Monday, January 7, 2013

Backtrack Forensics: Truecrypt


TrueCrypt is an application that can do three main things:
  • Encrypt an entire external drive or partition (USB stick, HDD)
  • Create an encrypted file container, which can be mounted as a drive / partition
  • On Windows, encrypt the entire system drive it is installed on, so the machine requires pre-boot authentication
So basically the purpose is to hide data and to make a forensic investigation of our encrypted drive / file as hard as possible. TrueCrypt recommends passwords of at least 20 characters. We can also specify keyfiles, which are combined with the password: any file can be used (TrueCrypt only processes the first 1024 KB of a keyfile), but compressed files such as archives, MP3s or JPEGs are recommended because their content is close to random. Keyfiles stored on smart cards / security tokens are also supported.
The encryption algorithms are very strong: we can choose from AES, Twofish and Serpent, or cascade several of them, each layer using its own independent key:
  • AES-Twofish
  • AES-Twofish-Serpent
  • Serpent-AES
  • Serpent-Twofish-AES
  • Twofish-Serpent

The encryption has no backdoor and no recovery mechanism, so if we forget the password or lose the keyfiles the data is gone; with a strong password, brute force is computationally infeasible. The FBI failed as well, as reported here: http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/. In practice an investigator therefore doesn't attack the cryptography but everything around it: a short or guessable password that a dictionary attack can find, or a volume that was left mounted, because while it is mounted the master key sits in RAM and can be pulled out of a memory image.
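The flip side of "uncrackable" is that a TrueCrypt volume can still be found: a container carries no magic bytes (even its header is encrypted), so the whole file is indistinguishable from random data, and that very property is what forensic triage tools key on. The script below is an added example, not code from this post or from TrueCrypt; it applies the usual heuristics (sector-aligned size, no known file signature, byte entropy close to 8 bits) to constructed blobs that stand in for a container, a text document and a gzip archive. The cut-offs and the seeded random stand-in for a real volume are assumptions.

```python
"""Heuristic triage for TrueCrypt-style containers (added example, not from the post).

A TrueCrypt volume has no magic bytes: even its header is encrypted, so the whole
file is indistinguishable from random data. Forensic triage therefore looks for
exactly that: a not-too-small, sector-aligned file with no known signature and
near-maximal byte entropy. Thresholds are assumptions; the samples are constructed.
"""
import gzip
import math
import random
from collections import Counter
from typing import Dict, Optional

SECTOR = 512            # a TrueCrypt volume is a whole number of 512-byte sectors
MIN_SIZE = 19 * 1024    # assumed cut-off: below this, statistics say little
ENTROPY_MIN = 7.98      # assumed cut-off, bits per byte; random data gives ~8.0

# Formats that also look random inside but announce themselves in their header.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"Rar!": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for a perfectly uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution; about 255 for random data."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def known_signature(data: bytes) -> Optional[str]:
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes) -> str:
    """Say why a blob is, or is not, a candidate encrypted container."""
    if len(data) < MIN_SIZE:
        return "too small"
    if len(data) % SECTOR:
        return "size not a multiple of 512"
    sig = known_signature(data)
    if sig:
        return f"known {sig} signature"
    if shannon_entropy(data) < ENTROPY_MIN:
        return "low entropy"
    return "candidate container"


def make_samples() -> Dict[str, bytes]:
    """Constructed stand-ins (not real evidence), seeded so every run is identical."""
    rng = random.Random(2013)
    container = bytes(rng.getrandbits(8) for _ in range(256 * 1024))  # fake TrueCrypt volume
    text = b"The quick brown fox jumps over the lazy dog.\n" * 1024   # ordinary document
    text += b" " * (-len(text) % SECTOR)                               # sector-aligned on purpose
    archive = gzip.compress(container[:64 * 1024])                     # random inside, header outside
    archive += b"\0" * (-len(archive) % SECTOR)
    return {"container": container, "text": text, "archive": archive,
            "misaligned": container[:-1]}


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    samples = make_samples()
    for name, verdict in scan(samples).items():
        blob = samples[name]
        print(f"{name:10} {len(blob):8d} B  H={shannon_entropy(blob):.4f}  "
              f"chi2={chi_square(blob):7.1f}  -> {verdict}")
```

Two limits worth keeping in mind: compressed or already-encrypted archives have the same entropy as a container and are only excluded by their headers, so headerless random data (key material, wiped free space) shows up as a false positive; and a hidden volume changes nothing here, because the outer volume's free space is random either way. The scan can say "this file may be an encrypted container", never whether a second volume is inside it.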
Another great feature is the hidden volume inside a TrueCrypt volume. The volume then has an outer and a hidden part; the hidden part lives in what looks like free space of the outer volume, towards its physical end. For example, with a 10G volume we can create a hidden volume of, say, 2G (anything smaller than the free space left in the outer volume); the outer volume will always appear as 10G in size and the hidden one as 2G. While nothing is mounted it is impossible to tell whether a hidden volume exists, because the free space of every TrueCrypt volume is filled with random data and the hidden volume is indistinguishable from it. The flip side is that when we mount the outer volume normally, TrueCrypt has no knowledge of the hidden one, so writing into the outer volume can overwrite and destroy hidden data. To avoid that we can mount the outer volume with hidden volume protection, but then we have to supply the hidden volume's password (and keyfiles) as well; the moment a write would land on hidden data, TrueCrypt reports an error and write-protects the whole volume until it is dismounted.
This feature is useful if you are forced to reveal the password for your encrypted media and cannot refuse. You can then supply the password of the outer volume; the hidden part remains unseen and nobody can tell whether there is one. The deniability only holds as long as the host system doesn't leak traces of the hidden volume (recent-file lists, thumbnails, swap), so TrueCrypt's precautions for hidden volumes have to be followed.
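The steps above (outer volume with a keyfile and a cascade, decoy files, hidden volume, mounting with hidden-volume protection) can be scripted against the text-mode CLI that TrueCrypt 7.1a ships on Linux, which is what BackTrack runs. The following is an added example, not from the post or from the TrueCrypt project: the `/tmp` and `/mnt/outer` paths, the sizes and the `truecrypt` binary being on PATH are assumptions, and the `--password` option is deliberately not used so the passphrases are typed at TrueCrypt's own prompts instead of ending up in `ps` output and shell history. If `truecrypt` is not installed, the script only prints the commands it would run.

```python
"""Scripting TrueCrypt 7.1a's text-mode CLI (added example, not TrueCrypt's own code).

Assumed: the `truecrypt` binary is on PATH (as on BackTrack 5) and the paths in
demo() are free to use. Passwords are never put on the command line; TrueCrypt
prompts for them on the terminal.
"""
import os
import shlex
import shutil
import subprocess
from typing import List, Optional

TRUECRYPT = "truecrypt"


def _run(argv: List[str], dry_run: bool) -> List[str]:
    """Echo the command, execute it unless dry_run, and return argv for inspection."""
    print("$ " + " ".join(shlex.quote(a) for a in argv))
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def make_keyfile(path: str, dry_run: bool = False) -> str:
    """Random keyfile. TrueCrypt processes only the first 1024 KiB of a keyfile,
    so 1 MiB of random bytes is the most one file can contribute."""
    if not dry_run:
        with open(path, "wb") as f:
            f.write(os.urandom(1024 * 1024))
        os.chmod(path, 0o600)  # the keyfile is half of the secret: owner-only
    return path


def create_volume(container: str, size_bytes: int, keyfile: str, hidden: bool = False,
                  cipher: str = "AES-Twofish-Serpent", hash_alg: str = "SHA-512",
                  dry_run: bool = False) -> List[str]:
    """Create the outer (normal) volume, or a hidden volume inside an existing outer one.

    `cipher` is any algorithm or cascade TrueCrypt offers (AES, Serpent, Twofish,
    AES-Twofish, ..., Serpent-Twofish-AES). A hidden volume must be smaller than the
    free space left in the outer volume; TrueCrypt prompts for the password(s).
    """
    argv = [TRUECRYPT, "--text", "--create", container,
            "--volume-type=" + ("hidden" if hidden else "normal"),
            f"--size={size_bytes}",                 # plain bytes
            f"--encryption={cipher}", f"--hash={hash_alg}", "--filesystem=FAT",
            f"--keyfiles={keyfile}",
            "--random-source=/dev/urandom"]         # no need to type random characters
    return _run(argv, dry_run)


def mount_outer(container: str, mount_point: str, keyfile: str, protect_hidden: bool = True,
                hidden_keyfile: Optional[str] = None, dry_run: bool = False) -> List[str]:
    """Mount the outer volume. With protect_hidden, TrueCrypt also asks for the hidden
    volume's password and write-protects the whole volume the moment a write would
    land on hidden data, instead of silently destroying it."""
    argv = [TRUECRYPT, "--text", "--mount", container, mount_point,
            f"--keyfiles={keyfile}",
            "--protect-hidden=" + ("yes" if protect_hidden else "no")]
    if protect_hidden and hidden_keyfile:
        argv.append(f"--protection-keyfiles={hidden_keyfile}")
    return _run(argv, dry_run)


def dismount(container: str, dry_run: bool = False) -> List[str]:
    return _run([TRUECRYPT, "--text", "--dismount", container], dry_run)


def demo(dry_run: bool) -> None:
    """Whole workflow; paths and sizes are illustrative."""
    vol, mnt = "/tmp/secret.tc", "/mnt/outer"
    outer_key = make_keyfile("/tmp/outer.key", dry_run)
    hidden_key = make_keyfile("/tmp/hidden.key", dry_run)
    create_volume(vol, 100 * 2**20, outer_key, dry_run=dry_run)           # 100 MiB outer
    mount_outer(vol, mnt, outer_key, protect_hidden=False, dry_run=dry_run)
    # ... copy the decoy files into /mnt/outer here, before the hidden volume exists ...
    dismount(vol, dry_run)
    create_volume(vol, 20 * 2**20, hidden_key, hidden=True,               # 20 MiB hidden
                  cipher="Serpent-Twofish-AES", dry_run=dry_run)
    # From now on, only ever mount the outer volume with protection enabled.
    mount_outer(vol, mnt, outer_key, hidden_keyfile=hidden_key, dry_run=dry_run)
    dismount(vol, dry_run)


if __name__ == "__main__":
    demo(dry_run=shutil.which(TRUECRYPT) is None)  # print-only when TrueCrypt is absent
```

Order matters: the decoy files go into the outer volume before the hidden volume is created (the hidden volume is laid down in the outer volume's free space, so its size has to stay below that free space), and afterwards the outer volume is never mounted for writing without `--protect-hidden=yes`. Dismount as soon as you're done; while a volume is mounted its master key is in RAM, and a memory image of the machine defeats the whole exercise.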

Here we can see a mounted file:


and here we can see that file being accessed as a mounted partition; it shows up like any normal storage media:


Official Website: http://www.truecrypt.org/
