Skip to main content

TCHunt Finds Hidden And Encrypted TrueCrypt Volumes

TCHunt is a data forensic tool to find encrypted TrueCrypt volumes that are hidden or disguised as other files. The software was written to demonstrate that while encrypted volumes may be indistinguishable from random data, volumes themselves can be easily distinguished from most other files on your system.

People believe that they can hide files by simply changing the file extension and disguising it as another file. The truth, is you cannot. Each file type has a well defined header – a pattern of ones and zeroes - from which it can be easily identified whether it is a video file or audio file or a document or a TrueCrypt volume. You cannot even claim the file is corrupted because data corruption is random and statistically can never resemble AES encrypted data, which is the encryption algorithm used by TrueCrypt.

tchunt

TCHunt tries to identify hidden TrueCrypt volumes by looking at the following file attributes:

  • The suspect file size modulo 512 must equal zero.
  • The suspect file size is at least 19 KB.
  • The suspect file contents pass a chi-square distribution test.
  • The suspect file must not contain a common file header.

TCHunt completely ignores file names and file extensions when scanning drives and folders for hidden volumes.

The reporting window will list volumes as they are found. Among those listed, there might be false positives. TCHunt takes a very conservative approach when looking for TrueCrypt volumes because the developer believes that it better to have a few false positives than false negatives as false positives can be easily dismissed if they are indeed false. Besides, according to the developer, many false positives usually turn out to be other forms of encrypted data, or in the worst case, files that contain random data.

TCHunt, however, cannot brute-force or break the TrueCrypt volumes, so you are safe on that ground.

TCHunt is available in several languages and runs on all Windows versions newer than Windows XP.

Labels:

Comments

Post a Comment

Popular posts from this blog

How to Record CPU and Memory Usage Over Time in Windows?

Whenever the computer is lagging or some application is taking too long to respond, we usually fire up task manager and look under the Performance tab or under Processes to check on processor utilization or the amount of free memory available. The task manager is ideal for real-time analysis of CPU and memory utilization. It even displays a short history of CPU utilization in the form of a graph. You get a small time-window, about 30 seconds or so, depending on how large the viewing area is.
17 comments
Read more

Diagram 101: Different Types of Diagrams and When To Use Them

Diagrams are a great way to visualize information and convey meaning. The problem is that there’s too many different types of diagrams, so it can be hard to know which ones you should use in any given situation. To help you out, we’ve created this diagram that lays out the 7 most common types of diagrams and when they’re best used:
Post a Comment
Read more

How to Schedule Changes to Your Facebook Page Cover Photo

Facebook’s current layout, the so called Timeline, features a prominent, large cover photo that some people are using in a lot of different creative ways. Timeline is also available for Facebook Pages that people can use to promote their website or business or event. Although you can change the cover photo as often as you like, it’s meant to be static – something which you design and leave it for at least a few weeks or months like a redesigned website. However, there are times when you may want to change the cover photo frequently and periodically to match event dates or some special promotion that you are running or plan to run. So, here is how you can do that.
1 comment
Read more