Requirements
- Windows XP
- TrueCrypt 6.x
TrueCrypt is an amazing piece of free and open-source encryption software. One of TrueCrypt's main features is the ability to encrypt an entire hard disk on which the Windows operating system has been installed.
There is currently no way to tell what sort of data is stored on a storage device that has been encrypted with TrueCrypt (short of knowing or having the passphrase, that is). However, TrueCrypt does leave behind some identifiable data, as seen in the screenshot below.
You should notice the plaintext “Missing operating system” in the screenshot; this text is the custom “error” message I'm using for when the machine boots. It is actually the password prompt, and most people will assume either that no operating system is installed or that the computer is simply not working anymore. The software used to view this drive (as seen in the screenshot) is called EnCase. EnCase is a very common forensic tool used by the public sector (law enforcement) and the private sector (corporations, private forensic investigators, etc.). If you ever find yourself on the receiving end of a computer investigation, it is very likely that the examiner will be using this software.
All other data on this drive cannot be identified as anything other than random patterns of bytes.
To add to this, the developers of TrueCrypt have added a feature that allows you to run two operating systems, each accessed with a different password. This lets you keep a hidden operating system for whatever it is you do that needs to be kept private. The other one, which you'll probably use to browse the news and watch YouTube videos of dancing dogs and laughing babies, is the one you would give up.
There is another option that can also be very effective. The TrueCrypt developers have added the ability to show a custom boot message during system startup, before you enter your password (remember, in the screenshot above I have done this). Normally you are greeted with the easily identifiable TrueCrypt boot loader screen, as seen below.
This feature lets you display a custom message in place of the TrueCrypt boot loader screen, such as “Operating system missing.” You can also enable or disable cursor movement for when keys are pressed on the keyboard. This could help you talk your way out of a tricky situation (e.g., “the computer stopped working like 3 months ago!”).
Examples of where this may save your ass include:
- Customs inspection when crossing borders
- FBI raid
- Someone jacks your laptop at the airport
- Many more… use your imagination
I will be covering this topic again in the near future. I have an idea but have not tested it or researched it yet. I’m guessing it is possible to modify the strings in the TrueCrypt boot loader on the hard disk with a hex editor (see the first screenshot). If this is possible, then you could modify the text (i.e. TrueCrypt Boot Loader) to disguise or mask it from screaming to an examiner that this drive has been encrypted with TrueCrypt.
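Seen from the examiner's side of the desk, the custom message only changes the one plaintext string the post talks about; it does nothing to the rest of the drive, which (as noted above) reads as random bytes. The script below is an added example, not code from the post or from TrueCrypt. It runs the two checks a forensic triage would combine: a search for the marker strings named in the post (“TrueCrypt Boot Loader”, “Missing operating system”, “Operating system missing”) and a per-window Shannon entropy measurement that flags ciphertext regardless of what the boot sector says. The disk image it scans is constructed inline and is a simplified stand-in, not a real TrueCrypt on-disk layout: one boot sector carrying the message, a few zero-filled loader sectors, then pseudo-random bytes in place of the encrypted system partition. The `HIGH_ENTROPY` threshold and 4 KiB window size are choices made here, not values from the post.

```python
"""Forensic triage of a raw disk image for full-disk-encryption indicators.

Added example (not TrueCrypt's code and not the post's). It searches for the
plaintext markers the post describes and measures per-window Shannon entropy,
because encrypted sectors look like uniformly random bytes no matter which
boot message is displayed.
"""
import math
import random
from collections import Counter

SECTOR = 512
CHUNK = 4096          # 8 sectors per entropy window; small enough to localise the boundary
HIGH_ENTROPY = 7.0    # bits/byte; uniform random 4 KiB windows score ~7.9, text/zero padding far lower

# Plaintext strings from the post that an examiner would search for.
MARKERS = (
    b"TrueCrypt Boot Loader",
    b"Missing operating system",
    b"Operating system missing",
)


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_markers(image: bytes, markers=MARKERS):
    """Return sorted (offset, marker) pairs for every occurrence of each marker string."""
    hits = []
    for marker in markers:
        pos = image.find(marker)
        while pos != -1:
            hits.append((pos, marker.decode("ascii")))
            pos = image.find(marker, pos + 1)
    return sorted(hits)


def entropy_profile(image: bytes, chunk: int = CHUNK):
    """Entropy of each chunk-sized window of the image, in disk order."""
    return [shannon_entropy(image[i:i + chunk]) for i in range(0, len(image), chunk)]


def triage(image: bytes) -> dict:
    """Summarise the indicators: marker hits, share of high-entropy windows, and the
    offset of the first high-entropy window (a candidate start of the encrypted region)."""
    profile = entropy_profile(image)
    high = [i for i, h in enumerate(profile) if h >= HIGH_ENTROPY]
    return {
        "markers": find_markers(image),
        "high_entropy_fraction": len(high) / len(profile) if profile else 0.0,
        "first_high_entropy_offset": high[0] * CHUNK if high else None,
    }


def build_sample_image(boot_message: bytes, cipher_sectors: int = 64, seed: int = 1) -> bytes:
    """Constructed sample, NOT a real TrueCrypt layout: one boot sector carrying the
    message and a 0x55AA signature, seven zero-filled sectors standing in for the rest
    of the loader area, then seeded pseudo-random bytes standing in for the encrypted
    system partition."""
    boot = boot_message.ljust(SECTOR - 2, b"\x00") + b"\x55\xaa"
    loader_pad = bytes(SECTOR * 7)
    ciphertext = random.Random(seed).randbytes(SECTOR * cipher_sectors)
    return boot + loader_pad + ciphertext


if __name__ == "__main__":
    # Default banner versus the post's custom message: the marker hit changes,
    # the entropy picture does not.
    for msg in (b"TrueCrypt Boot Loader", b"Missing operating system"):
        print(msg.decode(), "->", triage(build_sample_image(msg)))
```

Point it at a real image by reading the file into `image` (or adapting `entropy_profile` to stream windows from a file handle) instead of calling `build_sample_image`. The useful output is the entropy profile, not the string hits: a drive whose windows sit near 8 bits/byte from a fixed offset onward is either encrypted, wiped with random data, or holding compressed data, and distinguishing those is the examiner's next step; the boot message is only a hint either way.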