I have reviewed TCHunt yesterday, a free program to scan a computer system for unmounted True Crypt containers. The program can be used to prove the existence of an encrypted container on a one of the connected storage devices. What it cannot do is to decrypt the data, but proof of existence of an encrypted volume may be enough to get you into troubles.
It was only a matter of time until someone came up with a concept to hide the existence of a True Crypt volume on the computer. A method has been described in detail in February, months before the release of the TCHunt application.
TCSteg basically hides the True Crypt container inside a MP4 video file. Even better, that mp4 video is still playable which makes it more plausible that the file is indeed just a video and not host for an encrypted True Crypt volume.
There are still some limitations though, for instance a limitation to a maximum file size of 4 Gigabytes, or the fact that someone who would monitor the bitrate of the video could identify the manipulation. The method however makes it a less likely that someone will find the hidden True Crypt container on the system, as it renders software such as TCHunt useless.
The method combines the mp4 file with the True Crypt container, or to be more precise, the hidden volume of the True Crypt container. You may remember that you can create a hidden volume inside a True Crypt container for that extra bit of security? Exactly that volume is used for the process, the outer volume will not be used at all.
A Python script has been created that handles all the file merging, you can download it from the developer website. You also need a solid quality mp4 video file that's encoded efficiently to make the combined file size more plausible.
You then create a True Crypt container and a hidden volume and give it a .mp4 name. You should follow the instructions on the developer site to the letter for maximum efficiency, for instance to select a plausible total size for the True Crypt volume and to select the maximum possible size for the hidden volume.
You run the Python script with the following command
python tcsteg.py RealVideo.mp4 TrueCryptContainer.mp4
where RealVideo.mp4 is the mp4 video that you want to use for the disguise, and TrueCryptcontainer.mp4 the encrypted True Crypt container.
Windows users need to first install Python before they can run the Python script.
The process combines the two files, and the end result should be that you can still play the resulting file in a video player and that you can mount the hidden True Crypt volume inside that video.
Additional instructions and the Python script are available at the developer's website.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.