From ForensicsWiki
Revision as of 12:45, 17 December 2007 by Cmihai (Talk | contribs) (Keyfiles, plausible deniability.)

Jump to: navigation, search

TrueCrypt is an open source program to create and mount virtual encrypted disks in Windows Vista/XP/2000 and Linux. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms (AES-256, Serpent and Twofish).

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.


The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

The existence of a FAT volume may be an indication of the existence of hidden volumes (a hidden volume can only be created within a FAT TrueCrypt volume).

External Links