Truecrypt containers revealing file properties in MFT after deletion

Discussion in 'encryption problems' started by onshen, Oct 22, 2012.

Thread Status:
Not open for further replies.
  1. onshen

    onshen Registered Member

    Joined:
    Oct 22, 2012
    Posts:
    2
    Using Windows 7 Home Premium

    I have found that when I delete a Truecrypt container with data inside, its previously encrypted contents become listed in the Master File Table and can be browsed and partly recovered by using the Recuva piece of software. File names, file sizes, file locations, it's all there. I just tested it twice by creating new containers and they spilled the content into the MFT both times, which I could view with Recuva. The data was definitely not listed in the MFT beforehand when viewing it with the Recuva tool.

    So what is supposed to be sensitive data can therefore be accessed? Am I missing something? Because this would appear to be a massive security hole in Truecrypt. Apologies if this is a well known feature but I am new to these matters and have never heard anyone speak of this particular issue.

    Many people put their faith in Truecrypt but in my experience all an adversary would need to do is delete the TC container then run Recuva to see what was being hidden. To see a list of the file extensions, names and sizes may well be enough in some situations even if no items can be recovered intact. I know I can use software to wipe files that are marked for deletion in the MFT to prevent recovery, but that measure becomes irrelevant if the adversary has access to the system or makes a duplicate of the TC container to take away, delete and examine.

    How do I stop the contents of a TC container becoming entered in the MFT upon its deletion? Is this how TC is supposed to behave?

    Thanks in advance
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    There are two MFTs in your scenario. Your NTFS-formatted partition has an MFT. If you create a file-hosted container inside a specific partition then that partition's MFT stores data about the name, size, location etc. of the newly created file, but it does NOT store any of the encrypted volume's contents such as encrypted folder and file names. (Or at least, it's not supposed to and I've never heard of it happening except in the case of data leakage, and in that case the data is stored outside the TrueCrypt volume, e.g. temp files, paging file etc.)

    The TrueCrypt volume also contains an MFT (assuming it was formatted NTFS), although this is only accessible while the volume is mounted.

    I don't see how TC could be leaving any of this sort of information behind in the partition's MFT. What is your exact procedure? Are you merely deleting the contents of the mounted volume and then exploring the volume's data remnants using Recuva or similar? Or are you actually dismounting the volume, deleting the container file and then exploring the partition's MFT? Also, are you rebooting at any time? If you would explain your procedure clearly and it makes sense then I'll be happy to attempt to duplicate your results.

    Also, do you have "Previous versions" enabled for the files within the TrueCrypt volume? This feature is supported by either System Restore or Windows Backup, depending on how you've set things up. I've never tried it on a TrueCrypt volume before, so I'm not sure if it's possible, but if that's what you've done then I'll give it a shot.
     
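As an added illustration of the MFT mechanics dantz describes (example code written for this thread, not from any poster or from TrueCrypt): an NTFS MFT record keeps a file's name and size in its resident $FILE_NAME attribute, and deleting the file only clears the record's in-use flag, so a carving tool such as Recuva can still list names and sizes from either the host partition's MFT or the volume's own MFT inside the container. The $MFT image below is constructed in code; the record numbers, names and sizes are sample values.

```python
import struct
IN_USE, FILE_NAME_ATTR, END_MARKER, REC = 0x01, 0x30, 0xFFFFFFFF, 1024

def build_record(recno, name, size, in_use):
    """Constructed 1 KiB MFT FILE record with one resident $FILE_NAME (sample data, not a real disk)."""
    utf = name.encode("utf-16-le")
    body = struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, (size + 4095) & ~4095, size, 0x20, 0, len(name), 3) + utf
    alen = (24 + len(body) + 7) & ~7                      # attribute length, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME_ATTR, alen, 0, 0, 24, 0, 2, len(body), 24, 1, 0) + body
    attr = attr.ljust(alen, b"\0") + struct.pack("<II", END_MARKER, 0)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                         IN_USE if in_use else 0, 0x38 + len(attr), REC, 0, 3, 0, recno)
    # 8 bytes at 0x30: update sequence number plus two fixup slots, all zero in this sample
    return (header + b"\0" * 8 + attr).ljust(REC, b"\0")

def parse_record(raw):
    """Return (recno, in_use, name, size) for a FILE record, or None if the sector is not one."""
    if raw[:4] != b"FILE":
        return None
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):            # undo fixups: each sector's last 2 bytes carry the USN
        pos = i * 512 - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("torn record: fixup %d mismatch" % i)
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    recno = struct.unpack_from("<I", rec, 0x2C)[0]
    name, size, off = None, None, first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if atype == FILE_NAME_ATTR and rec[off + 8] == 0:   # resident $FILE_NAME attribute
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]   # content offset
            size = struct.unpack_from("<Q", rec, c + 0x30)[0]        # real (logical) size
            name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le")
        off += alen
    return recno, bool(flags & IN_USE), name, size

def list_entries(mft):
    """Walk a raw $MFT image record by record; deleted files are reported alongside live ones."""
    return [r for r in (parse_record(mft[i:i + REC]) for i in range(0, len(mft), REC)) if r]

# Constructed sample $MFT: a live file and a 'deleted' one whose in-use flag was cleared.
SAMPLE_MFT = build_record(64, "budget.xlsx", 20480, True) + build_record(65, "plans.docx", 31337, False)
if __name__ == "__main__":
    for recno, in_use, name, size in list_entries(SAMPLE_MFT):
        print("record %d %-7s %s (%d bytes)" % (recno, "in-use" if in_use else "DELETED", name, size))
```

The deleted record prints with its full name and size, which is exactly what a recovery tool shows; only overwriting the record (or the whole container, in the file-hosted case) removes that metadata.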
  3. imseca

    imseca Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    2
    I'm interested in this topic. It seems that many programmers have recently been challenged to break Truecrypt. But honestly, if the file is critical for me I don't just delete it without using a file shredder.
     
  4. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    RTFM!!

    I simply cannot comprehend why people don't read the manual for software like TC!
     
  5. onshen

    onshen Registered Member

    Joined:
    Oct 22, 2012
    Posts:
    2
    Thanks all and Enigm. I confess I'm not an IT person; when I set up my computer I had never heard the phrase "journaling file system". When trying to digest the raft of technical info on the TC webpage, I obviously passed through this passage without understanding what its implications were and how they related to me.

    I understand the frustration of thinking people don't read the manual, but in my defence I did spend hours reading their website. Problem is, when you've never heard of paging files or TRIM operations, digesting it all becomes more difficult and it's easy to miss something. In my view, it wouldn't do any harm if they made a handful of such fundamental points more salient on their site.

    Thanks again.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I don't think the issue described in that snippet from the TC manual is consistent with what Onshen originally described. I think Onshen needed to respond to dantz.
     