I just tried this software. It found all my TrueCrypt files. Not that I'm worried. I don't have anything to hide, but people using TrueCrypt who do should sit-up and pay attention. I used TCHunt alpha version last month and it wasn't that impressive, but the detection seems to have improved a lot with this beta release. I would post this to the TrueCrypt forum. But they have banned posts related to TCHunt. http://16systems.com/TCHunt/download.html
If TrueCrypt is again employing security through obscurity, that doesn't make me feel good about them, no matter what they are giving away.
Steve, there is no security through obscurity that I am aware of. But it is pretty easy to find a TC container through normal methods used to detect encrypted files. From TCHunt site, about how does it work? The idea is nice, but I get the feeling that the author is trying to scare the users of TrueCrypt. The users of encrypted containers, no matter how they are created (and by what program) should be aware that a forensic analysis will reveal the presence of encrypted data and may raise suspicions. So a program as TCHunt should serve to increase awareness, not to scare users into not using TrueCrypt.
That should not be the case. As I understand it, AES encryption should be indistinguishable from noise data.
It is, but the problem is like this: how much noise data you have on your HDD except encrypted containers?
Erased free space is noise, true, as a totally encrypted partition is noise. A file which contains only random data looks suspicious to any forensic analysis, and a tool like tchunt can only speed up the process of finding (some) suspicious files. The way TrueCrypt (tries to) offer plausible deniability is through the use of hidden volumes.
Found all of my TrueCrypt files, but like I said, I'm not worried, I'm not a spy or anything like that.
Truecrypt has always been clear about their definition of Plausible Deniability: In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability. Hidden volumes (for more information, see the section Hidden Volume). It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. However, note that for system encryption, the first drive track contains the (unencrypted) TrueCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption). In such cases, plausible deniability can be achieved by creating a hidden operating system (see the section Hidden Operating System). With or without TCHunt, TC still meets their definition of plausible deniability. It's about proving.
