 thing. I think TC would still mount it since it only reads the end of the file if trying to recover the backup header.
    Wouldn't stop a serious NSA search though. They would see a file full of random data and assume it was encrypted. No other reason for it to exist.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.