Finding an encrypted container

Discussion in 'privacy technology' started by KindaParanoid21, Feb 19, 2019.

  1. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    67
    This is something I've been wondering about for a while now... That no matter what encryption program you use, if you're able to rename the file \ container something innocuous and not draw attention to it, can it be detected? Now obviously if it has the .avi extension and you click on it it's not going to actually play anything, similar to any other extension you could think of not working correctly with the right program.

    But is it possible to do a sweep of a system looking for renamed encryption files \ containers and find them? If not, but you suspect a file, what then? (And I mean this essentially at the consumer \ basic thief \ hacker level, not feds or LE.)
     
  2. daw_10

    daw_10 Registered Member

    Joined:
    Jan 7, 2019
    Posts:
    4
    Location:
    UK
  3. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    67
    @daw_10 - See there you go, why wouldn't a program like that exist?! And look, you don't actually have to any further then if you actually find an encryption program on a person's PC, and assume that that person may indeed, be encrypting files. But in wondering about the ways in which it could be done, well here I am!:)
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,160
    Well my interest and specialty is in hiding encryption in plain view - the reverse of what your OP was about. Its one and the same but viewing from different perspectives. Any "globs" of encryption or RAW scrambled data cause pause, but unidentifiable "globs" can be better explained as NOT being encrypted secret volumes. I especially like Headerless encryption such as with dm crypt or similar. If you employ removable media that can address the "glob" via creating or containing the header needed to open the volume it works flawslessly. Next a hard drive is based upon Geometry or canonical calls to find many things. Its is quite easy to pick a starting sector anywhere on the disk and conclude on a specific sector and use ONLY that space as your volume. Lacking the knowledge of where the start and stop zone is you couldn't launch the volume. All the space around the defined space is garbled too so it all looks the same. Such a thing can be called by Grub for dos or other means. In conclusion no person can identify any volume I have in those areas because no header displays a known pattern and lacking canonical definition (partition, file, etc.....) it blends in perfectly.

    For beginners its easier to use software that hides a volume inside another volume. It will create questions and assumptions of course, but no proof exists of those hidden volumes without operator error on the system disk during usage.
     
  5. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    98
    It is impossible to hide large amounts of encrypted data. By definition, it appears as random (high entropy) data. You can scan the entire hard drive and it will show up even if it is in "free space" between files. It can't be proven to be encryption but if there is no other explanation it is highly suspicious. There are ways to provide plausible cover stories of course. Some free space eraser tools can be configured to overwrite using random data for example. Problem is that if you are actually using "free space" to store encrypted data, you have to go to extraordinary lengths to prevent the OS from overwriting it. You can create headerless file containers but a file named "family video - 2017.mp4" that contains 4 gigs of random data isn't going to fool anyone.
    It is possible to truly hide encrypted data via steganography but this has some severe limitations. If you stuff hidden data into an image file for example, you have to stay well below 1% of the total file size. Any more and it can be detected by statistical analysis.
    Of course all this depends on how sophisticated and determined you adversary is. Your local police department may not be able to find it but if the NSA thinks you are a terrorist, you would be toast.
     
  6. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    67
    @Palancar - @brians08 \ Thanks for the responses, and sorry it took me this long! But great stuff of course, and it all makes sense. My logic is I'm never going to go, or really can even go, far enough to hide or fool the government and or local law enforcement, but essentially everyone else... Hackers, thieves, etc. Either way it looks like you don't really have to dig that deep as long as basic programs exist that anyone can get and find containers.

    So I suppose that leads to this question, if I'm even asking it correctly... Does anything exist where you can in a basic form hide encrypted containers? (At least from my latter examples and not the formers!) Thanks again!
     
  7. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    98
    In software the only thing you can do is create a hidden container inside another. As per the instructions in TrueCrypt and VeraCrypt, you can decrypt the outer container and claim the hidden one does not exist.
    Otherwise, you would need to create a custom storage device that hides the existence of part of the total amount. There would be a password or something that would reveal the extra data and, most importantly, there would need to be a self destruct function that would activate on tampering so that even a sophisticated attempt to access it would fail. Pretty sure there's nothing like that available to us common folk. Maybe the CIA, Secret Service or such agencies have something like this?
     
  8. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    67
    Yep, logic all, thanks for that! Now as I recall, VC is based off of TC right? And if memory serves, TC had a whole bunch of issues back in the day, enough to spook the already spookable (myself among them!)
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,160
    From reading your posts and estimating where you are on the level of familiarity with encryption you should likely stay with an out of the box software that simply hides volumes inside a shell volume. If you are using e.g. an 1 TB external drive you can create a device based (not file based) volume that covers the entire disk platter. Everyone would suspect you have a hidden volume but it can't be proven if created correctly ---------------------- > that is unless they get a hold of the system that created the volume and you leave trails on that system.

    Rest assured that as you learn and if you really are interested you can go advanced stealth. Again on a 1 TB external (example only of course) you could wipe the disk entirely with common software and then encrypt the disk using more advanced means so that the garbled data would appear EXACTLY the same as the legit totally WIPED platter would have. No headers or "tells" of any kind. Now you have an external drive sitting in a box marked WIPED and maybe a dummy DVR that contains the software alleged to have wiped the disk. At that point an adversary could and likely would have suspicion but its far superior to a hidden volume because, its ASSUMED shell volumes contain hidden. In other words you appear more "guilty" of having a hidden volume. Very few can create what I am talking about because they are lazy and don't want to learn, but its easily doable. Just sayin!
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,798
    Location:
    UK
    Might I also encourage thinking about the operational context here rather than technical security controls in isolation.

    IF you are not coerced or the creating systems weren't compromised, why does it matter whether or not "they" know you have encrypted content or not - if the crypto is good, and you use long-strong passwords, it can't be cracked in feasible time now. That includes TC by the way, whose security audit did identify weaknesses, but could be mitigated (e.g. by ensuring long-strong).

    If the wrench technique is to be used, you'd likely sing like a canary, unless you literally cannot unlock the crypto (e.g. due to lack of keyfile). And that would be painful if your adversary didn't believe you.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,160

    Without question OpSec is the number one key, so I agree totally. I would much rather spend my time learning operational aspects that keep the "man" away from my door. It doesn't matter how big the wrench is if they can't find the person to hit it with, LOL!
     
  12. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    67
    @Palancar \ @deBoetie - Hey, thank you both for the information and insight, believe me it's needed! And again, logical all:)
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,798
    Location:
    UK
    @KindaParanoid21 - You're welcome. One of the things that's exercising me at the moment is what you could or should take with you when travelling. There's a balancing act to be had, with my instinct suggesting taking nothing with you at all, except maybe a sacrificial system so you can cooperate with anyone with a wrench or otherwise. I suspect, travelling with keys or hidden stuff will likely cause you grief, so @Palancar 's notion of avoiding attention is right, coupled with avoiding having suspicious media or accounts.

    Of course, the biggest exposure is the mobile phone, so useful when travelling but also hard to secure properly unless you wipe it and restore from alternative backups, that kind of thing. Again, a dumb-phone and paper might be the best approach depending on the risks. People did survive without smartphones 10 years ago. Of course, the hard-to-secure is by design.
     
  14. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,160
    Further; I suspect the notion of true security while carrying a Smartphone is an exercise in futility. "Bathroom lock" security is doable, but "Front Entrance" lock security is beyond reason!

    I know Google is tracking my Android and while possessing it I simply attempt to stay private from general crowds. When I want to disappear, such as here, my Android is in another room and not on any shared LAN - ever. In my life I cannot give up my Android and maintain my responsibilities, but I can and do go "dark" when I need or want to.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.