±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 36763
New Yesterday: 9 Visitors: 140

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Encrypted Volume

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

workneverends
Member
 

Encrypted Volume

Post Posted: May 14, 09 23:34

I have a CP case where the suspect put all his pics in an truecrypt encrypted volume. He gave us the password and I was able to mount it in Truecrypt and see what was within it. How do I get the volume into encase to hash the pictures in there and work within this volume in encase?

Thanks for all who provide input.  
 
  

schlecht
Member
 

Re: Encrypted Volume

Post Posted: May 14, 09 23:52

I would copy the files from the Truecrypt volume, import them into Encase and hash them....all while keeping a copious log detailing/showing what and why you were doing it.
_________________
schlecht 
 
  

markg43
Senior Member
 

Re: Encrypted Volume

Post Posted: May 15, 09 00:34

This post assumes that when you open the volume with Truecrypt that it mounts on the OS as a windows drive letter. You did not specify.

Use EnCase or FTK Imager, load the LOGICAL volume (drive letter) as the source input.

Now image that logical volume to an image file, dd or E01.

Work Encase from there.

Mark  
 
  

watcher
Senior Member
 

Re: Encrypted Volume

Post Posted: May 16, 09 01:44

- workneverends
I have a CP case where the suspect put all his pics in an truecrypt encrypted volume. He gave us the password and I was able to mount it in Truecrypt and see what was within it. ...


Don't forget that Truecrypt supports a hidden volume such that a different password gives completely different content.

One would assume that a fake secondary volume would not contain incriminating files.  
 
  

jim123
Newbie
 

Re: Encrypted Volume

Post Posted: May 17, 09 11:37

I concur with the above reply. Trucrypt needs two passwords. If I was your man I would give one password to some dodgy files (half lie as a deception) where as the second password is the one you want.

Hope this is of some help?  
 
  

kovar
Senior Member
 

Re: Encrypted Volume

Post Posted: May 17, 09 19:53

Greetings,

TrueCrypt only needs one password per volume. However, you can create a hidden volume within a TrueCrypt volume. The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so:

www.forensicinnovation.../blog/?p=7

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

thefuf
Senior Member
 

Re: Encrypted Volume

Post Posted: May 17, 09 21:26

The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so


This tool detects files that contain "random" data (= encrypted headerless data), it cannot detect hidden volumes since they are created in the free space of the outer volume.

From TC doc:
free space on any TrueCrypt volume is always filled with random data when the volume is created


So, every TC container has "random" data in unallocated space.  
 

Page 1 of 2
Page 1, 2  Next