
Encrypted Volume

(@workneverends)
Posts: 33
Eminent Member
Topic starter
 

I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. How do I get the volume into EnCase to hash the pictures in there and work within this volume in EnCase?

Thanks for all who provide input.

 
Posted : 14/05/2009 11:34 pm
schlecht
(@schlecht)
Posts: 46
Eminent Member
 

I would copy the files from the TrueCrypt volume, import them into EnCase and hash them... all while keeping a copious log detailing/showing what and why you were doing it.

 
Posted : 14/05/2009 11:52 pm
markg43
(@markg43)
Posts: 77
Trusted Member
 

This post assumes that when you open the volume with TrueCrypt, it mounts on the OS as a Windows drive letter. You did not specify.

Use EnCase or FTK Imager, load the LOGICAL volume (drive letter) as the source input.

Now image that logical volume to an image file, dd or E01.

Work EnCase from there.

Mark

 
Posted : 15/05/2009 12:34 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

I have a CP case where the suspect put all his pics in a TrueCrypt encrypted volume. He gave us the password and I was able to mount it in TrueCrypt and see what was within it. …

Don't forget that TrueCrypt supports a hidden volume such that a different password gives completely different content.

One would assume that a fake secondary volume would not contain incriminating files.

 
Posted : 16/05/2009 1:44 am
jim123
(@jim123)
Posts: 2
New Member
 

I concur with the above reply. TrueCrypt needs two passwords. If I was your man I would give one password to some dodgy files (half lie as a deception) whereas the second password is the one you want.

Hope this is of some help?

 
Posted : 17/05/2009 11:37 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

TrueCrypt only needs one password per volume. However, you can create a hidden volume within a TrueCrypt volume. The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so:

http://www.forensicinnovations.com/blog/?p=7

-David

 
Posted : 17/05/2009 7:53 pm
(@thefuf)
Posts: 262
Reputable Member
 

The hidden volume is hard but no longer impossible to detect and it requires its own password. Here's the link to the article describing the detection, and a tool to do so

This tool detects files that contain "random" data (= encrypted headerless data), it cannot detect hidden volumes since they are created in the free space of the outer volume.

From TC doc:

"free space on any TrueCrypt volume is always filled with random data when the volume is created"

So, every TC container has "random" data in unallocated space.

 
Posted : 17/05/2009 9:26 pm
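
An added illustration of the point in the post above (not code from the thread, the linked tool or TrueCrypt): a per-block entropy check run over two constructed containers, one with only random-filled free space and one with simulated hidden-volume ciphertext inside that free space, flags exactly the same blocks in both. The SHA-256 counter stream, block size, threshold and sample data are assumptions standing in for the real random fill and cipher output.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # analysis block size in bytes (assumption)

def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudorandom bytes; stand-in for random fill / cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def entropy(block: bytes) -> float:
    """Shannon entropy of a block, in bits per byte."""
    counts = Counter(block)
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts.values())

def build_container(hidden: bool) -> bytes:
    """Constructed sample: 8 blocks of 'files', then 24 blocks of free space."""
    files = (b"JFIF sample picture data " * 2000)[: 8 * BLOCK]
    free = bytearray(keystream(b"format-time random fill", 24 * BLOCK))
    if hidden:
        # Overwrite the last 16 free blocks with simulated hidden-volume ciphertext.
        plain = (b"hidden volume contents " * 4000)[: 16 * BLOCK]
        ks = keystream(b"hidden volume key", len(plain))
        free[8 * BLOCK:] = bytes(p ^ k for p, k in zip(plain, ks))
    return files + bytes(free)

def high_entropy_blocks(image: bytes, threshold: float = 7.9) -> list:
    """Indexes of the blocks a randomness test would flag."""
    return [i // BLOCK for i in range(0, len(image), BLOCK)
            if entropy(image[i:i + BLOCK]) >= threshold]

if __name__ == "__main__":
    for hidden in (False, True):
        flagged = high_entropy_blocks(build_container(hidden))
        print(f"hidden={hidden}: blocks {flagged[0]}..{flagged[-1]} flagged ({len(flagged)})")
```
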
(@workneverends)
Posts: 33
Eminent Member
Topic starter
 

You guys are right…there may be a hidden volume. But this criminal wasn't the brightest because there are enough incriminating images on this volume that he gave me the password to.

I still can't figure out how to get it into EnCase as a volume. I tried doing what MarkG said but EnCase is not letting me add that logical drive. Also I don't want to just import the pictures in there because I want the volume information and everything in EnCase so the defense can't argue I just imported in random pictures.

Anybody else know the best way to do this?

 
Posted : 18/05/2009 6:16 pm
CdtDelta
(@cdtdelta)
Posts: 134
Estimable Member
 

So EnCase isn't allowing you to add it as a local device? Is it giving you an error when you try to add it? If the volume has been assigned a drive letter you should be able to add it to EnCase.

Tom

 
Posted : 18/05/2009 6:21 pm
(@thefuf)
Posts: 262
Reputable Member
 

Did you try FTK Imager?

 
Posted : 18/05/2009 6:22 pm