Old 09-08-2006, 12:35 AM
Redwood
Default Re: A Truecrypt Trick

"nemo_outis" <abc@xyz.com> wrote in
news:Xns9837B47BD70FCabcxyzcom@127.0.0.1:

> This may be old hat to some of you, but it may be new to others:
> it is possible to create and/or mount an ADS (alternate data
> stream) as an encrypted Truecrypt container file.
>
> For instance, if the file C:\somepath\sometext.txt already
> exists on your system (or create it and fill it with some text)
> then you would create an ADS Truecrypt volume invisibly
> "attached" to it (called "hidden" for illustration but you may
> wish to call it something more bland, perhaps a Kaspersky
> antivirus ADS name) by doing the following:
>
> Invoke Truecrypt and, when prompted for the name of the file to
> create as a Truecrypt container file, enter:
>
> C:\somepath\sometext.txt:hidden
>
> That is, append a colon and then the name of
> your-soon-to-be-created-ADS Truecrypt file to the existing
> visible file name.
>
> Same for mounting.
>
> Incidentally, do not use the file explorer dialog box (which
> will choke); instead type the name directly into the Truecrypt
> file name entry box.
>
> Regards,
>
> PS Obviously, the visible host file could be other than a text
> file - any file type will do. For instance, the devious may use
> a not-easily-deleted system file. Or the even more devious can
> use a directory rather than a file. (Yes, directories and not
> just files can have ADSs; those attached to the root directory
> of a drive are especially hard to detect - or get rid of!)
>
> PPS For manipulating ADS additional extents (the proper name
> for the hidden piggyback files) the best program I've come
> across is NTFS Streams Info. Nothing to do with encryption,
> just revealing, creating, deleting, etc.
>
> PPPS ADS streams are becoming better known but are still not
> well-known - even to some sysadmins. Their day is passing as a
> useful trick. Passing, but not yet past :-)
>


This does nothing but hide it from the casual observer. That type
of observer can be fooled by just naming it to look like a system
file. If your computer is seized, the stream will be found. Any
forensics specialist worth his salt will find it very easily as
well as any admin even slightly knowledgeable. It stands out like a
red flag with the tools available. I'd have to say that you make
it even easier to find by hiding it in a stream.
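To back up the reply's point that streams are trivial to spot, here is an added example (not posted by anyone in the thread, and not a Truecrypt or NTFS Streams Info feature) that walks a directory tree, lists every alternate data stream on files and on directories, and flags streams that are large and look like random data, which is what an encrypted container looks like on disk. The root path, the size threshold and the entropy threshold are assumptions.

```powershell
# Added example: audit a tree for NTFS alternate data streams (ADS) and flag
# large, random-looking ones. Not from the thread; thresholds are assumptions.
function Find-AlternateStream {
    param(
        [string]$Root = 'C:\somepath',   # assumption: directory to audit
        [long]$MinBytes = 1MB,           # assumption: ignore smaller streams
        [double]$MinEntropy = 7.5        # assumption: bits/byte; random data nears 8
    )
    # Shannon entropy in bits per byte over a sample of the stream.
    function Get-ByteEntropy([byte[]]$Bytes) {
        if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
        $counts = New-Object 'int[]' 256
        foreach ($b in $Bytes) { $counts[$b]++ }
        $h = 0.0
        foreach ($c in $counts) {
            if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
        }
        return [Math]::Round($h, 3)
    }
    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 with -AsByteStream.
    $rawRead = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
               else { @{ Encoding = 'Byte' } }
    # Include the root itself: directories (even a drive root) can carry ADSs too.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # ':$DATA' is the ordinary file content; every other stream is an ADS.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $sample = Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                      -ReadCount 0 -TotalCount 65536 @rawRead -ErrorAction SilentlyContinue
            $entropy = Get-ByteEntropy ([byte[]]$sample)
            [pscustomobject]@{
                Path       = "$($item.FullName):$($s.Stream)"
                Bytes      = $s.Length
                Entropy    = $entropy
                Suspicious = ($s.Length -ge $MinBytes -and $entropy -ge $MinEntropy)
            }
        }
    }
}

# Usage: list every ADS under the tree, suspicious ones first.
Find-AlternateStream -Root 'C:\somepath' | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A container named after an antivirus stream or attached to a directory shows up in this listing exactly like any other stream; only the name differs, which is the reply's point.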