Anyone Familiar with TrueCrypt?

Discussion in 'privacy technology' started by scrambledegg, Jan 22, 2008.

Thread Status:
Not open for further replies.
  1. scrambledegg

    scrambledegg Registered Member

    Jan 21, 2008
    I have a pressing question about TrueCrypt. Granted it may in fact be nothing more than my ignorance of exactly how the prog is supposed to operate. The problem deals with hidden volumes.

    As I understand it, a hidden volume is simply a container within a container. Using this technique you then have acquired "plausible deniability", whereby you can easily deny the existence of the hidden container, since it cannot be proven that it actually exists. (Hopefully I am not mis-stating anything here.)

    Let's say for example that on a new partition I place the following files:
    video2.mpg and

    Now I create a TrueCrypt container and call it video3.mpg (since you can give a container any extension and the idea is to make the container blend in with my existing files.)
    The purpose of this container is to hold a hidden container where I will place my most sensitive files. I will therefore size this container at 60GB.

    Inside this container (video3.mpg) I place a few files that I would like to hide, but would not be disastrous if they were to be found.
    Let's say these files are:
    music2.mp3 and

    Now I am going to create my hidden container. I will call my hidden container music4.mp3. This container is created 'inside' my outer container (video3.mpg). This will be where all of the files I really want to keep hidden will be located, so I'll size it at 50GB (10GB less than the outside container size of 60GB.)

    I now move all my most secretive files into music4.mp3, my top secret container.

    ** Here's the part I don't understand **

    When browsing the partition in Windows Explorer you will see...

    video1.mpg, which can be played and shows a file size of say 1.9MB
    video2.mpg can be played and shows a file size of .8MB
    video4.mpg can be played and shows a file size of 6.9MB
    However, video3.mpg - the outer encrypted container - cannot be played, and worst of all, shows a file size of 60GB.

    Obviously, to anyone looking, this is not just another mpg file, but some sort of container.

    Now, using the plausible deniability scenario from TrueCrypt, let's say I am forced to reveal the password to this outer container.
    Under this scenario, even once the outer password has been compromised (according to the TrueCrypt folks), my truly hidden files are supposed to be safe and sound.

    But, by opening the outer container using the forcefully acquired password I now see:
    music1.mp3 which can be played and shows a file size of 2.9MB
    music2.mp3 which can be played and shows a file size of 3.2MB
    music3.mp3 which can be played and shows a file size of 2.7MB
    and then there's music4.mp3 - my top secret hidden container - which cannot be played and shows a file size of 50GB!
    Obviously this is another container, just like the outer container, that I was just forced to provide the password to.

    If the container can be seen, and it is noticeably different from all the other files (or even if it wasn't - it's certainly not impossible to actually check out every file) then I can't see how you could possibly 'deny' that it exists?!

    Am I doing something wrong in setting up my containers? Am I misunderstanding something here?
    Hopefully someone can help shed some light on this puzzling predicament for me.
  2. Gizzy

    Gizzy Registered Member

    Oct 5, 2007
    NJ, USA
    When you create a new volume you should choose to create a hidden volume inside the container, so that way you won't even see the container file for the hidden volume. It works so that when you open the container to your TrueCrypt volume you can either enter the password for the outer volume or enter the password for the hidden volume.

    When you create a hidden volume you don't set up a container/file name for it, just a separate password to get to it.

    Here are some links about hidden volumes,

    or maybe someone that can explain it in more detail will come by.
  3. gb63

    gb63 Registered Member

    Jan 19, 2008
    TrueCrypt forms the hidden container within the outer volume by allocating the appropriate number of sectors starting from the end of the outer volume. There is no filename assigned to the hidden part. The outer volume has to be FAT32 because other filesystems such as NTFS pre-allocate certain sectors throughout the outer volume.
  4. dantz

    dantz Registered Member

    Jan 19, 2007
    As the other posters have stated, your music4.mp3 file will not be visible at all, as it is stored within a hidden volume, which is very different from a nested container file.

    In my opinion, the so-called "plausible deniability" feature is loaded with pitfalls, and it is also full of fairly obvious holes that most forensics experts can see through. Furthermore, it can be a very dangerous tactic, even when done by mistake. Thus, I consider hidden volumes to be far and away the least desirable feature of TrueCrypt.

    If a container is formatted as FAT (the default setting), and especially if it contains a great deal of what appears to be empty space, then this automatically implies to any investigator that it might contain a hidden volume. If you live in a country where there is a likelihood of torture (and based on your choice of adversaries, this might include the U.S.) then this can create a very risky situation. If your adversary suspects the existence of a hidden volume then you may lose quite a few fingernails (or whatever) while they try to make you divulge the password. Since there is no way that you can disprove the existence of a hidden volume (even if there isn't one), you'll have no way out of the situation.

    Here's a short example presented by Bill McGonigle on

    Attacker: Give me your password or we'll kill your family.
    User: OK, it's "fraggle1986"
    Attacker: What do you think we're stupid? You're using TrueCrypt, give us your other password or we kill your family.

    The safest approach is to format the container file as NTFS, as this prevents the creation of hidden volumes altogether, as your attackers should also realize. (And perhaps you will lose only one fingernail right before you divulge the one and only password!)

    I am particularly sorry that the TrueCrypt developers chose to make FAT the default filesystem, thus placing many innocent users at risk. This benefits only those who need to use hidden volumes, but it comes at the expense of the vast majority of users who have innocently accepted the default settings, thus causing them to become potential suspects.

    As far as your plan to have your container file look like a video file, I suppose this might fool a computer illiterate, but once it is discovered by a knowledgeable investigator (and it will be, very quickly) then they will come to expect additional subterfuges on your part, and this will make them even more inclined to suspect the existence of the hidden volume, i.e. "What, do you think we're stupid?"

    Incidentally, there are numerous ways to destroy plausible deniability. For example, a careful inspection of your disk might show that certain files were opened recently and yet they can't be found in your filesystem or in your mounted container file (because they're obviously in your hidden volume). MS-Word keeps pointers to the last several files opened, as do many other programs. Your registry also automatically stores information about recently opened documents. Many programs create recoverable files in the temp directory while they are open. Your pagefile might contain portions of cached data. Your hibernation file might contain the keys to both volumes. There's data similar to this all over the filesystem if you know where to look. As many users have already concluded, Microsoft Windows (any flavor) was definitely not designed for privacy and/or security. You would have to be a true security expert to plug the majority of the leaks, and at that point you would probably conclude that you ought to be using an entirely different operating system.
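
Added example (not part of the original thread and not TrueCrypt code): a short Python sketch of why a container renamed to `video3.mpg` stands out in a file-type audit, as the last post argues. The entropy threshold, the sector-alignment heuristic, the sample bytes and the file name `notes.mpg` are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter

# Well-known file signatures for the two extensions used in the thread.
MAGIC = {
    ".mpg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),       # MPEG pack / sequence header
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),  # ID3 tag or audio frame sync
}
SECTOR = 512              # assumption: an encrypted volume is a whole number of sectors
ENTROPY_THRESHOLD = 7.9   # assumption: bits per byte at which content "looks random"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def assess(name: str, data: bytes) -> str:
    """Compare a file's content with what its extension claims."""
    ext = os.path.splitext(name)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "unknown-type"
    if data.startswith(signatures):
        return "consistent"
    # No valid header: random-looking, sector-aligned data suggests an encrypted volume.
    if shannon_entropy(data) >= ENTROPY_THRESHOLD and len(data) % SECTOR == 0:
        return "suspect-container"
    return "mismatch"


def build_samples() -> dict:
    """Constructed stand-ins for files like those named in the thread."""
    return {
        "video1.mpg": b"\x00\x00\x01\xba" + b"\x44\x00\x04\x00" * 1024,
        "music1.mp3": b"ID3\x03\x00\x00" + b"\x00" * 4090,
        "video3.mpg": os.urandom(64 * SECTOR),            # stands in for the 60GB container
        "notes.mpg": b"plain text renamed to .mpg\n" * 100,  # hypothetical file
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(f"{fname:12} entropy={shannon_entropy(blob):.2f} -> {assess(fname, blob)}")
```

Real media files are also high in entropy, which is why the header check comes first; it is the combination of a missing signature and uniformly random content that separates the container from its neighbours.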