Question regarding hidden TrueCrypto volumes

Discussion in 'privacy technology' started by paty, Dec 2, 2014.

  1. paty

    paty Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    3
    Hi everyone,

    I've been using hidden volumes for a while now but doing some research on what to use now that TrueCrypt has been discontinued a question popped up that I hope you guys can answer.

    Reading about plausible deniability it seems that if i encrypt an external harddisk (full-disk) it is impossible for anyone to prove that this harddisk is actually encrypted and hasn't just been deleted securly i.e. isn't just filled with random data.
    The question this raises for me is why would I even bother with hidden volumes if noone can prove there is an encrypted volume at all ?
    It seems to me that "maintining" an outer volume that makes even some sense to have (plausible data that are also at least remotely recent) is way harder than to simply deny there being an encrypted volume in the first place.

    Am I missing something ?
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Yes, you are definitely missing the point of the volume structuring with TrueCrypt.

    The value of the outer/decoy volume is where an adversary will/can force you to open the media. While in the "Cinderella world' of your right to non-comply (5th amendment for USA) sounds good on paper, that world is mostly a fantasy. Being familiar with LE and how pressure is applied, it is quite dis-advantageous to play stupid. If you were truly in an adversarial encounter of that nature, a thought out outer volume could be a lifesaver pure and simple. That shell volume recent data argument is false if the items contained in the outer volume have archive value perception. There are strong and personal value items that are reasonable to archive for "keeping sake". e.g. - A pdf of your Last Will and Testament, or Trust Papers, etc.... It would be very reasonable for a volume containing these items to be seldom accessed, and yet the obvious importance justifies their seclusion in an encrypted volume. Using this method you would never have to use the outer volume after creation. I know the TC manual and what it purports to be the correct usage of outer volumes.


    Since this is your first post here; welcome.
     
  3. paty

    paty Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    3
    Thanks for the welcome and your thorough answer :)

    I do understand what a hiddenvolume is for and I can absoutely see it being a life-saver when it is obvious that there is an ecrypted volume.
    My point is that a fully-encrypted harddrive isn't obviously encrypted. It could just as well have been securely deleted. Stating that it isn't encrypted but has been securly deleted is imho not playing dumb but rather playing smart as there is no way for "them" to prove that I'm not telling the truth.
    You are right about using data with archive character for the outer volume. I'd still think it looks a little suspicous that a 2 TB hardrive is only used for 1 GB (and that would be a lot) of documents and such.
    Setting up an innervolume isn't complicated so I'm not even trying to avoid that. I'm merely wondering if it wouldn't be smarter to flatout deny that the harddisk is encrypted in the firstplace.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    TrueCrypt writes headers to the disk, so it's obviously not just random data. That's also the case for many other FDE methods, including dm-crypt/LUKS in Linux. It is possible to do FDE without headers. In Linux, one can do that with dm-crypt. However, in order to decrypt and mount the disk, it's necessary to supply both the passphrase and all of the relevant encryption settings (where the data start and end, algorithm, etc). And still, adversaries can detect likely encrypted data by looking at write history of the drive.
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    If adversary have access to your PC and have knowledge of forensics, then there're clues which can be proof of your TC usage.
    TC tries to minimize such risk but still can'be perfect e.g. if error happens in Z:\brabra\...\secretfile.dat which is not found in your usual setup, it will be recorded in Event log. (just an example)
    For file container file slack were used to prove TC usage, though I think it don't affects FDE as long as you follow best practice described in the manual.
    Well, those things can equally affect hidden volume.
    However, it's harder to prove existence of hidden volume than just proving TC usage.
     
  6. paty

    paty Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    3
    Your answer makes a lot of sense Yuki :) I guess I must have misread / missunderstood the the text about plausible deniability then.
    So hidden volume it is - Thanks everyone !
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Taking what Yuki started a bit further: it should go without saying that an adversary if given full access to the windows operating system (that created/writes to those encrypted volumes) would easily "sink your battleship". The highest value of hidden encrypted media is when they stand on their own, such as a usb in your pocket while your walking around. Or maybe an off premises backup external media.

    Using TrueCrypt (any encryption software really) as an example, remember that a shell/decoy volume is created on a safe and clean operating system. Revealing that operating system will show the "trail" and files and HOW the volume data was written to the encrypted media. Believe me forensically its all there with a small amount of examination.

    So in retrospect. Create your outer/shell/decoy volume on a system that you can produce/display for an adversary if required. You MUST create your hidden volume ONLY on and by an operating system that an adversary will NEVER gain access to. Never access a hidden volume using ANY operating system that an adversary will ever see. No exceptions. That is the rule of the land for high security applications. There is so much more you could type on for pages about filesystems, etc.... I'll stop now. LOL!
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    You're right, if adversary have deep knowledge/skills of forensics they'll found hidden volume usage while TC usage will be found by much less knowledge/skills.

    So your advice makes sense if you really fear such skilled enemy, not your wife.
    Maybe the best way will be using Linux boot CD/USB, second best will be using VM, and the 3rd will be use virtualization software such as Toolwiz for when you create hidden volume and whenever you mount this.
     
Loading...