Skip to main content

TCHunt Finds Hidden And Encrypted TrueCrypt Volumes

TCHunt is a data forensic tool to find encrypted TrueCrypt volumes that are hidden or disguised as other files. The software was written to demonstrate that while encrypted volumes may be indistinguishable from random data, volumes themselves can be easily distinguished from most other files on your system.

People believe that they can hide files by simply changing the file extension and disguising it as another file. The truth, is you cannot. Each file type has a well defined header – a pattern of ones and zeroes - from which it can be easily identified whether it is a video file or audio file or a document or a TrueCrypt volume. You cannot even claim the file is corrupted because data corruption is random and statistically can never resemble AES encrypted data, which is the encryption algorithm used by TrueCrypt.


TCHunt tries to identify hidden TrueCrypt volumes by looking at the following file attributes:

  • The suspect file size modulo 512 must equal zero.
  • The suspect file size is at least 19 KB.
  • The suspect file contents pass a chi-square distribution test.
  • The suspect file must not contain a common file header.

TCHunt completely ignores file names and file extensions when scanning drives and folders for hidden volumes.

The reporting window will list volumes as they are found. Among those listed, there might be false positives. TCHunt takes a very conservative approach when looking for TrueCrypt volumes because the developer believes that it better to have a few false positives than false negatives as false positives can be easily dismissed if they are indeed false. Besides, according to the developer, many false positives usually turn out to be other forms of encrypted data, or in the worst case, files that contain random data.

TCHunt, however, cannot brute-force or break the TrueCrypt volumes, so you are safe on that ground.

TCHunt is available in several languages and runs on all Windows versions newer than Windows XP.


Popular posts from this blog

How to Record CPU and Memory Usage Over Time in Windows?

Whenever the computer is lagging or some application is taking too long to respond, we usually fire up task manager and look under the Performance tab or under Processes to check on processor utilization or the amount of free memory available. The task manager is ideal for real-time analysis of CPU and memory utilization. It even displays a short history of CPU utilization in the form of a graph. You get a small time-window, about 30 seconds or so, depending on how large the viewing area is.

How to Schedule Changes to Your Facebook Page Cover Photo

Facebook’s current layout, the so called Timeline, features a prominent, large cover photo that some people are using in a lot of different creative ways. Timeline is also available for Facebook Pages that people can use to promote their website or business or event. Although you can change the cover photo as often as you like, it’s meant to be static – something which you design and leave it for at least a few weeks or months like a redesigned website. However, there are times when you may want to change the cover photo frequently and periodically to match event dates or some special promotion that you are running or plan to run. So, here is how you can do that.

69 alternatives to the default Facebook profile picture

If you have changed the default Facebook profile picture and uploaded your own, it’s fine. But if not, then why not replace that boring picture of the guy with a wisp of hair sticking out of his head with something different and funny?