TCHunt - FAQ

Q. How do I use TCHunt?
A. Download TCHunt. If you download the source, compile it using one of the build scripts. Then execute TCHunt: TCHunt -d /folder_to_search 2> /dev/null.

Q. How would I run TCHunt against an Encase E01 or dd forensic image?
A. Mount a copy of the image (read-only, write-blocker, etc.) and then run TCHunt against the files. There is no way to run TCHunt against the image itself.

Q. How do I compile TCHunt?
A. For convenience, a pre-built Microsoft Windows executable is available for download. However, Linux, Mac and BSD users should download and compile from source. A modern C++ compiler (such as g++) and the Boost C++ libraries are required to compile TCHunt. The build scripts are straightforward and easy to follow. Microsoft Windows users may elect to build from source as well. It's easy. Just follow the build scripts.

Q. Can law enforcement determine if my hard drive is encrypted with TrueCrypt whole disk encryption?
A. Yes. It's trivial to determine this. There are commercial tools written to do it.

Q. Can TCHunt break encryption or brute-force my encrypted password?
A. No.

Q. Can TCHunt differentiate between encrypted data and random data?
A. No. That's not possible. TCHunt locates files that have the four attributes listed below. That's all it does. Please read the source code to see this for yourself. There is no magic.

Q. Can TCHunt locate encrypted sparse volumes?
A. Yes.

Q. Can TCHunt locate encrypted hidden volumes?
A. Yes. However, TCHunt cannot differentiate between a standard volume and a hidden one.

Q. Will TCHunt find encrypted volumes that lack file extensions or have fictitious file extensions?
A. Yes. TCHunt completely ignores file names and file extensions.

Q. Does it matter what version of TrueCrypt was used to create the encrypted volume?
A. No.

Q. TCHunt found all of my encrypted volumes. How does it work?
A. TCHunt searches for four (4) file attributes. This is all TCHunt does:
1. The suspect file size modulo 512 must equal zero.
2. The suspect file size is at least 19 KB (although in practice this is set to 15 MB).
3. The suspect file contents pass a chi-square distribution test.
4. The suspect file must not contain a common file header.
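The four attributes above, worked through as a small Python check (an added example, not TCHunt's own code). The chi-square threshold, the short list of "common file headers" and the fact that the whole file is tested are assumptions made for the demo; the real tool's values and header list may differ.

```python
import hashlib

SECTOR = 512
MIN_SIZE = 19 * 1024          # legacy minimum TrueCrypt volume size per the FAQ
CHI_SQUARE_MAX = 350.0        # assumption: roughly the 99.99th percentile for 255 degrees of freedom
# Constructed subset of "common file headers"; the real tool's list is longer.
COMMON_HEADERS = [b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"PK\x03\x04", b"%PDF-",
                  b"\x7fELF", b"MZ", b"\x1f\x8b", b"GIF8", b"SQLite format 3\x00"]

def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def classify(data: bytes) -> str:
    """Return 'candidate' if all four attributes hold, else name the attribute that failed."""
    size = len(data)
    if size % SECTOR != 0:
        return "size not a multiple of 512"
    if size < MIN_SIZE:
        return "smaller than 19 KB"
    if any(data.startswith(h) for h in COMMON_HEADERS):
        return "common file header"
    if chi_square(data) > CHI_SQUARE_MAX:
        return "byte distribution not uniform"
    return "candidate"

def pseudo_random(n: int, seed: bytes = b"tchunt-demo") -> bytes:
    """Deterministic uniform-looking bytes (SHA-256 in counter mode) so the demo is repeatable."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

# Constructed samples: a volume-like blob with a misleading extension, the same kind of
# blob behind a PNG header, a zero-filled file, and a random file one byte too long.
SAMPLES = {
    "volume.mp3": pseudo_random(64 * 1024),
    "photo.png": b"\x89PNG\r\n\x1a\n" + pseudo_random(64 * 1024 - 8),
    "zeros.bin": bytes(64 * 1024),
    "odd.bin": pseudo_random(64 * 1024 + 1),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(data)}")
```

Only "volume.mp3" is reported as a candidate; the PNG-headed file shows the false-negative case the FAQ mentions, and the zero-filled file shows why corrupt or padded data does not pass for encrypted data.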
Q. Does TCHunt run on Windows 7 and Windows 8?
A. Yes. Windows XP or newer Windows operating systems are supported.

Q. Why is 19 KB the minimum file size limit?
A. Because that is the legacy minimum size of a TrueCrypt volume.

Q. Why are mounted volumes not found?
A. Mounted volumes are self-evident.

Q. Why write a program such as TCHunt?
A. To demonstrate that, while encrypted volumes may be indistinguishable from random data created in one specific fashion, the volumes themselves can be easily distinguished from most other files on your system. Many people insist that their encrypted volumes are undetectable. I hope TCHunt will convince them otherwise, before they learn this fact the hard way. More importantly, you should never claim that an encrypted volume with an mp3 file extension (or whatever) is a corrupt file, etc. While that explanation may seem plausible to an average person, it will not stand up to forensic or legal scrutiny. Data corruption does not resemble AES encrypted data. If disclosing the location of your encrypted volumes may lead to legal issues, then say nothing and contact a competent lawyer.

Q. Hey! TCHunt found some files that are not encrypted volumes (false positives). Why?
A. The algorithm may generate some false positives when testing millions of files. TCHunt takes a very conservative approach. I'd rather have false positives than false negatives, as false positives can be easily dismissed if they are indeed false. Also, many false positives are either other forms of encrypted data (e.g. oembios.bin) or files that contain random data (e.g. dd with /dev/urandom as input).

Q. Can TCHunt find encrypted files created by other software?
A. Yes, so long as the files contain the TCHunt attributes listed above. Formatted FreeOTFE volumes are one example. PGP/GPG and openssl encrypted files do not consistently create files that contain the attributes, but may occasionally. In addition to encrypted files, PRNGs that produce files with the attributes would be found too. Using dd with /dev/urandom as input is one example.

Q. Can TCHunt produce a false negative (miss an actual encrypted volume)?
A. It's possible, but not probable. I've tested several million volumes. TCHunt has found all but a few of them. Should a volume happen to be created with a common file header (and that is a possibility), then TCHunt would not find that volume. Download my testing scripts and generate thousands of encrypted volumes for testing.

Q. Can TCHunt be executed from a floppy disk, USB drive or CD/DVD?
A. Yes.

Q. Does TCHunt have to be installed before I can use it?
A. No. TCHunt is a self-contained, standalone program. Just download and then execute it. To remove TCHunt, delete the executable. That's it. There are no registry entries or files produced by TCHunt (unless you explicitly redirect output to a file).

Q. Does other software have to be installed before I can use TCHunt?
A. No. TCHunt does not require other software to operate.

Q. Does TCHunt connect to the Internet or phone home?
A. No. A network connection is not required to use TCHunt. If you are concerned about this, read the source code and use a packet sniffer such as Wireshark while using TCHunt.

Q. Is TCHunt free software? May I see the source code?
A. Yes.

Q. Why do you call it TCHunt?
A. If someone renamed your encrypted TrueCrypt volumes and hid them among millions of files of similar size, file extension, modification time, etc., TCHunt would quickly and accurately find the actual encrypted volumes. There can be false positives (as explained above), but they can be easily dismissed. Note: if the encrypted volumes are hidden among /dev/urandom-created files made via dd, they will not stand out.

Q. May I get a Linux version of TCHunt?
A. Yes. In addition to Microsoft Windows, TCHunt runs on Linux, Mac and BSD systems.

End