TrueCrypt hidden volumes detectable?

Continued from thread:
https://www.wilderssecurity.com/showthread.php?t=300401
(the thread is apparently closed due to age)

I dont get the conflict in that thread.
Here is the situation as I understand it (please correct me if I'm wrong).

Suppose I have a 1TB drive on which to create the hidden volume.
The outer "standard" volume creation first writes random data to the whole of the 1TB drive, as a way of securely wiping the drive.
The data files (say 20GB) to the standard volume are then written normally.
So, the outer volume when mounted shows 20GB used, 1TB drive.

The hidden volume is written to the unused space on the 1Tb drive, but without the hidden volume password, this hidden data is indistinguishable from the first random wipe data that was written.
If you select write protection and give the wrong password, it is indistinguishable from the situation where you do NOT have a hidden volume, and have just the standard volume.


If the adversary has not had access to your HDD before, the only way the adversary can figure out that you have a hidden partition is if you tell him.


+++Caveat: unless programs have written things into temp files in non-hidden partition during last use.

 

Hi,

I wrote TCHunt and TCHead. Part of the old thread you referenced has screen shots of my software.

Based on my experience working with TrueCrypt volumes, I have not seen a difference between volumes that contain hidden volumes and ones that do not. TCHunt does not differentiate, it cannot. This is a common question. So common, in fact, that I placed it in the TCHunt FAQ. The only way to tell for certain that a hidden volume exists (based on my experience) is to provide the hidden volume password and attempt decryption using that password.

Anything is possible, but I have not seen or heard of a way to detect hidden TC volumes or to differentiate them from standard volumes that do not contain hidden ones. And without proof of this showing how to do so, I would say it's just unfounded conspiracy theory, nothing more than that.

Hope this helps.

 

If your adversary is able to obtain the password to your outer volume then they can analyze the various characteristics of the volume and its data, including most importantly the data's layout on disk. Based on those findings the likelihood of a hidden volume's existence can sometimes be determined, although it's much easier to rule it out than to show that it's there and you'll never have 100% certainty. However, many situations do not require 100%.

 

Bruce Schneier did some research on it

Latter on he mentions that:

So while it may not be possible to break it cryptographically without FDE you are leaking it's presents back into the system(s) you mount it on.

I don't find them usefully. I mean a normal encrypted volume can not be proven different from psuedo-random noise so all you have to do is say you previously wiped the hard drive because you were going to sell it. (I have done it and it works; at least in Canadian courts). I think they are over kill.

 

Experience like this ^ is what makes Wilders the best. Thanks for the post. I overkill everything...256bit pass phrase, WITH a Key File on a dongle

PD

 

x942, considering your experience with encrypted systems, would you be so kind to help me out on this subject, please?

Thank you

 

Same here. My passwords are at minimum 60 chars. most are at the 70+ point. This basically means that my passwords are so long there are more permutations (possible combinations) than a 256-Bit key. Use key files all the time too. Most are stored on another encrypted drive with a different password.

 

What happens if the key file gets corrupted? I keep key files on encrypted volumes too.

I was intending to copy the key files to minimize possibility of corruption but then I remembered that when choosing the key file TC says something like (paraphrasing): "Please note that only the path will be remembered and not the file itself". Would a copy of the key file on a different location work?

 

Not sure where that quote is from. But I know TC uses the first 1MB of the file:

As per their documentation


So provided the first 1MB remain intact you are fine. I would say not to back up the key file as that would lessen security but if you feel better doing so store them on a second encrypted device (flash drive or so). I have never had issues with keyfiles even one I used for 3 years. So I think the issue is mute as long as you are careful where you store them. I use an external USB drive for them the Drive itself is encrypted.

If it does become corrupt you can NOT access the container unless you can recreate the keyfile. Presumably you use a random file made with TC's keyfile generator or by other means. In which case you can NOT recreate it.

 

Hmmm, my truecrypt has a 64 char password limitation

 

Keyfiles are indeed recognized and used no matter where they are. Just because they are in, for instance, the sys32 folder at set-up, doesn't mean it has to stay there. They can be moved on to a flash drive, backed up on to secure cloud storage, downloaded and used from another computer completely. I know, because I do it all the time.

 

I was refering to my passwords in general. I use the maximum aloud length. So truecrypt all of them are 64 chars. PGP I have a 70 Char password and my Linux Laptop with LUKS FDE has a 100 Character password (I know part of it and my Yubikey is set with a static key with the remainder of it; it's somewhat a two-factor scheme). I use keyfiles and two-factor authentication where-ever possible.