So here I was relaxing and watching Friends…when suddenly one of my old and almost forgotten ideas popped into my head. The problem context is as follows:
Let’s say you image (or just want to search) a hard disk and want to know whether the owner has any crypto containers on it. How would you go about this?
The TrueCrypt website clearly states that it:
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography) and hidden operating system.
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
The sentence that got my attention a while back was sentence number 2. Because I was thinking…a computer hardly has any random data on it, in my opinion. So if you encounter a file which ONLY contains random data…that pretty much indicates the POSSIBLE presence of an encrypted file container. The statement TrueCrypt makes still holds up…because you can NOT be 100% sure it is a TrueCrypt container unless you find its password, crack the password or the person just hands you the password. Nonetheless you are able to identify a possible crypto container. This is useful if you need some bluffing/convincing to achieve some other goal/purpose. I have used TrueCrypt as an example here; this theory also applies to other products capable of making crypto containers, like DriveCrypt or any other crypto container software.
I then thought of the following steps to isolate possible crypto containers:
- A tool that is able to identify file formats
- A tool that is able to calculate the entropy on a given file
First you start with the file identifier; this can be file under Linux or TrID under Windows (or any other preferred file identifier). You feed it all the files found on the hard disk and discard every file the identifier recognizes.
The files that have not been identified you feed to your entropy calculator, for example this one or that one. After this last weeding you should be left with only a couple of files (in the best case the number of files found equals the number of crypto containers on the hard disk). All you need to do now is find the right password and open it.
Be aware that files like compressed files, media files and raw image files also contain pretty high levels of entropy. So before you go all EUREKA make sure to double check that the file is not one of the types mentioned before.
I filed this post under “midnight thoughts” because this theory is not really foolproof…so if used in any forensic investigation you only have a tiny clue that the hard disk possibly contains a crypto container, which is useless if you don’t have the password or a way to crack it.
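As an added example (not code from the original post), here is the two-step weeding described above in Python: a small signature check standing in for file/TrID, a Shannon entropy pass over whatever it does not recognize, and constructed samples that include the compressed/media trap just mentioned. The magic table, the 7.9 bits-per-byte threshold and the 1 MiB sample size are my assumptions, not values the post specifies.

```python
import math
import os
from collections import Counter

# Constructed stand-in for `file`/TrID (assumption): a few magic signatures are
# enough for the demo; the real tools know thousands of formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\x1f\x8b": "gzip compressed data",
    b"PK\x03\x04": "ZIP archive",
}

def identify(data):
    """Step 1: return a format name if the header matches a known signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def shannon_entropy(data):
    """Step 2: Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data, threshold=7.9):
    """Both steps combined: only unidentified AND near-random data is a candidate."""
    fmt = identify(data)
    ent = shannon_entropy(data)
    if fmt is not None:        # known format: dropped even if its entropy is high
        return ("identified", fmt, ent)
    if ent >= threshold:       # no known header and statistically random bytes
        return ("candidate", None, ent)
    return ("discarded", None, ent)

def scan_tree(root, sample=1 << 20, threshold=7.9):
    """Yield (path, verdict) for candidate files, judging each by its first `sample` bytes."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = triage(fh.read(sample), threshold)
            if verdict[0] == "candidate":
                yield path, verdict

# Constructed samples: plain text, a random blob (what a container looks like on
# disk), and random bytes behind a PNG header (high entropy, but caught by step 1).
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 200
SAMPLE_RANDOM = os.urandom(64 * 1024)
SAMPLE_PNG_LIKE = b"\x89PNG\r\n\x1a\n" + os.urandom(4096)
```

Files shorter than a few hundred bytes can never reach 7.9 bits per byte (entropy is capped at log2 of the length), so they are never flagged by this threshold.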