Disguising True Crypt Volumes In MP4 Videos

Martin Brinkmann
Apr 12, 2011
Updated • Dec 16, 2012
Encryption, Security

I reviewed TCHunt yesterday, a free program that scans a computer system for unmounted True Crypt containers. The program can be used to prove the existence of an encrypted container on one of the connected storage devices. What it cannot do is decrypt the data, but proof of the existence of an encrypted volume may be enough to get you into trouble.

It was only a matter of time until someone came up with a concept to hide the existence of a True Crypt volume on the computer. A method was described in detail in February, months before the release of the TCHunt application.

TCSteg basically hides the True Crypt container inside an MP4 video file. Even better, that MP4 video is still playable, which makes it more plausible that the file is indeed just a video and not the host of an encrypted True Crypt volume.


There are still some limitations though, for instance a maximum file size of 4 Gigabytes, or the fact that someone who monitors the bitrate of the video could identify the manipulation. The method does, however, make it less likely that someone will find the hidden True Crypt container on the system, as it renders software such as TCHunt useless.
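The bitrate limitation can be checked mechanically: read the duration the MP4 declares in its `moov`/`mvhd` box and compare it with the size of the file. The following is an added example, not code from TCSteg or TCHunt; the `max_kbps` threshold and the two sample files are constructed for illustration.

```python
import struct

def iter_boxes(buf, start=0, end=None):
    """Yield (type, payload_start, box_end) for each ISO BMFF box in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                        # 64-bit "largesize" follows the type
            if pos + 16 > end:
                return
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                      # box runs to the end of the container
            size = end - pos
        if size < header or pos + size > end:
            return                           # malformed or truncated box: stop parsing
        yield kind.decode("latin-1"), pos + header, pos + size
        pos += size

def movie_duration_seconds(buf):
    """Return duration/timescale from moov/mvhd, or None if there is no such box."""
    for kind, body, stop in iter_boxes(buf):
        if kind != "moov":
            continue
        for sub, sbody, _ in iter_boxes(buf, body, stop):
            if sub == "mvhd":
                # version 1 stores 64-bit times, version 0 stores 32-bit times
                fmt, off = (">IQ", 20) if buf[sbody] == 1 else (">II", 12)
                timescale, duration = struct.unpack_from(fmt, buf, sbody + off)
                return duration / timescale if timescale else None
    return None

def audit(buf, max_kbps=20000):
    """Flag a file whose size implies an implausible average bitrate (threshold assumed)."""
    secs = movie_duration_seconds(buf)
    if not secs:
        return None
    kbps = len(buf) * 8 / secs / 1000
    return {"seconds": secs, "kbps": round(kbps), "suspicious": kbps > max_kbps}

def box(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample(mdat_len, seconds):
    """Constructed minimal MP4: ftyp + zero-filled mdat + moov holding a version 0 mvhd."""
    mvhd = box(b"mvhd", bytes(4) + struct.pack(">IIII", 0, 0, 1000, seconds * 1000) + bytes(80))
    return box(b"ftyp", b"isom" + bytes(4) + b"isom") + box(b"mdat", bytes(mdat_len)) + box(b"moov", mvhd)

if __name__ == "__main__":
    print(audit(sample(250_000, 2)))         # ordinary size for a 2 second clip
    print(audit(sample(10_000_000, 2)))      # same duration, 40 times the data
```

A sensible threshold depends on the resolution and codec of the video, so a result of `suspicious` is a reason to look closer at the file, not proof that it holds a volume.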

The method combines the MP4 file with the True Crypt container, or to be more precise, the hidden volume of the True Crypt container. You may remember that you can create a hidden volume inside a True Crypt container for that extra bit of security. Exactly that volume is used for the process; the outer volume will not be used at all.

A Python script has been created that handles all the file merging; you can download it from the developer website. You also need a solid-quality MP4 video file that is encoded efficiently to make the combined file size more plausible.

You then create a True Crypt container and a hidden volume and give it a .mp4 name. You should follow the instructions on the developer site to the letter for maximum efficiency, for instance to select a plausible total size for the True Crypt volume and to select the maximum possible size for the hidden volume.

You run the Python script with the following command:

python tcsteg.py RealVideo.mp4 TrueCryptContainer.mp4

where RealVideo.mp4 is the MP4 video that you want to use for the disguise, and TrueCryptContainer.mp4 is the encrypted True Crypt container.

Windows users need to first install Python before they can run the Python script.

The process combines the two files, and the end result should be that you can still play the resulting file in a video player and that you can mount the hidden True Crypt volume inside that video.

Additional instructions and the Python script are available at the developer's website.


Comments

  1. help said on March 17, 2012 at 10:36 pm

    i get this error:

    python tcsteg.py Snake.mp4 DeadSnake.mp4

    SyntaxError: incorrect syntax

  2. P,Dant said on April 14, 2011 at 1:48 pm

    (This may be a duplicate: the last one hasn’t appeared)
    Your first statement indicates that while TCH won’t produce false negatives (i.e. it won’t miss TC volumes), it may produce false positives (i.e. it may flag files, some or all of which aren’t TC volumes).

    So how can TCH *prove* the existence of a TC volume, when some or all of its results may be false positives?

    In your own example: https://www.ghacks.net/wp-content/uploads/2011/04/tchunt.png , how can TCH *prove* that one or more of those zip files are, or are not, TC volumes?

    Perhaps there are then other tools for, or ways of, examining suspect files to prove if they’re TC volumes, but TCH can’t do so (or if it can, you omitted that capability in your review).

    1. Martin Brinkmann said on April 14, 2011 at 1:50 pm

      Well what I meant is that it will find all TC volumes on the system. You are right that the tool cannot differentiate between false positives and positives, but you could further analyze the file to find out. That way, you won’t miss a single TC volume on the system.

      1. BillRM said on April 15, 2011 at 6:47 pm

        You can analyze to the ends of time with any software you might wish to employ and all you can do is prove that some file is full of seemingly completely random numbers and may or may not be a truecrypt volume.

  3. Thomas said on April 13, 2011 at 4:24 pm

    Really cool. I like the idea to be always a step ahead or a bit smarter.

  4. Crodol said on April 13, 2011 at 7:43 am

    Thanks for the follow up.
    I already feared that the bad guys win….

  5. P.Dant said on April 13, 2011 at 3:40 am

    Yesterday you said about TCHunt :-

    “Not all files that are found are True Crypt containers, but you can be sure that all True Crypt containers stored under the selected root folder are found during the scan.”

    And today :-

    “I have reviewed TCHunt yesterday, a free program to scan a computer system for unmounted True Crypt containers. The program can be used to prove the existence of an encrypted container on a one of the connected storage devices.”

    Those two statements can’t both be true …

    1. Martin Brinkmann said on April 13, 2011 at 9:42 am

      What makes you think that?

  6. bastik said on April 12, 2011 at 8:23 pm

    Indeed something that makes it harder to find the container. Nice tool.
