TCHunt is a small portable application that can be used to find encrypted True Crypt volumes on the system. It has been specifically designed to demonstrate the possibility of finding True Crypt volumes even if they are not mounted and well disguised by the user. With True Crypt, it is possible to encrypt a partition of a hard drive, or a specific amount of storage space which is stored in a container file on a storage device.
These volumes can have sizes from 19 Kilobytes onwards and completely arbitrary file names and extensions. The program has been designed to show that it is possible to identify those True Crypt containers even if they are reasonable small and disguised by the user. It is more or less impossible to verify the existence of a True Crypt container without technical help unless the container itself is rather large or placed in a location where it can be easily identified. While it is possible to analyze each possible container file on a system, it would take a very long time to do so.
TCHunt scans a select folder or partition on the computer for the following four attributes that are part of every TrueCrypt volume:
- The suspect file size modulo 512 must equal zero.
- The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).
- The suspect file contents pass a chi-square distribution test.
- The suspect file must not contain a common file header.
You need to accept the terms of service on start before you can use the folder browser to select a root folder for the scan. The application scans all files based on the attributes above and reports its findings back in the program interface. Not all files that are found are True Crypt containers, but you can be sure that all True Crypt containers stored under the selected root folder are found during the scan.
The program ignores the file name and extension completely, which many True Crypt users use to disguise the volume on the computer system. The program can also be helpful if you forgot where you placed your own True Crypt volume on a system, as it can reveal that location to you.
TCHunt demonstrates that it is possible to detect True Crypt volumes even if they are not mounted on the system. It stops here however, as it cannot brute force or bypass the encryption itself. True Crypt users should take note that it is possible to detect those volumes, and the True Crypt developers should consider randomizing the volumes if possible to avoid that detection.
True Crypt Hunt is available for the Windows operating system. The source code of the program is available for download on the website as well. According to the developer’s site the program is only compatible with Windows 7.
Related Articles:
Resize TrueCrypt Volumes With ExtcvDisguising True Crypt Volumes In MP4 Videos
Disk Encryption Software TrueCrypt 7.1a Released
Disk Encryption Software TrueCrypt 6.3 Released
Disk Catalog Software Virtual Volumes View
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook, Twitter or Google+ using the icons below.
I’m afraid. First I’m the first to comment this. Secondly there’s an impact on my safety feeling. Well I used TC (and still use it, in terms of “there’s still a container on my system”) and build up much trust, which is not damaged at all, but it’s still something that changes something.
I guessed before that something that looks random (that’s what the “chi-square distribution test” should be there for) and does not behave like a normal file (not contain a common file header) may be revealed. On top of that there are two other characteristics which are fingerprints of such a container.
Maybe the developers of TrueCrypt find a way to work around that. (BTW: I saw your review about the tool to “hide” the container.)
However I got taught that even if one knows where a container is located it can’t be opened. I still believe in Security through Obscurity to some small degree.
Would I be correct in saying that this program will not find the truecrypt file if it is hidden inside an mp4 video file? I would test it myself, but alas, I do not have access to a windows machine.
Blah yes that is correct.
“True Crypt developers should consider randomizing the volumes”
I think you have a bit of a misunderstanding about what a TrueCrypt volume is. It’s already “randomized.” A TrueCrypt volume is a file whose entire contents look like random data. Not even a header. The reason it’s recognizable to TCHunt is that it’s pretty unusual for a file to look like random noise. But you can never be certain what that random-noise file is. (In fact, it looks like you have a few false positives in your screenshot here.)
So yeah, it’s pretty simple to be pretty sure that a file is encrypted with something like TrueCrypt. But it’s still impossible to positively identify TrueCrypt volumes.
If you open a true crypted file in a hex editor, add a few bytes to the end, save it, it will still open and no longer be detectable by TC Hunt.