is there a way to erase all truecrypt traces?

Discussion in 'privacy general' started by mantra, Dec 4, 2013.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,141
    Hi
    i use truecrypt portable in several machine

    is there a way to erase all the traces left by truecrypt?

    most machine work under w7 64bit and w8.1 64bit

    for example i found that it left data in
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
    thanks
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    That is a tall order. Any OS is going to leave traces of much activity performed when it is used, and not just TrueCrypt stuff. Things like file names, times, file system journals, logs etc.. What exactly do you do with TC portable? If you only need to copy files to/from computers you could likely accomplish that easily with a live CD containing TC in the build. E.g. you would bring up linux live containing TC and then open your container using it. From there you can mount the partition/disk on the windows machine (encryption out of the way or you decrypt) and copy any files you want to over to your TC encrypted portable media device. Since windows isn't running the activity won't get traced as it would using an active windows OS. Then close out TC and when you shut down the Linux live media all traces on the machine disappear if done correctly.

    However; in general for simple use the answer is NO. Once you use TC portable the exe is installed (must be Admin user employed at least once). That alone leaves a small trace. As far as windows tracks when you do anything at all, just don't get me started because it isn't pretty. And that is why WDE is the only true answer and anyone saying otherwise needs to spend some time using forensic software tools. Just once would convince you.
     
  3. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,279
    Use Shadow Defender or a similar virtualizer.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Restore from a pre-TrueCrypt disk image or re-install Windows after zeroing out the drive.

    It's too late for vitrualization, but if you choose to do so make sure the changes are written in the RAM unless it shreds them on exit.
     
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,141
    hi
    i use the portable version , and an usb3 external portable hard drive
     
  6. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Agree with Palancar on his views.

    I found while its nice to run portable software, the issue is your always going to leave behind some traces of it in windows and windows logs, and just about everything you do in windows leaves evidence in logs which are scattered everywhere.

    An adversary could easily search for tc exe and dlls and files and locate it or check logs, same applies for any portable app!

    I am still debating this but I feel it maybe and I could be wrong with this....
    but to install the apps properly and allow ccleaner+cc-enhancer and privazer and other disk cleaning apps to "see" and locate the installed app so it can better clean the traces of the program. If you had a portable app the cleaning apps may not see it or see the traces left correctly. Manually adding the program to cleaning apps my gut tells me it does not work as well as it would if it was fully installed.

    Either way the above is a theory, its still best to do FDE (full disk encryption)
    tc has the hidden os, and diskcrypt also can do FDE. If your entire windows is encrypted your way safer and secure from adversaries.
     
Loading...
Thread Status:
Not open for further replies.