Truecrypt FDE on empty HD

Discussion in 'privacy technology' started by stap0510, Sep 26, 2008.

Thread Status:
Not open for further replies.
  1. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Is it possible to perform Full Disk Encryption on a brand new (and therefore clean) hard drive, prior to installing Windows XP?

    I want to do this as sort of an anti-forensics method, so that, for example, when you run data-recovery software like "GetDataBack for NTFS", you won't get any (useful) data from before the installation of TrueCrypt.

    I hope you guys understand what I mean with this, and can help me out on this.
     
  2. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Just do the basic Windows install, do your updates (Windows Update), then you can install TrueCrypt and install.

    If you do a system encryption, it is encrypting everything, even the OS, so once the system is encrypted, there is no way to recover any data.
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I do not think it is possible to install TrueCrypt WDE before Windows installation. I am quite sure it is not possible, actually.

    When you use TrueCrypt WDE, it uses the algorithm/password you choose, in addition to a randomly generated number. The entire disk gets encrypted and nothing would be shown to forensic software, other than random data and the fact that the TrueCrypt boot loader is installed.

    If you are so worried about the security of your WDE drive, I suggest using the hidden OS feature within TrueCrypt.
     
  4. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    AJohn, thank you for your reply (the same goes for KookyMan).
    I don't think it is possible either.
    On a positive note, I can't seem to find any other kind of software FDE solution that can encrypt an entire disk without the operating system being installed first.
    So on the upside, TrueCrypt is equal to all the other solutions when it comes down to this.
    Because of my lack of extended experience with Truecrypt I thought I just had to ask.

    On the forensics-side: I think data-recovery software CAN still pick some files from the pre-truecrypt installation.
    I mean consider this: why else do you need to wipe a disk clean safely several times, instead of just once? Lots of 3-letter agencies have policies of between 15 to 35 wipes to even consider a disk "clean".
    The more a certain cluster/sector gets overwritten, the harder it is to get the older data back reliably.
    So I think reformatting the entire disk with pseudo-random data (created by Truecrypt for the encrypted layer) once, doesn't mean the older (unencrypted) documents are completely inaccessible.

    Although I like TrueCrypt a lot (just as it is open-source as to the contrary of the proprietary stuff out there, which I can't exclude from suspicion having a little backdoor somewhere), but here I'm just sceptical on the thoroughness of the whole FDE process... just from a forensics point of view.
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    When installing TrueCrypt WDE, it allows you to define the number of passes upon encryption and includes the 35-pass Gutmann method.
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Also, you could run freespace wipe after installing WDE.
     
  7. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    AJohn, again, thanks for the reply.
    The 35-pass Gutmann wipe sounds really solid to me.
     
  8. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    The Gutmann wipe is overkill. All you need is one random data pass, or if you want to do some overkill do two or three. Gutmann provides no benefits on modern hard drives. (If you're dealing with a drive from the 80s/early 90s, OK, then maybe, but that drive would be quite old.)
     
  9. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    KookyMan, let me ask you this:

    Is a professional data-recovery company able to get your old unencrypted data back after 3 random data wipes?
    That's the level I'm aiming for really.
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    As far as anyone in these forums is aware of (that communicates when questions are asked), 3 or 4 wipes is the maximum on current hard drives that is of any use without being 'overkill'. The 35 passes can take up to a week or more to finish on bigger hard drives. I suggest 2 or 3 passes at the most.

    Like I mentioned earlier, you can use just 1 default pass and then afterwards run a freespace cleaner from within the WDE-Windows installation that will have a similar effect.

    The most anyone can find that recovery companies claim to be able to recover are like 1-2 passes.

    Edit: Also, a 'dummy OS' is an option when using TrueCrypt WDE that would provide a second layer of security in addition to the initial encryption.
     
  11. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    As of now, there is an open challenge for any professional data company to recover data from a drive that was overwritten by a single stream of random digits. It's been open for nearly a year and no one has even asked to partake.

    I think they would fall over themselves for the bragging rights if it was possible if nothing else. Imagine the selling point if you could advertise the ability to recover overwritten data with proof. They can't, which is why they won't step up to the challenge.

    And keep in mind that Drive + Random Wipe + System Encryption, from the point of what is written to the hard drive, is equivalent to writing two passes of random data. Since the encrypted version is random data when looked at unencrypted.
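
As an added example, not part of the original thread: a Python check of what sector-reading software (such as a recovery tool) sees before and after the single random pass discussed above, run on a constructed 32 KiB image file rather than a real drive. The function names, the sample plaintext and the 7.0 bits-per-byte entropy threshold are assumptions made for this illustration.

```python
import math
import os
import tempfile
from collections import Counter

SECTOR = 512  # bytes per sector in the constructed image

def sector_entropy(block):
    """Shannon entropy of one sector, in bits per byte (8.0 is the maximum)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def low_entropy_sectors(path, threshold=7.0):
    """Indices of sectors that do not look random (threshold is an assumption)."""
    with open(path, "rb") as f:
        sectors = iter(lambda: f.read(SECTOR), b"")
        return [i for i, s in enumerate(sectors) if sector_entropy(s) < threshold]

def contains_marker(path, marker):
    """True if a known plaintext byte string is still readable from the image."""
    with open(path, "rb") as f:
        return marker in f.read()

def random_pass(path, chunk=1 << 20):
    """Overwrite the whole image in place with one pass of random bytes."""
    size, written = os.path.getsize(path), 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(os.urandom(n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the device, not just the cache
    return written

def build_sample_image(path, sectors=64):
    """Constructed sample: a zeroed image with three sectors of old plaintext."""
    with open(path, "wb") as f:
        f.write(bytes(SECTOR * sectors))
        for i in (3, 10, 42):
            f.seek(i * SECTOR)
            f.write((b"old unencrypted document %d\n" % i) * 18)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_sample_image(img)
        print("before:", len(low_entropy_sectors(img)), "non-random sectors")
        random_pass(img)
        print("after: ", len(low_entropy_sectors(img)), "non-random sectors")
```

This only tests what can be read back through the normal sector interface; it says nothing either way about the laboratory-level recovery the thread debates.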
     
  12. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Is it, by the way, possible to change the password once you have entirely made the encrypted disk that has a password already?
     
  13. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Yes, you can always change the password.
     