TCHunt, Search For TrueCrypt Volumes
TCHunt is a small portable application that can be used to find encrypted True Crypt volumes on the system. It has been specifically designed to demonstrate the possibility of finding True Crypt volumes even if they are not mounted and well disguised by the user. With True Crypt, it is possible to encrypt a partition of a hard drive, or a specific amount of storage space which is stored in a container file on a storage device.
These volumes can have sizes from 19 Kilobytes onwards and completely arbitrary file names and extensions. The program has been designed to show that it is possible to identify those True Crypt containers even if they are reasonable small and disguised by the user. It is more or less impossible to verify the existence of a True Crypt container without technical help unless the container itself is rather large or placed in a location where it can be easily identified. While it is possible to analyze each possible container file on a system, it would take a very long time to do so.
TCHunt scans a select folder or partition on the computer for the following four attributes that are part of every TrueCrypt volume:
- The suspect file size modulo 512 must equal zero.
- The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).
- The suspect file contents pass a chi-square distribution test.
- The suspect file must not contain a common file header.
You need to accept the terms of service on start before you can use the folder browser to select a root folder for the scan. The application scans all files based on the attributes above and reports its findings back in the program interface. Not all files that are found are True Crypt containers, but you can be sure that all True Crypt containers stored under the selected root folder are found during the scan.
The program ignores the file name and extension completely, which many True Crypt users use to disguise the volume on the computer system. The program can also be helpful if you forgot where you placed your own True Crypt volume on a system, as it can reveal that location to you.
TCHunt demonstrates that it is possible to detect True Crypt volumes even if they are not mounted on the system. It stops here however, as it cannot brute force or bypass the encryption itself. True Crypt users should take note that it is possible to detect those volumes, and the True Crypt developers should consider randomizing the volumes if possible to avoid that detection.
True Crypt Hunt is available for the Windows operating system. The source code of the program is available for download on the website as well. According to the developer's site the program is only compatible with Windows 7.
Update: The program ships as a command line tool now and no longer with its own interface. You need to run it from the Windows command prompt and use the following options to start a search:
- -d directory The directory you want searched, e.g. -d c:\ to scan drive c
- -h displays the help
- -v prints verbose output
Versions for Linux and Mac are also available, but they need to be compiled from source.
Advertisement
please explain “X2_random” 231.69,
and why it show no_header:
on a file that is a tc container. thanks
unfortunately this article is being sited frequently as a “truecrypt is broken” reference. Let me be very clear, it is not. Essentially this program allows a user to find lots of files, some TC volumes, some not, which have some characteristics that TC volumes also have. It also will not pick up some TC volumes (such as the mentioned mp4 hide). Further, it can tell nothing about the “volume” (ie are you taking advantage of PD?).
So… basically you have false negatives and false positives and gain no actual new data about the files, which your not sure even ARE tc volumes.
Its mildly interesting, but no, TC remains un-fased. I think the article is only relevant academically, if you see this please stop with the chicken little linking.
If you open a true crypted file in a hex editor, add a few bytes to the end, save it, it will still open and no longer be detectable by TC Hunt.
“True Crypt developers should consider randomizing the volumes”
I think you have a bit of a misunderstanding about what a TrueCrypt volume is. It’s already “randomized.” A TrueCrypt volume is a file whose entire contents look like random data. Not even a header. The reason it’s recognizable to TCHunt is that it’s pretty unusual for a file to look like random noise. But you can never be certain what that random-noise file is. (In fact, it looks like you have a few false positives in your screenshot here.)
So yeah, it’s pretty simple to be pretty sure that a file is encrypted with something like TrueCrypt. But it’s still impossible to positively identify TrueCrypt volumes.
Would I be correct in saying that this program will not find the truecrypt file if it is hidden inside an mp4 video file? I would test it myself, but alas, I do not have access to a windows machine.
Blah yes that is correct.
I’m afraid. First I’m the first to comment this. Secondly there’s an impact on my safety feeling. Well I used TC (and still use it, in terms of “there’s still a container on my system”) and build up much trust, which is not damaged at all, but it’s still something that changes something.
I guessed before that something that looks random (that’s what the “chi-square distribution test” should be there for) and does not behave like a normal file (not contain a common file header) may be revealed. On top of that there are two other characteristics which are fingerprints of such a container.
Maybe the developers of TrueCrypt find a way to work around that. (BTW: I saw your review about the tool to “hide” the container.)
However I got taught that even if one knows where a container is located it can’t be opened. I still believe in Security through Obscurity to some small degree.