My Road to Digital Forensics Excellence

Graphical Visualization of Truecrypt Volumes

Posted by Paul Bobby on November 4, 2008

Quick background. I was reading the following presentation, Visual Forensic Analysis and Reverse Engineering of Binary Data, which got me thinking about an approach to identify hidden volumes in Truecrypt containers. The following paper, Defeating Encrypted and Deniable File Systems, addresses some of the problems with information leakage and the current deniable file system solutions. The paper is unfortunately only based on Truecrypt 5.1a (even though the authors the release of v6.0 that addresses some of the problems), and no product such as PGP whole disk encryption etc.

Regardless, I wanted to apply the visual checks in the first paper against Truecrypt volumes to determine if the data is visually random. I will say up front that I did not expect any earth shattering discoveries, and I did not find any. But, I will the post data because it is interesting anyway.

Two visual components were used, Attractor Plots and Frequency counts. Attractor plots plot pairs of bytes on a graph with the x and y axes ranging from 0-255. See the above paper for some great examples. Frequency counts simply keep a running total of the appearance of each byte from 0-255. Theoretically, an encrypted file, containing random data per the algorithm chosen, the frequency of each individual byte should be 100/255 or 0.39% or as close to it as possible. The visual representation in the attractor plot should show no structure whatsoever.

I created the following test environment:

  1. Created a 1gb partition on an external drive
  2. Wiped the partition by writing 0xFF
  3. Using Truecrypt v6 created the following file-based truecrypt volumes within this partition
    1. Normal Volume, 64Mb, FAT called
    2. Hidden Volume, 64Mb, FAT outside with 16Mb Hidden FAT volume, called
    3. Hidden Volume, 64Mb, FAT outside with 16Mb Hidden NTFS volume, called
  4. For each container I mounted the volume
  5. In Encase, I added the drive and Copied/Unerased the Unallocated space to separate files, these are called
    1. FAT-Normal-Mounted-Unallocated.bin
    2. FAT-Hidden-FAT-Mounted-Unallocated.bin
    3. FAT-Hidden-NTFS-Mounted-Unallocated.bin

The intention is to determine the following:

  1. How do the truecrypt containers look visually?
  2. What is the frequency count within the container?
  3. Does the unallocated space of a mounted container retain randomness?
  4. Does the unallocated space of a mounted contained with a hidden volume retain randomness (remember the hidden volume is located within the unalllocated space of the mounted container)

Container Visualizations




There are a couple of spikes in the frequency graph, but the distribution is well spread. The graphs for the hidden containers show nothing to differentiate between containers with standard volumes and containers with hidden volumes (as designed by the software).

Unallocated Visualizations







Again, about the only thing that can be said is that this data is close to random, and signifies encryption. But beyond that, I can’t determine anything from this visual plot.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: