Old 09-08-2006, 04:11 AM
nemo_outis
Default Re: A Truecrypt Trick

Redwood <anon@comments.header> wrote in news:QM3KT5C738967.8576851852
@twistycreek.com:

> "nemo_outis" <abc@xyz.com> wrote in
> news:Xns9837B47BD70FCabcxyzcom@127.0.0.1:
>
>> This may be old hat to some of you, but it may be new to others:
>> it is possible to create and/or mount an ADS (alternate data
>> stream) as an encrypted Truecrypt container file.
>>
>> For instance, if the file C:\somepath\sometext.txt already
>> exists on your system (or create it and fill it with some text)
>> then you would create an ADS Truecrypt volume invisibly
>> "attached" to it (called "hidden" for illustration but you may
>> wish to call it something more bland, perhaps a Kaspersky
>> antivirus ADS name) by doing the following:
>>
>> Invoke Truecrypt and, when prompted for the name of the file to
>> create as a Truecrypt container file, enter:
>>
>> C:\somepath\sometext.txt:hidden
>>
>> That is, append a colon and then the name of
>> your-soon-to-be-created-ADS Truecrypt file to the existing
>> visible file name.
>>
>> Same for mounting.
>>
>> Incidentally, do not use the file explorer dialog box (which
>> will choke); instead type the name directly into the Truecrypt
>> file name entry box.
>>
>> Regards,
>>
>> PS Obviously, the visible host file could be other than a text
>> file - any file type will do. For instance, the devious may use
>> a not-easily-deleted system file. Or the even more devious can
>> use a directory rather than a file. (Yes, directories and not
>> just files can have ADSs; those attached to the root directory
>> of a drive are especially hard to detect - or get rid of!)
>>
>> PPS For manipulating ADS additional extents (the proper name
>> for the hidden piggyback files) the best program I've come
>> across is NTFS Streams Info. Nothing to do with encryption,
>> just revealing, creating, deleting, etc.
>>
>> PPPS ADS streams are becoming better known but are still not
>> well-known - even to some sysadmins. Their day is passing as a
>> useful trick. Passing, but not yet past :-)
>>
>>

>
> This does nothing but hide it from the casual observer. That type
> of observer can be fooled by just naming it to look like a system
> file. If your computer is seized, the stream will be found. Any
> forensics specialist worth his salt will find it very easily as
> well as any admin even slightly knowledgeable. It stands out like a
> red flag with the tools available. I'd have to say that you make
> it even easier to find by hiding it in a stream.



The use of ADS is not intended to hide the Truecrypt file from a thorough
search; it is intended to not obtrude the existence of a multi-gigabyte
file to casual inspection (including casual *automated* inspection of the
sort of simplistic "HD inventory" done in many corporate environments, or
the quicky scan done by customs at many border points). It is a
complement, for instance, to using the Traveller mode of Truecrypt which
also has a similar goal: not of being absolutely undetectable but of
being unobvious. The goal of not coming to someone's attention in the
first place, rather than resisting disclosure afterwards, is not one to
be sneered at.

And, no, nothing is lost by using this method. And, of course, there is
no detriment to the actual security of the file's encrypted contents,
should its existence be detected. The method doesn't try to do
Truecrypt's job of encryption; it is instead a complement to it.

I say, without fear of contradiction, that there is NO method of
unsuspiciously hiding a multi-gigabyte encrypted file from a *thorough*
search - this just makes it easier to pass undetected through a less than
thorough search (or, better yet, to avoid a search in the first place).
In fact, I strongly suspect that, until I disclosed this approach, you
would not have looked for it. It, like most conjurer's tricks, is one of
subterfuge and misdirection. And, like a conjurer's trick, it is totally
simple and obvious - but only AFTER it has been explained!

Used judiciously, the method lends itself to other tricks as well. For
instance, use of ADS escapes the Windows disk quota system. This, for
instance, permits one to stash a multi-gigabyte file on a network drive
where one supposedly only has, say, 5 meg allotted. Chances are high (in
many environments) that such a drive is not even checked for such things
- I say this from experience in a large number of clients' environments,
including several that flattered themselves that they ran tight ships.

Regards,

PS While many virus and trojan checkers now look for ADS (they didn't
until just a few years ago even though ADS has been around since about
1990) there are still several which cannot detect an ADS attached to the
*root* directory of a drive (attached, not to a file *in* the root
directory, but to the root directory itself).

PPS Personally, I have now moved away from this method to using the
still-not-widely-known method of hiding files in the HPA. Most ordinary
tools, including even some of the lesser forensic ones, will only look
for hidden partitions and the like in the accessible part of the HD,
cheerfully accepting the hardware-level under-reporting of the HD's true
capacity.

(Phoenix and some others are now screwing this up for hackers by using
such partitions for backup/recovery, which is widening the appreciation
of the HPA. Sic transeunt hacks :-)

Cascading methods can also be helpful. Would you like to guess how many
tools currently support looking for an ADS attached to a file in the HPA?
That's right: none!


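The trick the thread describes, and the "easy to find" counterpoint, as an added PowerShell walkthrough that is not part of the original post or of TrueCrypt: it attaches a stream to a host file, shows that the host file's reported size does not include it, enumerates streams on files and on a directory (including the drive root), and finishes with the kind of volume sweep a sysadmin or forensic examiner would run. The path `C:\somepath\sometext.txt` and the stream name `hidden` are taken from the post; the `10MB` threshold, the use of random bytes in place of a real TrueCrypt container, and the assumption that `Get-Item -Stream` behaves the same on directories as on files are mine. Requires Windows PowerShell 3 or later on an NTFS volume.

```powershell
# Added example (not from the original post): create, inspect and hunt for
# NTFS alternate data streams (ADS). Paths and sizes are assumptions.

$HostFile   = 'C:\somepath\sometext.txt'   # visible host file, as in the post
$StreamName = 'hidden'                     # ADS name, as in the post

# 1. The visible host file, with an innocuous body.
New-Item -ItemType Directory -Force -Path (Split-Path $HostFile) | Out-Null
Set-Content -Path $HostFile -Value 'nothing to see here'

# 2. Attach an ADS. TrueCrypt would write its container file here; we stand
#    in for it with 1 MB of random bytes so the stream dwarfs its host.
$Payload = New-Object byte[] (1MB)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Payload)
# Windows PowerShell 5.1 syntax; on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream".
Set-Content -Path $HostFile -Stream $StreamName -Value $Payload -Encoding Byte

# 3. Explorer, dir and Get-ChildItem report only the unnamed stream's length;
#    the 1 MB in the ADS is not counted against the host file.
"Visible length of {0}: {1} bytes" -f $HostFile, (Get-Item $HostFile).Length

# 4. Stream enumeration sees both the unnamed stream (':$DATA') and 'hidden'.
Get-Item -Path $HostFile -Stream * | Select-Object FileName, Stream, Length

# 5. Directories can carry streams too, including the root of the drive
#    (the post's point about root-directory streams being overlooked).
Get-Item -Path 'C:\' -Stream * -ErrorAction SilentlyContinue |
    Select-Object FileName, Stream, Length

# 6. The sweep a sysadmin or examiner runs: every named data stream on the
#    volume above a size threshold. Zone.Identifier is the mark-of-the-web
#    stream browsers add to downloads and is excluded as noise.
function Find-LargeStreams {
    param(
        [string]$Root      = 'C:\',
        [long]  $Threshold = 10MB
    )
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            $_.Stream -ne 'Zone.Identifier' -and
            $_.Length -gt $Threshold
        } |
        Select-Object FileName, Stream, Length
}

# A 1 MB stream is below the 10 MB default; lower the threshold to catch the test stream.
Find-LargeStreams -Root (Split-Path $HostFile) -Threshold 512KB

# 7. Clean-up: remove just the ADS, leaving the host file in place.
Remove-Item -Path $HostFile -Stream $StreamName
```

Two practical notes. The sweep in step 6 is why the thread's sceptic is right about a thorough search: stream enumeration is a one-liner and a size filter makes a multi-gigabyte container stand out immediately. The same `-Stream *` call, pointed at a directory path rather than a file, is the check for streams hung off directories and the drive root, which the post singles out as the ones some scanners miss; if you are relying on a product to flag ADS, run that call against the root yourself rather than assuming it is covered.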