TCHunt is a small portable application that can be used to find encrypted True Crypt volumes on the system. It has been specifically designed to demonstrate the possibility of finding True Crypt volumes even if they are not mounted and well disguised by the user. With True Crypt, it is possible to encrypt a partition of a hard drive, or a specific amount of storage space which is stored in a container file on a storage device.
These volumes can have sizes from 19 Kilobytes onwards and completely arbitrary file names and extensions. The program has been designed to show that it is possible to identify those True Crypt containers even if they are reasonable small and disguised by the user. It is more or less impossible to verify the existence of a True Crypt container without technical help unless the container itself is rather large or placed in a location where it can be easily identified. While it is possible to analyze each possible container file on a system, it would take a very long time to do so.
TCHunt scans a select folder or partition on the computer for the following four attributes that are part of every TrueCrypt volume:
- The suspect file size modulo 512 must equal zero.
- The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).
- The suspect file contents pass a chi-square distribution test.
- The suspect file must not contain a common file header.
You need to accept the terms of service on start before you can use the folder browser to select a root folder for the scan. The application scans all files based on the attributes above and reports its findings back in the program interface. Not all files that are found are True Crypt containers, but you can be sure that all True Crypt containers stored under the selected root folder are found during the scan.
The program ignores the file name and extension completely, which many True Crypt users use to disguise the volume on the computer system. The program can also be helpful if you forgot where you placed your own True Crypt volume on a system, as it can reveal that location to you.
TCHunt demonstrates that it is possible to detect True Crypt volumes even if they are not mounted on the system. It stops here however, as it cannot brute force or bypass the encryption itself. True Crypt users should take note that it is possible to detect those volumes, and the True Crypt developers should consider randomizing the volumes if possible to avoid that detection.
True Crypt Hunt is available for the Windows operating system. The source code of the program is available for download on the website as well. According to the developer's site the program is only compatible with Windows 7.
Update: The program ships as a command line tool now and no longer with its own interface. You need to run it from the Windows command prompt and use the following options to start a search:
- -d directory The directory you want searched, e.g. -d c:\ to scan drive c
- -h displays the help
- -v prints verbose output
Versions for Linux and Mac are also available, but they need to be compiled from source.