TrueCrypt Boot Loader - Identification String

Discussion in 'privacy technology' started by e4m, Apr 9, 2009.

Thread Status:
Not open for further replies.
  1. e4m

    e4m Registered Member

    Joined:
    Dec 7, 2008
    Posts:
    11
    I was under the impression that when you remove the pre-boot authentication text from the TrueCrypt Boot Loader that it was gone (no indication that my hard drive used TC whole disk encryption). Apparently, that is not the case:

    http://16systems.com/TCHunt/TCBoot/index.php

    The screenshots show how to manually delete the string. Seems to work OK. Is there a reason not to delete that string? Maybe TC updates need it or something?

    Thanks
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    There's no way you can hide the TrueCrypt bootloader from a knowledgeable person who examines your hard drive with the proper tools, since large portions of the bootloader code are easily identifiable and can't be changed without destroying their functionality. The presence of TrueCrypt bootloader code, followed by a large, fully encrypted partition, would indicate with almost 100% certainty that you have encrypted your system drive with TrueCrypt.

    Perhaps editing a few of the easily identifiable text strings would fool a computer neophyte, but I doubt if many neophytes would be examining your hard drive with a hex editor in the first place, whereas most forensic examiners would be knowledgeable enough to see right through your little diversion. Don't underestimate your potential adversary.
     
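    As an added example (not code from this thread or from the TrueCrypt project), here is a defender-side sketch of the heuristic dantz describes: look for the loader's plaintext identification string in the boot area, then measure the entropy of what follows. The marker string, the 64-sector boot area, the 7.9 bits/byte threshold and the sample disk image are all constructed assumptions for the demonstration.

```python
import math
import random

SECTOR = 512
# Assumption: the identification string the thread discusses survives in the
# boot area as this exact ASCII text. A real examiner compares the loader code
# itself against known samples; this constant alone is only a first-pass check.
TC_MARKER = b"TrueCrypt Boot Loader"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_image(image: bytes, boot_sectors: int = 64, threshold: float = 7.9) -> dict:
    """Flag an image that has the marker in its boot area AND a high-entropy body."""
    boot_area = image[: boot_sectors * SECTOR]
    offset = boot_area.find(TC_MARKER)  # -1 when the string is absent
    body_entropy = shannon_entropy(image[boot_sectors * SECTOR:])
    return {
        "marker_offset": offset if offset >= 0 else None,
        "partition_entropy": round(body_entropy, 3),
        "looks_like_tc_system_encryption": offset >= 0 and body_entropy >= threshold,
    }

def build_sample_image(with_marker: bool, encrypted: bool, seed: int = 1) -> bytes:
    """Constructed test image: 64 boot sectors followed by a 256-sector 'partition'."""
    rng = random.Random(seed)
    boot = bytearray(64 * SECTOR)
    if with_marker:
        boot[0x100:0x100 + len(TC_MARKER)] = TC_MARKER
    body_len = 256 * SECTOR
    if encrypted:
        # Pseudo-random bytes stand in for ciphertext (high entropy).
        body = bytes(rng.randrange(256) for _ in range(body_len))
    else:
        # Repetitive plaintext stands in for an ordinary filesystem (low entropy).
        body = (b"PLAINTEXT FILESYSTEM DATA " * (body_len // 26 + 1))[:body_len]
    return bytes(boot) + body

if __name__ == "__main__":
    print(scan_image(build_sample_image(with_marker=True, encrypted=True)))
```

    High entropy on its own only says "encrypted or compressed", which any full-disk encryption product would produce; it is the string together with the recognisable loader code that points specifically at TrueCrypt, as dantz notes.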
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Dantz is right, and because there's no plausible deniability of TC being used if you're using system encryption, TrueCrypt developed the Hidden Operating System option. It does provide plausible deniability. Which, just to clarify, means there is no way anybody can prove you are using the Hidden OS feature.
     
  4. Keller

    Keller Registered Member

    Joined:
    May 25, 2008
    Posts:
    10
    It may be that you cannot hide the presence of the TC bootloader. The next best thing might be to remove it altogether? You can use the rescue disk 'Repair Options' to:

    (1) restore original system loader (say 'yes' when it asks if the partition is decrypted!)
    (2) restore key data

    From then on, you have to use the rescue disk every time to boot to the encrypted system partition. But at least the hard drive itself does not contain the boot loader...you could easily have "wiped the hard drive in preparation for a reinstall".

    (As a further step, if your PC supports booting from USB, you could install the TC bootloader to a USB drive, with the result that you can only boot to the system partition when that USB drive is inserted.)
     