http://16s.us/software/TCHunt/tchunt_faq.txt

a guest
May 7th, 2014
TCHunt - FAQ

Q. How do I use TCHunt?

A. Download TCHunt. If you download the source, compile it using one of the build
scripts. Then, execute TCHunt: TCHunt -d /folder_to_search 2> /dev/null.


Q. How would I run TCHunt against an Encase E01 or dd forensic image?

A. Mount a copy of the image (read-only, behind a write-blocker, etc.) and then run
TCHunt against the files. There is no way to run TCHunt against the image
itself.


Q. How do I compile TCHunt?

A. For convenience, a pre-built Microsoft Windows executable is available for
download. However, Linux, Mac and BSD users should download and compile from
source. A modern C++ compiler (such as g++) and the Boost C++ libraries are
required to compile TCHunt. The build scripts are straightforward and easy to
follow. Microsoft Windows users may elect to build from source as well. It's
easy. Just follow the build scripts.


Q. Can law enforcement determine if my hard drive is encrypted with TrueCrypt
whole disk encryption?

A. Yes. It's trivial to determine this. There are commercial tools written to
do it.


Q. Can TCHunt break encryption or brute-force my encrypted password?

A. No.


Q. Can TCHunt differentiate between encrypted data and random data?

A. No. That's not possible. TCHunt locates files that have the four attributes
listed below. That's all it does. Please read the source code to see this for
yourself. There is no magic.


Q. Can TCHunt locate encrypted sparse volumes?

A. Yes.


Q. Can TCHunt locate encrypted hidden volumes?

A. Yes. However, TCHunt cannot differentiate between a standard volume and a
hidden one.


Q. Will TCHunt find encrypted volumes that lack file extensions or have
fictitious file extensions?

A. Yes. TCHunt completely ignores file names and file extensions.


Q. Does it matter what version of TrueCrypt was used to create the encrypted
volume?

A. No.


Q. TCHunt found all of my encrypted volumes. How does it work?

A. TCHunt searches for four (4) file attributes. This is all TCHunt does:

1. The suspect file size modulo 512 must equal zero.
2. The suspect file is at least 19 KB in size (although in practice the
threshold is set to 15 MB).
3. The suspect file contents pass a chi-square distribution test.
4. The suspect file must not contain a common file header.
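The following is an added Python sketch, not TCHunt's own code, that applies the four attributes above to a file's size and leading bytes. The magic-byte list, the 4096-byte sample window and the chi-square threshold (the p = 0.001 critical value for 255 degrees of freedom, roughly 330.5) are assumptions made for this example; TCHunt's actual values are in its source. The balanced_sample helper is a constructed stand-in for ciphertext. Running it also illustrates the point made elsewhere in the FAQ: bytes read from /dev/urandom satisfy exactly the same four checks, so the test cannot tell encrypted data from random data.

```python
import os
import random

# Constructed list of common file headers (magic bytes) for the fourth check.
# This list is an assumption for the example; TCHunt ships its own in source.
COMMON_HEADERS = [
    b"\x89PNG\r\n\x1a\n",      # PNG
    b"\xff\xd8\xff",           # JPEG
    b"PK\x03\x04",             # ZIP, OOXML, JAR
    b"%PDF-",                  # PDF
    b"\x7fELF",                # ELF executable
    b"MZ",                     # DOS/PE executable
    b"GIF8",                   # GIF
    b"ID3",                    # MP3 with an ID3 tag
    b"Rar!\x1a\x07",           # RAR
    b"\x1f\x8b",               # gzip
    b"SQLite format 3\x00",    # SQLite
]

MIN_SIZE = 19 * 1024   # legacy minimum TrueCrypt volume size given in the FAQ (19 KB)
SAMPLE_SIZE = 4096     # bytes of the file head fed to the chi-square test (assumption)
# Approximate chi-square critical value for 255 degrees of freedom at p = 0.001.
# TCHunt's real threshold lives in its source; this value is an assumption.
CHI_SQUARE_LIMIT = 330.5


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    Uniformly random input scores close to its 255 degrees of freedom; text,
    images and most other file types score far higher.
    """
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def has_common_header(head: bytes) -> bool:
    """Fourth attribute: does the file start with a well-known magic value?"""
    return any(head.startswith(magic) for magic in COMMON_HEADERS)


def classify(size: int, head: bytes) -> dict:
    """Apply the four FAQ attributes to a file's size and its leading bytes."""
    stat = chi_square_uniform(head[:SAMPLE_SIZE])
    checks = {
        "size_mod_512": size % 512 == 0,
        "min_size": size >= MIN_SIZE,
        "chi_square_ok": stat <= CHI_SQUARE_LIMIT,
        "no_common_header": not has_common_header(head),
    }
    checks["chi_square"] = stat
    checks["candidate"] = all(
        checks[k] for k in ("size_mod_512", "min_size", "chi_square_ok", "no_common_header")
    )
    return checks


def scan_file(path: str) -> dict:
    """Read only the size and the first SAMPLE_SIZE bytes, as a scanner would."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(SAMPLE_SIZE)
    return classify(size, head)


def balanced_sample(n: int = SAMPLE_SIZE, seed: int = 1) -> bytes:
    """Constructed stand-in for ciphertext: every byte value occurs n/256 times
    in a shuffled order, so its chi-square statistic is exactly 0.0."""
    buf = bytearray(range(256)) * (n // 256)
    random.Random(seed).shuffle(buf)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed inputs: a volume-like file, plain text, a PNG, and /dev/urandom output.
    samples = [
        ("volume-like", classify(20 * 1024, balanced_sample())),
        ("text", classify(20 * 1024, (b"The quick brown fox jumps over the lazy dog. " * 100)[:SAMPLE_SIZE])),
        ("png", classify(20 * 1024, b"\x89PNG\r\n\x1a\n" + balanced_sample()[8:])),
        ("urandom", classify(20 * 1024, os.urandom(SAMPLE_SIZE))),
    ]
    for name, r in samples:
        print(f"{name:12s} candidate={r['candidate']} chi2={r['chi_square']:.1f}")
```

Note that the "urandom" sample is flagged just like the volume-like one: the heuristic only recognises a uniform byte distribution in a 512-byte-aligned file with no known header, which is why the FAQ lists dd from /dev/urandom as a source of false positives and why a real scan should be followed by a manual review of the hits.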


Q. Does TCHunt run on Windows 7 and Windows 8?

A. Yes. Windows XP or newer Windows operating systems are supported.


Q. Why is 19 KB the minimum file size limit?

A. Because that is the legacy minimum size of a TrueCrypt volume.


Q. Why are mounted volumes not found?

A. Mounted volumes are self-evident.


Q. Why write a program such as TCHunt?

A. To demonstrate that, while encrypted volumes may be indistinguishable from
random data created in one specific fashion, the volumes themselves can be
easily distinguished from most other files on your system. Many people insist
that their encrypted volumes are undetectable. I hope TCHunt will convince them
otherwise, before they learn this fact the hard way. More importantly, you
should never claim that an encrypted volume with an mp3 file extension (or
whatever) is a corrupt file, etc. While that explanation may seem plausible to
an average person, it will not stand up to forensic or legal scrutiny. Data
corruption does not resemble AES encrypted data. If disclosing the location of
your encrypted volumes may lead to legal issues, then say nothing and contact a
competent lawyer.


Q. Hey! TCHunt found some files that are not encrypted volumes (false
positives). Why?

A. The algorithm may generate some false positives when testing millions of
files. TCHunt takes a very conservative approach. I'd rather have false
positives than false negatives, as false positives can be easily dismissed if
they are indeed false. Also, many false positives are either other forms of
encrypted data (e.g. oembios.bin) or files that contain random data (e.g. dd
with /dev/urandom as input).


Q. Can TCHunt find encrypted files created by other software?

A. Yes. So long as the files contain the TCHunt attributes listed above.
Formatted FreeOTFE volumes are one example. PGP/GPG and openssl encrypted files
do not consistently create files that contain the attributes, but may
occasionally. In addition to encrypted files, PRNGs that produce files with the
attributes would be found too. Using dd with /dev/urandom as input is one
example.


Q. Can TCHunt produce a false negative (miss an actual encrypted volume)?

A. It's possible, but not probable. I've tested several million volumes. TCHunt
has found all but a few of them. Should a volume happen to be created with a
common file header (and that is a possibility), then TCHunt would not find that
volume. Download my testing scripts and generate thousands of encrypted volumes
for testing.


Q. Can TCHunt be executed from a floppy disk, USB drive or CD/DVD?

A. Yes.


Q. Does TCHunt have to be installed before I can use it?

A. No. TCHunt is a self-contained, standalone program. Just download and then
execute it. To remove TCHunt, delete the executable. That's it. There are no
registry entries or files produced by TCHunt (unless you explicitly redirect
output to a file).


Q. Does other software have to be installed before I can use TCHunt?

A. No. TCHunt does not require other software to operate.


Q. Does TCHunt connect to the Internet or phone home?

A. No. A network connection is not required to use TCHunt. If you are
concerned about this, read the source code and use a packet sniffer such as
Wireshark while using TCHunt.


Q. Is TCHunt free software? May I see the source code?

A. Yes.


Q. Why do you call it TCHunt?

A. If someone renamed your encrypted TrueCrypt volumes and hid them among
millions of files of similar size, file extension, modification time, etc.,
TCHunt would quickly and accurately find the actual encrypted volumes. There
can be false positives (as explained above) but they can be easily dismissed.

Note: If the encrypted volumes are hidden among /dev/urandom created files via
dd, they will not stand out.


Q. May I get a Linux version of TCHunt?

A. Yes, in addition to Microsoft Windows, TCHunt runs on Linux, Mac and BSD
systems.

End