TCHunt - FAQ

Q. How do I use TCHunt?
A. Download TCHunt. If you download the source, compile it using one of the build scripts. Then execute TCHunt:

TCHunt -d /folder_to_search 2> /dev/null

Q. How would I run TCHunt against an EnCase E01 or dd forensic image?
A. Mount a copy of the image (read-only, behind a write-blocker, etc.) and then run TCHunt against the mounted files. There is no way to run TCHunt against the image file itself.

Q. How do I compile TCHunt?
A. For convenience, a pre-built Microsoft Windows executable is available for download. Linux, Mac and BSD users should download and compile from source. A modern C++ compiler (such as g++) and the Boost C++ libraries are required to compile TCHunt. The build scripts are straightforward and easy to follow. Microsoft Windows users may elect to build from source as well; just follow the build scripts.

Q. Can law enforcement determine if my hard drive is encrypted with TrueCrypt whole disk encryption?
A. Yes. It is trivial to determine this, and there are commercial tools written to do it.

Q. Can TCHunt break encryption or brute-force my password?
A. No.

Q. Can TCHunt differentiate between encrypted data and random data?
A. No. That is not possible. TCHunt locates files that have the four attributes listed below; that is all it does. Read the source code to see this for yourself. There is no magic.

Q. Can TCHunt locate encrypted sparse volumes?
A. Yes.

Q. Can TCHunt locate encrypted hidden volumes?
A. Yes. However, TCHunt cannot differentiate between a standard volume and a hidden one.

Q. Will TCHunt find encrypted volumes that lack file extensions or have fictitious file extensions?
A. Yes. TCHunt completely ignores file names and file extensions.

Q. Does it matter what version of TrueCrypt was used to create the encrypted volume?
A. No.

Q. TCHunt found all of my encrypted volumes. How does it work?
A. TCHunt searches for four (4) file attributes. This is all TCHunt does:
1. The suspect file size modulo 512 must equal zero.
2. The suspect file is at least 19 KB in size (although in practice this is set to 15 MB).
3. The suspect file contents pass a chi-square distribution test.
4. The suspect file must not contain a common file header.

Q. Does TCHunt run on Windows 7 and Windows 8?
A. Yes. Windows XP and newer Windows operating systems are supported.

Q. Why is 19 KB the minimum file size limit?
A. Because that is the legacy minimum size of a TrueCrypt volume.

Q. Why are mounted volumes not found?
A. Mounted volumes are self-evident.

Q. Why write a program such as TCHunt?
A. To demonstrate that, while encrypted volumes may be indistinguishable from random data created in one specific fashion, the volumes themselves can easily be distinguished from most other files on your system. Many people insist that their encrypted volumes are undetectable. I hope TCHunt will convince them otherwise, before they learn this fact the hard way. More importantly, you should never claim that an encrypted volume with an mp3 file extension (or whatever) is a corrupt file, etc. While that explanation may seem plausible to an average person, it will not stand up to forensic or legal scrutiny. Data corruption does not resemble AES-encrypted data. If disclosing the location of your encrypted volumes may lead to legal issues, then say nothing and contact a competent lawyer.

Q. Hey! TCHunt found some files that are not encrypted volumes (false positives). Why?
A. The algorithm may generate some false positives when testing millions of files. TCHunt takes a very conservative approach: I would rather have false positives than false negatives, as false positives can easily be dismissed if they are indeed false. Also, many false positives are either other forms of encrypted data (e.g. oembios.bin) or files that contain random data (e.g. the output of dd with /dev/urandom as input).

Q. Can TCHunt find encrypted files created by other software?
A. Yes.
So long as the files contain the TCHunt attributes listed above. Formatted FreeOTFE volumes are one example. PGP/GPG and OpenSSL encrypted files do not consistently contain the attributes, but may occasionally. In addition to encrypted files, PRNG output written to files with the attributes would be found too; using dd with /dev/urandom as input is one example.

Q. Can TCHunt produce a false negative (miss an actual encrypted volume)?
A. It is possible, but not probable. I've tested several million volumes. TCHunt has found all but a few of them. Should a volume happen to be created with a common file header (and that is a possibility), then TCHunt would not find that volume. Download my testing scripts and generate thousands of encrypted volumes for testing.

Q. Can TCHunt be executed from a floppy disk, USB drive or CD/DVD?
A. Yes.

Q. Does TCHunt have to be installed before I can use it?
A. No. TCHunt is a self-contained, standalone program. Just download it and then execute it. To remove TCHunt, delete the executable. That's it. TCHunt produces no registry entries or files (unless you explicitly redirect its output to a file).

Q. Does other software have to be installed before I can use TCHunt?
A. No. TCHunt does not require other software to operate.

Q. Does TCHunt connect to the Internet or phone home?
A. No. A network connection is not required to use TCHunt. If you are concerned about this, read the source code and use a packet sniffer such as Wireshark while running TCHunt.

Q. Is TCHunt free software? May I see the source code?
A. Yes.

Q. Why do you call it TCHunt?
A. If someone renamed your encrypted TrueCrypt volumes and hid them among millions of files of similar size, file extension, modification time, etc., TCHunt would quickly and accurately find the actual encrypted volumes. There can be false positives (as explained above), but they can easily be dismissed.

Note: If the encrypted volumes are hidden among files created from /dev/urandom via dd, they will not stand out.

Q. May I get a Linux version of TCHunt?
A. Yes. In addition to Microsoft Windows, TCHunt runs on Linux, Mac and BSD systems.
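The following is an added worked example, not TCHunt's own code, showing the four attributes from the "How does it work?" answer applied to constructed sample files, including the false-positive and false-negative cases discussed above (random data passes, a volume written with a common header is missed, structured or corrupted data fails the chi-square test). The FAQ does not give TCHunt's chi-square threshold, its list of common headers, or how much of each file it reads, so CHI2_MAX, COMMON_HEADERS and SAMPLE_BYTES below are assumptions of this example.

```python
"""Python re-implementation of the four file attributes described in the
TCHunt FAQ: size % 512 == 0, size >= 19 KB, contents pass a chi-square test,
no common file header. Added example, not TCHunt's own source."""
import os
import random
import sys

SECTOR = 512
MIN_SIZE = 19 * 1024       # legacy minimum TrueCrypt volume size (from the FAQ)
SAMPLE_BYTES = 64 * 1024   # assumption: only the head of each file is examined
CHI2_MAX = 330.0           # assumption: roughly the p=0.001 upper tail for 255 degrees of freedom

# Assumption: a short constructed list of well-known headers; the FAQ does not list TCHunt's.
COMMON_HEADERS = (
    b"MZ", b"\x7fELF", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"GIF8",
    b"PK\x03\x04", b"\x1f\x8b", b"RIFF", b"ID3", b"\xd0\xcf\x11\xe0", b"<?xml",
)


def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution
    (255 degrees of freedom). Encrypted or random data scores near 255; text,
    media and corrupted structured files score far higher."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def has_common_header(head: bytes) -> bool:
    return any(head.startswith(h) for h in COMMON_HEADERS)


def classify(size: int, head: bytes):
    """Apply the four attributes in order; returns (is_candidate, reason)."""
    if size < MIN_SIZE:
        return False, "smaller than 19 KB"
    if size % SECTOR != 0:
        return False, "size not a multiple of 512"
    if has_common_header(head):
        return False, "common file header"
    chi2 = chi_square(head)
    if chi2 > CHI2_MAX:
        return False, "failed chi-square test (chi2=%.1f)" % chi2
    return True, "candidate encrypted volume (chi2=%.1f)" % chi2


def classify_file(path: str):
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return classify(size, head)


def scan(root: str):
    """Walk a directory tree (the FAQ's `TCHunt -d /folder`) and yield candidates."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                ok, reason = classify_file(path)
            except OSError:
                continue  # unreadable file: skip, as a scanner over millions of files must
            if ok:
                yield path, reason


def uniform_bytes(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for volume contents: a flat byte histogram in shuffled
    order, so the chi-square result is deterministic (exactly 0.0)."""
    buf = bytearray(bytes(range(256)) * (n // 256))
    random.Random(seed).shuffle(buf)
    return bytes(buf)


# Constructed samples as (declared size, file head); each exercises one attribute.
SAMPLES = {
    "volume.dat":   (64 * 1024, uniform_bytes(64 * 1024)),                        # all four hold
    "notes.txt":    (64 * 1024, b"meeting notes..\n" * 4096),                      # text fails chi-square
    "photo.png":    (64 * 1024, b"\x89PNG\r\n\x1a\n" + uniform_bytes(64 * 1024)[8:]),  # header rules it out
    "odd_size.bin": (64 * 1024 + 1, uniform_bytes(64 * 1024)),                    # not sector aligned
    "tiny.bin":     (1024, uniform_bytes(1024)),                                  # below legacy minimum
}


def run_samples():
    return {name: classify(size, head) for name, (size, head) in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "-d":
        for path, reason in scan(sys.argv[2]):
            print(path, "-", reason)
    else:
        for name, (ok, reason) in run_samples().items():
            print("%-13s %s" % (name, reason))
```

Run without arguments to see the five constructed samples classified; run with `-d /folder` to walk a real directory. The photo.png sample illustrates the FAQ's false-negative case (random contents behind a common header are skipped), and the failing chi-square of notes.txt is why "it's just a corrupt mp3" does not hold up: corruption of structured data keeps its skewed byte histogram.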