TCHunt is a data forensic tool to find encrypted TrueCrypt volumes that are hidden or disguised as other files. The software was written to demonstrate that while encrypted volumes may be indistinguishable from random data, volumes themselves can be easily distinguished from most other files on your system.
People believe that they can hide files by simply changing the file extension and disguising it as another file. The truth, is you cannot. Each file type has a well defined header – a pattern of ones and zeroes – from which it can be easily identified whether it is a video file or audio file or a document or a TrueCrypt volume. You cannot even claim the file is corrupted because data corruption is random and statistically can never resemble AES encrypted data, which is the encryption algorithm used by TrueCrypt.
TCHunt tries to identify hidden TrueCrypt volumes by looking at the following file attributes:
- The suspect file size modulo 512 must equal zero.
- The suspect file size is at least 19 KB.
- The suspect file contents pass a chi-square distribution test.
- The suspect file must not contain a common file header.
TCHunt completely ignores file names and file extensions when scanning drives and folders for hidden volumes.
The reporting window will list volumes as they are found. Among those listed, there might be false positives. TCHunt takes a very conservative approach when looking for TrueCrypt volumes because the developer believes that it better to have a few false positives than false negatives as false positives can be easily dismissed if they are indeed false. Besides, according to the developer, many false positives usually turn out to be other forms of encrypted data, or in the worst case, files that contain random data.
TCHunt, however, cannot brute-force or break the TrueCrypt volumes, so you are safe on that ground.
TCHunt is available in several languages and runs on all Windows versions newer than Windows XP.