Finding an encrypted container

Discussion in 'privacy technology' started by KindaParanoid21, Feb 19, 2019.

  1. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    64
    This is something I've been wondering about for a while now... That no matter what encryption program you use, if you're able to rename the file \ container to something innocuous and not draw attention to it, can it be detected? Now obviously if it has the .avi extension and you click on it, it's not going to actually play anything, similar to any other extension you could think of not working correctly with the right program.

    But is it possible to do a sweep of a system looking for renamed encryption files \ containers and find them? If not, but you suspect a file, what then? (And I mean this essentially at the consumer \ basic thief \ hacker level, not feds or LE.)
     
  2. daw_10

    daw_10 Registered Member

    Joined:
    Jan 7, 2019
    Posts:
    4
    Location:
    UK
  3. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    64
    @daw_10 - See there you go, why wouldn't a program like that exist?! And look, you don't actually have to go any further than if you actually find an encryption program on a person's PC, and assume that that person may indeed be encrypting files. But in wondering about the ways in which it could be done, well here I am! :)
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,136
    Well my interest and specialty is in hiding encryption in plain view - the reverse of what your OP was about. It's one and the same but viewing from different perspectives. Any "globs" of encryption or RAW scrambled data cause pause, but unidentifiable "globs" can be better explained as NOT being encrypted secret volumes. I especially like headerless encryption such as with dm-crypt or similar. If you employ removable media that can address the "glob" via creating or containing the header needed to open the volume, it works flawlessly. Next, a hard drive is based upon geometry or canonical calls to find many things. It is quite easy to pick a starting sector anywhere on the disk and conclude on a specific sector and use ONLY that space as your volume. Lacking the knowledge of where the start and stop zone is, you couldn't launch the volume. All the space around the defined space is garbled too, so it all looks the same. Such a thing can be called by Grub for dos or other means. In conclusion, no person can identify any volume I have in those areas because no header displays a known pattern and, lacking canonical definition (partition, file, etc.....), it blends in perfectly.

    For beginners it's easier to use software that hides a volume inside another volume. It will create questions and assumptions of course, but no proof exists of those hidden volumes without operator error on the system disk during usage.
     
  5. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    90
    It is impossible to hide large amounts of encrypted data. By definition, it appears as random (high entropy) data. You can scan the entire hard drive and it will show up even if it is in "free space" between files. It can't be proven to be encryption but if there is no other explanation it is highly suspicious. There are ways to provide plausible cover stories of course. Some free space eraser tools can be configured to overwrite using random data for example. Problem is that if you are actually using "free space" to store encrypted data, you have to go to extraordinary lengths to prevent the OS from overwriting it. You can create headerless file containers but a file named "family video - 2017.mp4" that contains 4 gigs of random data isn't going to fool anyone.
    It is possible to truly hide encrypted data via steganography but this has some severe limitations. If you stuff hidden data into an image file for example, you have to stay well below 1% of the total file size. Any more and it can be detected by statistical analysis.
    Of course all this depends on how sophisticated and determined your adversary is. Your local police department may not be able to find it, but if the NSA thinks you are a terrorist, you would be toast.
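    As an added illustration of the entropy scan brians08 describes (my own example, not code posted in this thread): a windowed Shannon-entropy check over a file's bytes, plus a look for the MP4 'ftyp' box that a real "family video" would carry. The window size, the 7.9 bits/byte threshold, the sample data and all function names are my assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 4096          # bytes examined per window
HIGH_ENTROPY = 7.9    # bits/byte; uniformly random bytes approach 8.0 (assumed threshold)

# Constructed sample inputs (not from the thread): random bytes stand in for an
# encrypted container, repeated text for a document, an MP4 box header for real video.
SAMPLE_RANDOM = os.urandom(64 * 1024)
SAMPLE_TEXT = b"Meeting notes: budget review, action items, next steps.\n" * 1200
SAMPLE_MP4 = b"\x00\x00\x00\x20ftypisom" + os.urandom(64 * 1024)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_mp4(data: bytes) -> bool:
    """Genuine MP4/MOV files start with a box whose type field at offset 4 is 'ftyp'."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def high_entropy_ratio(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of full-size windows whose entropy is at or above HIGH_ENTROPY."""
    windows = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not windows:
        return 0.0
    hot = sum(1 for w in windows if shannon_entropy(w) >= HIGH_ENTROPY)
    return hot / len(windows)


def classify(data: bytes) -> str:
    """Crude triage: a random-looking blob with no recognisable header is a candidate
    container; high entropy alone is not proof, since compressed media looks the same."""
    if looks_like_mp4(data):
        return "mp4-structured"   # expected header present; body may still be compressed video
    ratio = high_entropy_ratio(data)
    if ratio > 0.95:
        return "uniform-random"   # near-maximal entropy everywhere, nothing identifies it
    if ratio > 0.5:
        return "mostly-random"    # e.g. an archive with some structured regions
    return "structured"


def scan_file(path: str) -> str:
    """Classify a file on disk; a '.mp4' that comes back 'uniform-random' is brians08's case."""
    with open(path, "rb") as fh:
        return classify(fh.read())
```

    A compressed video, archive or already-wiped free space scores just as high, so this finds candidates to explain, not proof of encryption, which matches the post's point.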
     