TrueCrypt is Now Detectable

By Rob Zirnstein. Published: April 22, 2009
Hosted at: EmbeddedSw - Security News

Why do people encrypt their data? Well, to protect their information from getting into the wrong hands, of course. But what if the "wrong hands" are law enforcement, the court system or even your boss? Should they have the right to access your data when the law is on their side, or when you are storing it on a company-owned computer? Most people would say that their information is sacred, and that they need to maintain control of it themselves.

When companies and individuals encrypt their data, they typically use software that is easily detectable. They see no need to hide the fact that they are encrypting data. Why should they? It is their data. There's nothing wrong with encrypting data. But maybe they should hide the data too. Can't the encryption be broken with decryption software? Sure, depending on how strong the encryption key is and how many days, months or years you want to spend working on it. One step you can take to further secure your data is to hide it as well.

How do you hide encrypted data? Well, you can find some very complicated ways to move it to unused/hidden places on a hard drive, make it look like a different/innocuous type of computer file or make it look like random/unerased data. This may sound pretty complicated, but products like TrueCrypt (9,623,114 downloads/users) actually make this whole process simple.

What does TrueCrypt do? TrueCrypt is a free open source utility that specializes in encrypting and hiding your data. This tool can create an entire encrypted hard disk partition, or a smaller encrypted file (virtual drive) that is easily seen by any disk utility. Where it differs from most of its competitors is that it also encrypts the parts of the storage file that don't contain your data. This means that there are no file signatures, magic number IDs or even a common file extension for disk utilities to identify that the encrypted file was made by TrueCrypt, or even that it is encrypted. It goes one step further and provides a hidden encrypted partition within an encrypted partition, for the off chance that your encrypted data is discovered and you are forced to provide the encryption key. In that situation, the invading party will see inside the first level of encryption and assume that there is nothing else to find.

How do investigators detect encrypted data? Well, most encryption tools write a recognizable file header that can easily be identified, but tools like TrueCrypt don't do that. Encrypted data tends to look like random data. So, without a file header, encrypted data is completely undetectable. Or so we thought…

We recently started analyzing encrypted files, and found a method for detecting headerless encrypted data. Sure, it looks random, but not really. There actually is a pattern to it; you just have to know how to extract that pattern. We just released version 2.23 of File Investigator TOOLS. This version detects TrueCrypt Dynamic files as well as most any other headerless encrypted file, as far as we have seen. Feel free to try the tool and see if you can find an encrypted file that it can't identify.
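The article does not describe the pattern that File Investigator TOOLS extracts. The following is an added example, not the tool's method and not code from the author or project: it implements the common forensic triage heuristic for headerless containers, which is to check that a file carries no known magic number, that its byte entropy is close to 8 bits per byte, and that its byte histogram passes a chi-square test for uniformity. The 512-byte sector-multiple check for TrueCrypt containers, the thresholds and the small magic-number table are assumptions chosen for this illustration; all sample inputs are constructed in the code.

```python
"""Heuristic triage of headerless encrypted files (constructed example).

Added illustration, not the File Investigator TOOLS method described on
the page. Three cheap checks an examiner can run over any file:
  1. no known magic number at offset 0,
  2. byte entropy close to 8 bits/byte,
  3. a chi-square test that the byte histogram is uniform.
A TrueCrypt container is assumed here to be a multiple of 512 bytes
(sector-sized); that is used only as a supporting hint.
"""
import gzip
import math
import random
from collections import Counter

# Constructed table of a few well-known magic numbers. Real signature
# databases hold thousands of entries; this is just enough to demonstrate
# why compressed files (also high-entropy) are not flagged as headerless.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"MZ": "pe executable",
}

ENTROPY_THRESHOLD = 7.9        # bits per byte; ideal random data scores 8.0
CHI_SQUARE_THRESHOLD = 330.0   # approx. 0.1% critical value, 255 degrees of freedom (assumed)
SECTOR = 512                   # assumed container granularity


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over 256 values. Near 255 for random data, huge for text."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def known_magic(data: bytes):
    """Return the type name if the file starts with a listed magic number."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes) -> str:
    """Triage verdict for one file's contents.

    Header check runs first so that compressed formats, which are also
    near 8 bits/byte, are reported by their real type rather than as
    headerless encrypted data."""
    name = known_magic(data)
    if name is not None:
        return f"known header ({name})"
    ent = shannon_entropy(data)
    chi = chi_square_uniform(data)
    if ent >= ENTROPY_THRESHOLD and chi <= CHI_SQUARE_THRESHOLD:
        if len(data) >= SECTOR and len(data) % SECTOR == 0:
            return "headerless encrypted/random (sector-sized container)"
        return "headerless encrypted/random"
    return "plain data"


if __name__ == "__main__":
    # Constructed samples: a PRNG stream standing in for a 64 KiB container,
    # a gzip stream (high entropy but has a header), and repetitive text.
    rng = random.Random(2009)
    fake_container = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    gz = gzip.compress(bytes(rng.getrandbits(8) for _ in range(4096)))
    text = b"The quick brown fox jumps over the lazy dog. " * 100
    for label, blob in [("container", fake_container), ("gzip", gz), ("text", text)]:
        print(f"{label:10s} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square_uniform(blob):8.1f} -> {classify(blob)}")
```

A verdict of "headerless encrypted/random" is an investigative lead rather than proof: wiped disk regions, random keys and some raw sensor dumps produce the same statistics, so the result should be confirmed by context (file location, size, timestamps, the presence of an encryption tool on the system) before it is treated as a hidden volume.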

What's the value in finding encrypted data that you can't decrypt? It's up to you how you leverage the information that our tool provides. Use it to elicit the encryption key from a suspect, show the withholding of potential evidence in a case, or catch your employees hiding data on company computers.