Helpful Navigation Toolbar

Monday, January 20, 2014

Identifying TrueCrypt Volumes For Fun (and Profit?)

The volatility crew posted a couple of new plug-ins that can search through a memory dump and extract TrueCrypt passwords (please read about it here). But what about TrueCrypt volumes themselves, how can you find those on a system? There are some tools (like TCHunt) and EnScripts (TrueCrypt File Locator and Encrypted Data Finder) that can help you to find TrueCrypt volumes. (DISCLAIMER: I am no longer a user of EnCase and the scripts may/may not still reside at those locations so I cannot verify how well the EnScripts work). But what if you do not have access to those tools, or what if you want to know more about WHAT these scripts are actually doing?

You can choose to encrypt your entire file system or drive, which protects the contents of your hard drive, but without an decryption key, your drive is essentially nothing more than a paperweight. You can also create individually encrypted file containers on a non-encrypted file system/drive.

This post will not cover the full disk encryption. However, it is important to note that some of the TrueCrypt characteristics discussed in this post, particularly the character distribution, will apply to anything created with TrueCrypt. For this post, we are going to focus on individually encrypted files created with TrueCrypt.

The first thing to note about files created with TrueCrypt is that the encrypted file is essentially a file container. On a Windows system, you can go through the process and you are presented with an option of either choosing a FAT or NTFS formatted container (if the file size is less than 3792KB, you can only choose FAT or None). If you choose "None" you will have to format the file after it is mounted, but usually this option is not chosen.

TrueCrypt container format options

Now that we have a little bit of background information, we can move on to the fun part, trying to identify TrueCrypt volumes on your drive. One of the tell-tale signs of a file being a TrueCrypt volume is anything with the extension ".tc". This is the default association of a file as being a TrueCrypt file, but to be honest, if you find ".tc" files, the level of sophistication of the user(s) of the drive may not be very high. Or perhaps there are hidden volumes created within the TrueCrypt volumes meant to throw you off (that will be a post for another time!)

Usually TrueCrypt volumes can be found in folders where "large" (several hundred MB and larger) files are commonly stored and are renamed to look normal among those files. For example, some locations I have encountered are folders associated with Outlook.pst files and downloaded videos.

Another thing to note with TrueCrypt volumes is the file sizes that the file "has" to be. The smallest size that a volume can be is 292KB. So we probably want to look for files that have a minimum size of 292KB (299,008 bytes). Because TrueCrypt volumes can increase in size by 1KB (1024 bytes) increments, we could search for all files that are only cleanly divisible by 1024 bytes. However, as the smallest allocation unit on a disk is a sector (which is typically 512 bytes), we will search for any file sizes that are cleanly divisible by 512 bytes. I would rather have more possible false positives rather than potentially missing some possible TrueCrypt volumes.

Three 292KB TC volume file properties

For example, one of the files referenced above "" has a file size (not size on disk, although with TrueCrypt volumes they are usually the same) of 299,008 bytes. We can take the size of that data and divide it by 512. If the result comes back clean, aka a whole number, our file has passed the size check test, so the file is possibly a TrueCrypt file.

299,008 / 512 = 598 = Pass!

Test-document.docx file properties

For another example, here's a test document that I created - "Test-document.docx" which has a file size of 461,359 bytes. Once again, we take the size and divide it by 512.

461,359 / 512 = 901.091796875 = Fail!

From this, we have learned that really don't have to look any more at the file "Test-document.docx" because it failed one of the easiest tests to perform when trying to find a TrueCrypt volume. Great success!!

The next step that we can take to determine if a file is possibly TrueCrypt or not is by trying to discern the file signature. There are MANY ways to do this, one of the examples I am going to demonstrate is running "file" on a Windows system using GNUWin32. 

Running "file" against our two files of interest

Running "file" recognizes the possible TrueCrypt volume as "data", but the Office document as a "ZIP" file (which it is and has been since Office 2007). So now we know that the file "" has passed the file size test and that it does not have a discernible file header. High five!!

High Five!

Now for the last step in trying to determine if our file is possibly a TrueCrypt file or not. There are once again several ways to do this, but I prefer to use Hex Workshop for this blog post as it makes prettier pictures than running a script of some sort. What we are looking for now is "entropy", aka "randomness", aka "character distribution". File data is stored as an arranged series of bytes on disk. What we are going to look for is how many times certain characters occur in the file. In most files, some characters will occur far more often than others (\x00, \xFF, etc.) In a TrueCrypt volume, the program tries to distribute the characters in a completely "random" (i.e. equally occurring) format. 

To explain this in simpler terms, if a "normal" file is made up of "01189998819991197253" (7 occurrences of 9), a TrueCrypt file will be made up of "01234567890123456789" (each character occurring only twice). With smaller TrueCrypt volumes the percentage of character occurrence is close to being "random", but it is not perfect. The highest percentage of character occurrences that I have seen in testing is 0.47%. As the size of the volume increases though, the percentage of character distribution is more level at 0.39%. I have seen tools demonstrate the "randomness" on a scale of 1 to 10, 1 to 8, and even 0 to 1, with different values correlating to how random the data is. Once again, for the purposes of this blog post, I prefer to use Hex Workshop to demonstrate the distribution. Below are three examples from random Word documents I downloaded from the web, three examples from smaller TrueCrypt files (292KB) and two examples from TrueCrypt larger files (1GB). Even though the actual number of times the characters appear varies, what we are looking for is the percentage of how many times those characters occurs. 

finalreport.authcheckdam.doc character mapping

PilotProjectFinalReportRev2.doc character mapping

TCR-AL252005_Wilma.doc character mapping (292KB) character mapping (292KB) character mapping (292KB) character mapping

TC-hidden-test (1GB) character mapping

TC-test (1GB) character mapping

To summarize all of the topics covered in this post, there are three main characteristics of TrueCrypt volumes that we can test for:

- Minimum File size / File size being a multiple of 512 bytes
- File Signature check
- Character distribution

I sincerely hope that you enjoyed this post on identifying TrueCrypt volumes for fun (and profit?). Hopefully you did indeed have a little fun reading this and can eventually turn that into profit of some sort!

No comments:

Post a Comment