Discrepancy Found in TrueCrypt v5.1a

Hey all. I was just working with some files trying to clear stuff out and I found a discrepancy with two copies of TrueCrypt v5.1a. Both were downloaded months apart, the first was downloaded during its initial release, along with the PGP verification that was provided by TrueCrypt.

A couple weeks ago I downloaded another copy of v5.1a (After the release of v6.0) as I wanted to test something and couldn't find the original archive that I had downloaded. This second download is .12MB larger. I downloaded the associated PGP verification, which also verified as accurate.

The PGP verifications don't work with each other, just the version that was downloaded at the same time (two different signatures obviously).

Anyone notice mid-term changes in TC applications before? Are they updating it without actually releasing new version numbers? I can't ask on the TC forum because it is still down over a week later.

For comparisons, here are a couple hashes from the files:
TrueCrypt v5.1a Install dated 15MAR08, 2,585KB
MD5: 0b02b6a8b9437f8968cbe8719722079b
SHA512: 3200e65995dc655c29b06f3ee363c16591e9526f219fc3a8531d9b76b2cbe72e4a35d3136a74292a79aa2decd9c7a530be066b6d3f12f94f094d8712c70441d2

TrueCrypt v5.1a Install dated 3AUG08, 2,696KB
MD5: 9f2c390917d60aa2f729516cd1a6818f
SHA512: be80093e9946654320e6689fae149779df45fba4959d7b7ff2d70503b0ef84ea750b08b12bd0f02924c2c1a81ff7fdf66f672817125bd959998ffe9c66f8e857

 

Hi KookyMan

Interesting find, well done !!

I have just checked an old version I have of Truecrypt 5.1a

Downloaded 18 March 2008.

SHA 512:
3200e65995dc655c29b06f3ee363c16591e9526f219fc3a8531d9b76b2cbe72e4a35d3136a74292a79aa2decd9c7a530be066b6d3f12f94f094d8712c70441d2

So our Truecrypt 5.1a both match as of March 2008.

Since both releases you have are PGP sighed I would have to assume that they did indeed update 5.1a without updating the version number.

 

Just fired up my VM. I found the first (if multiple) differences between 5.1a-original and 5.1a-new. The new 5.1a during installation wants to disable the page file as v6.0 does, but the old 5.1a does not.

The question is, why this change? Trying to fix a problem in an old version that they didn't want to admit to? The fact that they made the change, and any other changes, without acknowledging it bothers me.

I can't wait for the TC forums to come back up to put this out there.

Actually, this also creates a new problem. The source code was never released for this version of TrueCrypt. You can only get access to the source code of the current version, and if they changed 5.1a when they moved it into the "old" releases, you can no longer access the source code of the new modified version.

 

Who knows what's going on with Truecrypt lately, I'm growing ever more cautionary about them honestly. The vulnerability thing is bad, but that kind of thing happens, tech changes every single day and what was once an "impossible to foil" security measure eventually gets foiled. That's progress for you. The forums though, yeesh, they've been ugly for a while IMHO, and, eh, I don't know, it's getting a little fishy.

 

Hello,
What exactly did "get foiled?"
Ugly forums does not mean something is fishy, either.
Mrk

 

I asked someone who is involved with TrueCrypt quite closely as he had in the past developed two add-ons for it to take a look.

According to him, the installers for 4.3a and 5.1a have both been changed in the recent past. They are almost identical with v6.x's installer which disables the pagefile now by default (user selectable option.) They also updated the included license file. The program itself, as well as the driver files, remain identical with their pre-6.0 selves.

In his words, "In my opinion they have just polished the license and the installer to be up to date."

So it appears that things are still kosher, but I wish they would have made some sort of indication that the installer was changed.

 

The issue of TrueCrypt silently changing binaries within the same release has occurred before. Here is a site that attempts to track TC releases and collect discrepancies such as this:

http://16systems.com/TCHunt/old_TC_versions/

 

interesting note

thansk for passing that along since i been using 5a for a good long while from first release but not recent one.

 

Followed that link, and they are claiming to have a program that can find TrueCrypt containers. I'd love to know how, considering a TC file is only pure random data for the most part, and there is nothing that isn't encrypted. (Not counting system encryption.)

I'd love to try it out and test the effectiveness of it.

 

I'm guessing it begins with a process of elimination by excluding all file types with known, identifiable headers or other identifiable characteristics, followed by a random data analysis of the remaining unidentifiable files. Files containing nothing but high-quality random data would be put on the suspects list. I guess you'd also have to set some size boundaries so you wouldn't end up analyzing every file on the drive. It sounds like a fun project!

 

The thing is, you'd still only end up with a list of 'Suspects'. There is no way at to actually say that a given file is a TrueCrypt container. They even have a file in the file list that infers that they are capable of detecting a hidden container. *Shrug I guess we'll learn more when its out.

 

It should be noted the company behind the software in that link is 16 Systems. They are the ones with the "Great Zero Challenge" where they have offered a reward to any professional data recovery company can recover anything from a modern hard drive simply overwritten once with all zeros.

Link to Great Zero Challenge info is here - http://16systems.com/zero/index.html

 

I decided to research them just a little bit. Talk about an annonymous group.

Domain Name Information is :

Administrative Contact:
Admin, DNS
16 Systems, LLC
P.O. Box 356
Blacksburg, Virginia 24063
United States
5405774781 Fax --

The Phone Number doesn't show up in the reverse lookup I checked (not to say it isn't in something).

The entire claim to fame for this group/company/etc is a program called Find_SSN which searches a hard drives files looking for social security and credit card numbers. They even admit that there can be false positives and false negatives in the results of the program.

If they have a similar disclaimer on their TC Container Detector, "This program will find your TrueCrypt Containers. There may be false positives or false negatives in the results." (In other words, it may miss some that are there, or say things that really arn't containers are.. How useful is that?)

 

To be fair, their other claim to fame is what I wrote about in the post just above yours. Slashdot 3 months ago:
http://hardware.slashdot.org/article.pl?sid=08/09/06/189248

Also, their Find_SSN program is a security program to run on your own computer to make sure you don't have any SSN's or credit card numbers in clear text in any documents on your computer. It's actually a very great tool as it found my SSN in a letter to my health insurance company. I keep all my data inside a TC volume anyway, but most people don't and this software makes for a good scan. Could it be used for nefarious purposes? Yes, just like about anything else - example: the knife that cuts your beef on the plate can cut a throat; that doesn't make knives "bad".

 

I use a utility called USBDLM. It's a service level program that manages USB drives. It can identify TrueCrypt devices and can be scripted to perform actions on them when connected.

http://www.uwe-sieber.de/usbdlm_e.html

 

Management of USB and other external devices that assign drive letters can all be configured to allow/disallow Truecrypt mounting. But it's based on enterprise management and has nothing to do with "snooping out" Truecrypt containers, partitions, etc. In other words, this is no big deal.

 

I just noticed that they have an alpha version of TCHunt available. I tried it and it worked. It's limited to files between 15 and 100 MB. It found a sparse truecrypt volume I made. The ent program reports the same volume as being non-random (0.01 on chi-squared test). Weird. I wonder how they are doing this?

 

Are there any other companies that will create a folder like truecrypt? I know axcrypt will encrypt a file, but it won't create a container.

 

I'm wondering if it searches for all 'random' data files. This is interesting, I might actually be compelled to visit the TC forums (I've avoided it since they went a little overkill on rule/fanboism) and see if they are talking about it.

 

Interesting they are at fashioning something of this nature but nonetheless i would like to see if it can zero in and identify a true crypt container lodged within RETURNIL's Virtual Partition.

I've been experimenting with different methods of concealing only to see exactly what third party tools or programs can surface supposedly hidden data areas for a change of pace from running down malware all the time. LoL

I D/L'd the alpha and will try it later although i don't expect much from it because of course a TC container lying openly anywhere on a windows system is easy to detect. The acid test will be when that tool gets improved to see if it can delve deeper like i mentioned which i highly doubt, so begs to wonder what this project is just for fun or what.

 

Someone mentioned in the TC forums (which seem to be down, now) that TC containers have size a multiple of 512, and that TCHunt uses that.

The thread was closed by a moderator, and I started a continuation. That thread has been deleted and my password has been changed.

 

The TCHunt FAQ now describes the steps used to ID TrueCrypt volumes.

http://16systems.com/TCHunt/faq.html

 

Thank You e4m

Theres multiple ways, regarding a TC Container specifically where it can be buried inside other softwares, Virtual Systems like i mentioned is one of them. I would bet the farm no matter what tool they compile would ever be able to fine or surface a TC Container lowered into a say Virtual System app. I tested as a break from malware a few times of doing this and if there is a program capable to pull off such a feat, i would put more confidence in first ERD Commander as a isolated file search app that holds a good chance of locating any TC Container as well as TestDisk.

Anyone care to comment or refute my speculations on this? Because i haven't tried it yet myself. But makes sense IMO.

EASTER

 

Actually, I suspect that any encrypted file that fulfills their conditions will register as TrueCrypt volume. The solution to counter one of the conditions is not to make containers multiple of 512 bytes (it is trivial to add a random number of random bytes in a TC container). As for the statistical analysis of the file, it is impossible to conceal the fact that it has encrypted/compressed data, and because of the lack of a header the compression is excluded.

 

tinchote -

It was that very behaivor that made me quit visiting the TC forums. I must say, behavior like that makes me think there are more problems with the software that they just don't want to get around.