TCHunt 1.5

Discussion in 'privacy technology' started by 16s, Jan 22, 2011.

Thread Status:
Not open for further replies.
  1. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Hey everyone... TCHunt 1.5 is available for download. I thought some on the privacy list may find it of interest. I've released some of my automatic TC volume generation scripts as well (bump the file size to > 5MB if you wish to test the volumes with TCHunt).

    If you have any problems using the program, let me know. Here's the URL:

    http://16s.us/TCHunt/
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Thanks for the snake oil. Wow, your software tells us that a random data file might be a TC file! Genius. Of course that random file might be anything.
     
  3. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    There's no need for negative remarks. The TCHunt FAQ clearly explains how the program operates and the reasoning behind it. Why not read that? Then you'll better understand.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ 16s

    Hi, thanks for this update :thumb:

    I'd almost forgotten i had an earlier version :D

    I like the fact it's a non install App :thumb:

    It successfully found 3 separate TC containers and no FP's :thumb:


    Several buttons didn't seem to work for me though? :(

     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Finding encrypted TrueCrypt volumes does nothing to reduce your security and privacy.

    It's what you can do with those volumes once you find them that really matters... :)

    Having a detectable volume means nothing...

    What we are really talking about FIRST is 'On-the-fly encryption (OTFE)', second we are talking about hiding a volume in a volume...

    The truth is, so what if your volume is found? Can it be opened? Because encryption is the name of the game we are really talking about, not anonymity.

    Granted many people will be concerned about anonymity, along with encryption, great, don't keep those volumes on your computer, store them away on a portable device somewhere.
     
    Last edited: Jan 22, 2011
  6. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    CloneRanger: Thanks for trying TCHunt. I appreciate your feedback.

    ---

    DasFox: You are right. The reason I wrote TCHunt (back in 2007) was to convince my friends to stop creating encrypted TC volumes and then trying to hide them by giving them fictitious file extensions and misleading names.

    They would create encrypted volumes with names such as 'Music_Collection.tar' or 'My_Movies.zip'. They believed (falsely) that doing this would hide the fact that the files were random/encrypted.

    In short, this sort of data stands out. If you have these files on your computer, others (who know what they are doing) will be able to identify them. Trying to explain them away with explanations such as, "It must have become corrupt" won't work.

    The FAQ covers all of this and more.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    But it's my understanding that if you create a proper hidden volume, then it's supposed to be hidden...

    Maybe you are only talking about creating a normal volume and giving it some strange name and thinking no one knows this is a TrueCrypt volume?
     
  8. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    I don't agree with you because TCHunt can't see the difference between random data and a TC container. I don't know of any other software that can do that either. It's already mentioned in your FAQ, but I think it's also good to have this pointed out in this thread. It's easy to verify this. On a Linux machine, run:
    dd if=/dev/urandom of=randpool.rnd bs=1M count=5

    This will create a 5MB file (randpool.rnd) containing random data which TCHunt thinks is a TC container.

    In my opinion your friends did the right thing, almost :)
    They should not have used a standard file extension; instead, use your own extension or something like .RND (.IMG or .DAT would also be fine since they don't have any real specification).

    Some applications that have their own CS-PRNG use random-byte files to seed the PRNG, e.g. GnuPG or PuTTY. Yarrow or Fortuna are some of the CS-PRNGs that use seed files, often with the extension .RND. The size of the seed files is of course not that huge, but this setting could be changed ;)

    I have seen a police investigation where they could not prove that a huge random-byte file was a TC container. The TrueCrypt application was installed on the computer and the huge RND file could not be linked to any other application or usage, so they were pretty sure that it was a TC container. But the owner of the computer denied the existence of any TC containers, and the police could not prove it; later the case was closed without any further action. This case was a big piracy bust in Sweden.
     
    Last edited: Jan 24, 2011
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    How dare you point out the snake oil that is TCHunt! You are raining on the parade of all of those who think there is something different between one random file and the next.
     
  10. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    I would not call it snake oil since his FAQ is telling the truth. But it's pretty close to snake oil even in my book ;)
     
  11. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Countermail,

    Yes, the FAQ clearly states that TCHunt finds files that have the four attributes. TC volumes, random files, FreeOTFE volumes, other encrypted files, etc. Nowhere does TCHunt claim to differentiate between random data and encrypted data. That's not possible.

    Edit: I won't repeat the FAQ here, it's linked in the original post I made, feel free to read it.

    That's about it. I appreciate the feedback.
     
    Last edited: Jan 24, 2011
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Spot on :rolleyes:
     
  13. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    I've placed my TCHunt source code repository on GitHub. Have a look or download and build it yourself. Make it better if you like:

    https://github.com/16s/TCHunt

    It's GPLv3, have fun with it.
     
  14. sfi

    sfi Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    68
    I have a question for the community: since this is a relatively simple idea, would it be possible to make a bash script that does this? Not that I want anyone to come up with a script, but it may be a good weekend project for me...
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't mind TCHunt -- at least it is open-source and free. But there is another similar project out there that claims it can differentiate "regular" random data from a TC container. And these people are charging for the software. (And they claim it is better than TCHunt).
     
  16. jesusjesus

    jesusjesus Registered Member

    Joined:
    Jul 21, 2009
    Posts:
    61

    Thanks for this. For some reason it's detected many Grand Theft Auto IV .img files as TC encrypted files. It successfully did not detect PGP files or files that were recently securely erased (random data).

    These files it mistakenly detected as TC.

    /Electronic Arts/Battlefield Bad Company 2/Dist/win32/levels/sp_005_B/loader-00.fbrb
    /Rockstar Games/Grand Theft Auto IV/common/data/cdimages/carrec.img
    /Rockstar Games/Grand Theft Auto IV/pc/anim/anim.img
    /Rockstar Games/Grand Theft Auto IV/pc/anim/cuts.img
    /Rockstar Games/Grand Theft Auto IV/pc/anim/cutsprops.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/cdimages/navmeshes.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/bronx_e.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/bronx_e2.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/bronx_w.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/brook_n.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/brook_s.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/brook_s2.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/queens_e.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/east/queens_m.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/jersey/nj_01.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/jersey/nj_03.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/jersey/nj_05.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/jersey/nj_docks.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat01.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat02.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat04.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat05.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat07.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat08.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat10.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/manhat12.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/manhat/subwayxr.img
    /Rockstar Games/Grand Theft Auto IV/pc/data/maps/props/lev_des/minigame.img
    /Rockstar Games/Grand Theft Auto IV/pc/models/cdimages/componentpeds.img
    /Rockstar Games/Grand Theft Auto IV/pc/models/cdimages/pedprops.img


    You can download the last image (pedprops.img) from the following site if you're interested in examining a sample false positive.

    http://www.gta-downloads.com/en/gta4/file-backups/10674-models-cdimages-folder-backup.html
     
    Last edited: Jan 26, 2011
  17. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Thanks for the results jesusjesus... looking at the pedprops.img file, it looks very random. It passed all the TCHunt checks. It's padded with nulls at the end though, so it's not encrypted by TC or completely random either. This is one of those FPs that can be ruled out (as covered in the FAQ).

    Many games compress and/or encrypt files. World of WarCraft does this with MPQ files (although they insert a header "MPQ" into those). Maybe Grand Theft Auto img files have recognizable headers as well.

    TCHunt only performs checks at the front of the file (have a look at the source code and you'll see where the checks are done). The nulls at the end would fail randomness testing, but TCHunt does not read that part of the file.
     
  18. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Another quick note about the GTA FPs:

    I forgot about dynamic/sparse encrypted TC volumes (They have nulls in the middle now). However, I believe TC sparse volumes produced by older versions of TC had nulls at the end... before TC began putting a backup of the header there (volume spec changed).

    Newer encrypted sparse volumes look like this:

    random data
    nulls
    random data

    I believe older TC volume specs produced sparse volumes like this:

    random data
    nulls

    That being said, if Grand Theft Auto has no identifiable header, then it could be a GTA img file or an older encrypted sparse TC volume or something else entirely. The only way to tell if it is a GTA img file is to use it in the game and see if it works.
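    A scan in the spirit of sfi's bash-script question and of what 16s describes in the two posts above, as an added Python example that is not TCHunt's own code: the head-only checks (size a multiple of 512, a minimum size, no known file header, chi-square on the leading bytes) followed by the null-padded-tail rule-out from this thread. The 19 KB minimum, the 4096-byte head and tail samples, the 310.46 chi-square cut-off and the short magic-value list are my assumptions, not values taken from TCHunt.

```python
import os

BLOCK = 512          # a TC volume is a whole number of 512-byte sectors
MIN_SIZE = 19 * 1024 # minimum size; assumed here, after the TCHunt FAQ as I recall it
HEAD = 4096          # leading bytes tested, as TCHunt tests only the front of the file
TAIL = 4096          # trailing bytes sampled for the null-padding rule-out from this thread
CHI_CRIT = 310.46    # chi-square critical value, 255 degrees of freedom, p = 0.01 (assumed cut-off)
# A few real magic values; constructed short list, not TCHunt's own header table
KNOWN_MAGIC = (b"MPQ\x1a", b"PK\x03\x04", b"\x7fELF", b"%PDF", b"MZ", b"\x89PNG")

def chi_square(data):
    """Chi-square of the byte histogram against a uniform distribution: random or
    encrypted bytes land near 255 (the degrees of freedom); structured data scores far higher."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256.0
    return sum((c - expected) ** 2 / expected for c in counts)

def classify(size, head, tail):
    """TCHunt-style front-of-file checks, then the tail check discussed in the thread."""
    if size % BLOCK:
        return "ruled out: size is not a multiple of 512"
    if size < MIN_SIZE:
        return "ruled out: too small"
    if head.startswith(KNOWN_MAGIC):
        return "ruled out: known file header"
    if chi_square(head) > CHI_CRIT:
        return "ruled out: leading bytes are not uniformly distributed"
    # Everything above is all a head-only scan sees. A null-padded tail (the
    # pedprops.img case) is neither a TC volume nor fully random data; nulls only
    # in the middle (newer sparse volumes, backup header at the end) still pass.
    if tail.count(0) == len(tail):
        return "false positive: random head but null-padded tail"
    return "candidate: random data (TC volume, other encrypted file, or a random blob)"

def scan_file(path):
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(HEAD)
        f.seek(max(0, size - TAIL))
        tail = f.read(TAIL)
    return classify(size, head, tail)

def scan_tree(root):
    """Recurse a directory, as a scripted 'ent' run would; returns {path: verdict}."""
    return {os.path.join(d, n): scan_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}
```

    A 5 MB file from /dev/urandom, as Countermail's dd command produces, comes back as "candidate" here too: the chi-square check cannot tell a TC container from any other random blob, which is the whole point of the thread.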
     
  19. jesusjesus

    jesusjesus Registered Member

    Joined:
    Jul 21, 2009
    Posts:
    61
    Yeah, I should have read your FAQ first, but thanks for that detailed reply.

    Would you or anyone here know of a good free scanning software that will look for ANY encrypted files rather than just trying to find TC?

    I never even realised GTA IV used encrypted files; I just found it interesting that TCHunt found them. But is there a free (or, if not free, commercial) product that is as easy to use as TCHunt but will search for any encrypted files? It would be interesting to see what other software & games are using encryption for copy protection. Well, I presume it's copy protection related, or maybe it stops people hacking the levels.
     
  20. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    16s: In my opinion TCHunt is not snake oil, it's merely a simple and clearly defined utility. Although TCHunt is often misunderstood by those users who imagine that it is capable of much more than it was designed for, I appreciate the openness and honesty of your FAQ.

    Aside from its demonstration purposes, I feel that TCHunt's most helpful real-world application will be to help various users relocate any "lost" TC container files that they may have misplaced or otherwise forgotten about.
     
  21. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    jesusjesus: Try using ent to find files that are random/encrypted. It does not 'scan' (so to speak) but it can be scripted to recurse a filesystem. TCHunt is specific, but ent is much more generic. Here's the URL: http://www.fourmilab.ch/random/

    dantz: Thanks for the comment. You're right. TCHunt is very specific. It's not magic nor does it do anything special. I released the source code to demonstrate this. Using it to find lost TC containers (as you suggested) is reasonable I think. However, using it to accuse someone of having a TC container is not. I doubt TCHunt results would be admissible in court. And, I highly doubt any secret/commercial software claiming to somehow differentiate random data from encrypted TC data would stand a chance. A professor or cryptanalyst could be called as an expert witness to put an end to that nonsense.
     
    Last edited: Feb 2, 2011