

Chi Square and Modulo 512 to find TrueCrypt Files - damn_cops
http://16systems.com/TCHunt

======
damn_cops
I neglected to mention that the method for detecting TrueCrypt volumes is
described, somewhat, in the FAQ.

------
devicenull
That's rather interesting, though it seems rather simple for the TrueCrypt
developers to defend against this. Add some random noise to the end of the file,
or fake a file header.

------
derefr
Can this be used to detect TrueCrypt Hidden volumes (the ones it stores in the
free space of other TrueCrypt volumes, for deniability purposes)?

~~~
damn_cops
From the FAQ:

Q. Can TCHunt locate hidden volumes?

A. Yes. However, TCHunt cannot differentiate between a standard volume and a
hidden one.

~~~
derefr
I took that to refer to volumes that are just stored on a normal filesystem
with their hidden bit set, or a dot prepended. If TCHunt could really find the
"stored-in-free-space" Hidden volumes, it definitely _would_ be able to
distinguish them, or the disclaimer would at least read "TCHunt cannot
differentiate between a _deleted_ volume and a hidden one," because that's
what it would look like--data in the filesystem without a corresponding
inode/MFT entry. Plus, depending on whether or not it _is_ trying to find
these deleted volumes, its scanning algorithm would have to be completely
different--one just following down the directory tree, the other working
across the block device with a resizable window.
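
A sketch of the two checks named in the submission title, added here as an illustration; it is not TCHunt's code and not something posted in the thread. The 64 KiB sample size, the chi-square acceptance band and all function names are assumptions, and the inputs are constructed test data rather than real volumes.

```python
import os
import random

SECTOR = 512                      # the "modulo 512" test from the title
SAMPLE = 64 * 1024                # assumption: bytes sampled from the start of the file
CHI_MIN, CHI_MAX = 150.0, 400.0   # assumption: accept band around 255 (255 degrees of freedom)


def chi_square(data: bytes) -> float:
    """Pearson chi-square of byte frequencies against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def classify(size: int, sample: bytes) -> str:
    """Return 'candidate' or the reason the file was ruled out."""
    if size == 0 or size % SECTOR != 0:
        return "size not a multiple of 512"
    if not CHI_MIN <= chi_square(sample) <= CHI_MAX:
        return "byte distribution not uniform"
    return "candidate"


def scan_file(path: str) -> str:
    """Apply both checks to a file on disk, reading only the leading sample."""
    with open(path, "rb") as fh:
        return classify(os.path.getsize(path), fh.read(SAMPLE))


# Constructed sample inputs (not real volumes).
_rng = random.Random(2009)
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(SAMPLE))
TEXT_LIKE = (b"plain text has a very uneven byte histogram. " * 2000)[:SAMPLE]

if __name__ == "__main__":
    cases = [("random-like", RANDOM_LIKE), ("text", TEXT_LIKE),
             ("random-like, 1 byte short", RANDOM_LIKE[:-1])]
    for name, blob in cases:
        print(f"{name:28s} chi2={chi_square(blob):12.1f} -> {classify(len(blob), blob)}")
```

A "candidate" result only means the file is sector-aligned and statistically indistinguishable from random bytes; any other uniformly random, sector-aligned file matches as well.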

