  #1 (permalink)  
Old 01-19-2007, 06:28 AM
Jane_G
Guest
 
Posts: n/a
Default What is a good Windows XP file to store encrypted volumes

What is a good filespec to hold an encrypted volume on WinXP?

Based on extensive googling, I installed the TrueCrypt freeware disk
encryption to safeguard my private files on a rather public computer.

TrueCrypt requires a file name to contain the rather large encrypted volume
file even if a hidden volume is used inside the regular encrypted volume.
For example, the file name containing the encrypted volume could be
C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin

To contain the TrueCrypt encrypted volume, I can choose any file name and
location that doesn't already exist. But, my question is what file name and
location would arouse the least suspicion were a coworker to be snooping
around looking for my personal data on my WinXP computer?

Specifically what binary file could reasonably be expected to be a few
megabytes in size, yet have a normal sounding name in a normal sounding
location containing "gibberish" (ie encrypted data) that would not arouse
suspicions that it is actually a TrueCrypt encrypted volume?

  #2 (permalink)  
Old 01-19-2007, 02:28 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Jane_G <janes_email@optusnet.com.au> wrote in
news:cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net:

> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted
> volume file even if a hidden volume is used inside the regular
> encrypted volume. For example, the file name containing the encrypted
> volume could be C:\Documents and Settings\Administrator\My TrueCrypt
> Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name
> and location that doesn't already exist. But, my question is what file
> name and location would arouse the least suspicion were a coworker to
> be snooping around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal
> sounding location containing "gibberish" (ie encrypted data) that
> would not arouse suspicions that it is actually a TrueCrypt encrypted
> volume?
>




The following will not fool a sysadmin (well, not a good one) but it works
very well against casual or inept snoops.

Hide the Truecrypt file as an "alternate file stream" attached to some
other file (which could itself be perfectly functional, such as an Excel
file). The hidden stream will not show in any normal system operation
(directory listings, etc.) although some (by no means all) antivirus
software may report it.

If the ordinary file you wish to use is, say, C:\directorypath\somefile.xls
then create (and subsequently mount and use) the Truecrypt file as, say,
C:\directorypath\somefile.xls:tc (i.e., the alternate file name - extent,
really - is defined as prefixed by the regular file name and a colon)

Regards,




  #3 (permalink)  
Old 01-19-2007, 03:29 PM
vedaal
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Jane_G wrote:

> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?



a .dll file in the windows system folder
[not high on the curious co-worker list of snoop folders ;-) ]
and there are so many of them that most people have no idea of what
they do,
or if they are legitimately required to be there

you can call it something benign and not unexpected, like
'AdobeUPD.dll'
(although i don't remember ever seeing a dll file 5mb or greater)


vedaal


  #4 (permalink)  
Old 01-19-2007, 03:56 PM
jørgen
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Jane_G wrote:
> What is a good filespec to hold an encrypted volume on WinXP?



If using NTFS, check up on alternate data streams

  #5 (permalink)  
Old 01-19-2007, 04:01 PM
jørgen
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

jørgen wrote:
> If using NTFS, check up on alternate data streams


Just know, if they snoop around with special utilities, hidden files in
alternate streams will be found rather quickly

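A defender's view of the alternate-data-stream suggestion, as an added example that is not part of any post: on Windows Vista and later, `dir /R` prints named streams beneath the file that owns them, and this Python sketch parses such a listing and reports the streams that are not routine. The sample listing (English locale), the `ROUTINE` set and the function name are assumptions constructed for the illustration; only the `somefile.xls:tc` name comes from the thread.

```python
import re

# `dir /R` prints each named stream on its own line under the owning file:
# no date or time, just the size followed by "<file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+([^:]+):([^:]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Streams that Windows attaches routinely (assumption: extend per environment).
ROUTINE = {"Zone.Identifier"}

# Constructed sample of `dir /R` output; not captured from a real machine.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.

 Directory of C:\directorypath

01/19/2007  02:28 PM    <DIR>          .
01/19/2007  02:28 PM    <DIR>          ..
01/19/2007  02:28 PM            24,576 somefile.xls
                             5,242,880 somefile.xls:tc:$DATA
01/18/2007  09:12 AM             1,204 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
01/17/2007  04:40 PM            31,744 report.doc
                                    14 report.doc:comment:$DATA
               3 File(s)         57,524 bytes
"""


def named_streams(listing, min_size=0):
    """Return (directory, file, stream, size) for each non-routine stream."""
    found, current_dir = [], ""
    for line in listing.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group(1)  # applies to the entries that follow
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue  # ordinary file line, header or summary
        size = int(re.sub(r"\D", "", m.group(1)))  # drop thousands separators
        name, stream = m.group(2), m.group(3)
        if stream in ROUTINE or size < min_size:
            continue
        found.append((current_dir, name, stream, size))
    return found


if __name__ == "__main__":
    # A multi-megabyte stream on a 24 KB spreadsheet stands out immediately.
    for entry in named_streams(SAMPLE_LISTING, min_size=1 << 20):
        print(entry)
```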
  #6 (permalink)  
Old 01-19-2007, 04:34 PM
David Eather
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

nemo_outis wrote:
> Jane_G <janes_email@optusnet.com.au> wrote in
> news:cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net:
>
>> What is a good filespec to hold an encrypted volume on WinXP?
>>
>> Based on extensive googling, I installed the TrueCrypt freeware disk
>> encryption to safeguard my private files on a rather public computer.
>>
>> TrueCrypt requires a file name to contain the rather large encrypted
>> volume file even if a hidden volume is used inside the regular
>> encrypted volume. For example, the file name containing the encrypted
>> volume could be C:\Documents and Settings\Administrator\My TrueCrypt
>> Encrypted Volume.bin
>>
>> To contain the TrueCrypt encrypted volume, I can choose any file name
>> and location that doesn't already exist. But, my question is what file
>> name and location would arouse the least suspicion were a coworker to
>> be snooping around looking for my personal data on my WinXP computer?
>>
>> Specifically what binary file could reasonably be expected to be a few
>> megabytes in size, yet have a normal sounding name in a normal
>> sounding location containing "gibberish" (ie encrypted data) that
>> would not arouse suspicions that it is actually a TrueCrypt encrypted
>> volume?
>>

>
>
>
> The following will not fool a sysadmin (well, not a good one) but it works
> very well against casual or inept snoops.
>
> Hide the Truecrypt file as an "alternate file stream" attached to some
> other file (which could itself be perfectly functional, such as an Excel
> file). The hidden stream will not show in any normal system operation
> (directory listings, etc.) although some (by no means all) antivirus
> software may report it.
>
> If the ordinary file you wish to use is, say, C:\directorypath\somefile.xls
> then create (and subsequently mount and use) the Truecrypt file as, say,
> C:\directorypath\somefile.xls:tc (i.e., the alternate file name - extent,
> really - is defined as prefixed by the regular file name and a colon)
>
> Regards,
>
>
>

So, you're saying it is OK that your security is not based on a
mathematical proof or a conjecture of the computational bounds of an
adversary, but rather based on the hope that the adversary is incompetent.

Do you see anything wrong with that?

  #7 (permalink)  
Old 01-19-2007, 04:38 PM
Someone Else
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

In Message-ID:<cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net>,
Jane_G <janes_email@optusnet.com.au> wrote:

>To contain the TrueCrypt encrypted volume, I can choose any file name and
>location that doesn't already exist. But, my question is what file name and
>location would arouse the least suspicion were a coworker to be snooping
>around looking for my personal data on my WinXP computer?
>
>Specifically what binary file could reasonably be expected to be a few
>megabytes in size, yet have a normal sounding name in a normal sounding
>location containing "gibberish" (ie encrypted data) that would not arouse
>suspicions that it is actually a TrueCrypt encrypted volume?


Do a search on your own computer for all files larger than <some
value>. On mine, I found some 50MB CAB files and a gigabyte swap
file.

You could put another CAB file into the same directory or create
an "orphaned" swap file.

But, these are examples from *my* system. You should find what's
not unusual on your own. (Have you considered a thumb drive,
instead?)

Of course, this is the practical side. There are also the legal
and ethical sides: The computer is owned by your company, and
they might believe they have some say in what goes on it. They
might even have a written policy about installing unauthorized
software or about keeping personal files on work computers.

  #8 (permalink)  
Old 01-19-2007, 06:25 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

David Eather <eather@tpg.com.au> wrote in
news:45b10117@dnews.tpgi.com.au:

> nemo_outis wrote:

....
>> The following will not fool a sysadmin (well, not a good one) but it
>> works very well against casual or inept snoops.
>>
>> Hide the Truecrypt file as an "alternate file stream" attached to
>> some other file (which could itself be perfectly functional, such as
>> an Excel file). The hidden stream will not show in any normal system
>> operation (directory listings, etc.) although some (by no means all)
>> antivirus software may report it.
>>
>> If the ordinary file you wish to use is, say,
>> C:\directorypath\somefile.xls then create (and subsequently mount
>> and use) the Truecrypt file as, say,
>> C:\directorypath\somefile.xls:tc (i.e., the alternate file name -
>> extent, really - is defined as prefixed by the regular file name and
>> a colon)
>>
>> Regards,
>>
>>
>>

> So, you're saying it is OK that your security is not based on a
> mathematical proof or a conjecture of the computational bounds of an
> adversary, but rather based on the hope that the adversary is
> incompetent.
>
> Do you see anything wrong with that?



Short answer: No, I see nothing wrong with that.

Longer answer:

The OP framed her question in terms of using nothing stronger than an
inconspicuous file. Compared to that, an alternate data stream is
leagues ahead.

Going further, the OP's threat model is coworkers who casually snoop,
folks who are, if not outright incompetent, clearly without special
resources or competence.

Against a sufficiently competent, well-funded, and motivated adversary -
especially one who has repeated unobserved direct access to the machine
as could happen in a work environment - I feel confident in saying there
is NO satisfactory method of disguising the use of Truecrypt.

So, the task is not to overdesign the system inordinately in a misguided
attempt to thwart the NSA. Instead, as with most security questions, the
real task is to implement a scheme appropriate to the specified threat
model.

And this is exactly what my suggested use of ADS in these circumstances
does. It is a convenient, readily implemented method that is entirely
suitable and appropriate for the described threat model.

Regards,



  #9 (permalink)  
Old 01-19-2007, 08:23 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51cmfcF1jjf5gU1@mid.dfncis.de:

> nemo_outis wrote:
>
>>> So, you're saying it is OK that your security is not based on a
>>> mathematical proof or a conjecture of the computational bounds of an
>>> adversary, but rather based on the hope that the adversary is
>>> incompetent.
>>>
>>> Do you see anything wrong with that?

>>
>> Short answer: No, I see nothing wrong with that.

>
> Then I pity you for not understanding what security is, but still
> posting in a.c.s . Security requires reliability, at least to a
> certain point, which is the pure contrary of unjustified hope.
>
>> And this is exactly what my suggested use of ADS in these
>> circumstances does. It is a convenient, readily implemented method
>> that is entirely suitable and appropriate for the described threat
>> model.

>
> It isn't. Just run LADS, Streams or one of those many many other
> utilities and you'll easily see a very suspicious ADS.
>



Thank you for your response. My confidence in the accuracy of my answer
is now greatly increased.

You see, Sebastian, you are what can be characterized as an "intelligent
fool." While not actually stupid, you are nonetheless so reliably and
consistently wrong that sensible folks treat you as an amazingly accurate
"contrary indicator" and regard your condemnation instead as rock-solid
validation of their views.

You invariably want to use a sledgehammer to crack a peanut, and this
produces solutions that are so tiresome and onerous that no one would
ever be bothered implementing and using them (assuming, that is, that
they would work at all in spite of their needless complication and
intricacy). Your grandiose and overworked "solutions" are never suitable
to the problem. No, you propose them only in a puerile - and failed! -
attempt to seem knowledgeable.

So, yes, Sebastian, of course streams can be detected! Any hiding or
mislabelling technique is only suitable against casual adversaries. But,
of course, those were precisely the type of adversaries that were
specified!

However, as a variant of the "hiding" genre, using ADS is vastly superior
to using grossly oversized mislabelled file types. It is a highly
effective technique against casual (and some not-so-casual) snoops.

Regards,



  #10 (permalink)  
Old 01-19-2007, 10:42 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51ctiuF1jllc1U1@mid.dfncis.de:

> nemo_outis wrote:
>
>> of course streams can be detected! Any hiding or
>> mislabelling technique is only suitable against casual adversaries.
>> But, of course, those were precisely the type of adversaries that
>> were specified!

>
> Then you just got the specification wrong.



Congratulations, Sebastian! Your perfect record as a "contrary
indicator" who always gets it wrong has been extended.

No, Sebastian, it was NOT I who specified the type of adversaries but
rather the OP - to whom I then responded with an appropriate solution.


>> However, as a variant of the "hiding" genre, using ADS is vastly
>> superior to using grossly oversized mislabelled file types.

>
> Nonsense, since using such a bogus but well-known feature makes it way
> more suspicious.



Goddammit, you're thick, Sebastian! The original question posed was how
to make Truecrypt files less obvious to casual snoops at the OP's
workplace, not thwart the NSA.

If the adversaries suspecting use of Truecrypt had even minimal
competence they would first try, NOT to pore through the HD looking for
oversized mislabelled nonfunctional files (and, of course, far less for
ADS) but rather look for the presence of the Truecrypt driver and its
registry fingerprint which is blatantly there for anyone of non-casual
competence to see and which is awkward for an unskilled person, such as
the OP apparently is, to remove and replace regularly (sitting as it does
as a legacy driver in currentcontrolset).

We are, as the OP originally posed the problem, looking at adversaries
whose investigative repertoire does not even extend that far. And so I
guarantee that ADS will be far beyond the ability of such adversaries to
discover.

In short, Sebastian, the matter is settled; now all that remains is to
see how long you foolishly persist in your truculent stupidity.

Regards,


  #11 (permalink)  
Old 01-20-2007, 01:43 AM
Wraeth
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Jane_G wrote:
> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted volume
> file even if a hidden volume is used inside the regular encrypted volume.
> For example, the file name containing the encrypted volume could be
> C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?


Jane-G,

As you can no doubt see, there are a lot of suggestions for you to
follow up on regarding the solution to your problem. However, to find
the best solution applicable to your situation, it may be wise to
consider exactly what scenario you are trying to avoid.

From your post, you say that you don't want your co-workers, who
occasionally snoop around your computer, to even know that you have the
data. Therefore, it is not the content that you are hiding, but the
existence.

If this is the case, then perhaps it is not a wise idea to store the
data on a computer to which your co-workers have access; instead, as
suggested before, use a USB thumb drive, or burn the data to a removable
disc. This way, you remove the threat that a co-worker with above
average computer literacy (such as the IT administration or support
team) will notice an unusual file with a large file, or recognize
possibilities from the existence of TrueCrypt on the computer in question.

If, however, it is only the content that you are wishing to hide, not
the existence, then all you really need is a decent encryption program.
If the file you wish to encrypt is large, then perhaps you could place
the file into an archive and split the archive into separate files
before you encrypt it.

It would be a wise move, as also mentioned in a previous response, to
consider the policies in effect at your workplace regarding the use of
company computers for personal reasons. Another point is perhaps
securing the computer against unauthorized use by your co-workers (if
their use is constituted as unauthorized).

I hope that this helps you with your problem, and that you find a
solution that is manageable, practicable, and allows your data to remain
undiscovered.

Regards,
wraeth

  #12 (permalink)  
Old 01-20-2007, 02:41 AM
David Eather
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

nemo_outis wrote:
> David Eather <eather@tpg.com.au> wrote in
> news:45b10117@dnews.tpgi.com.au:
>
>> nemo_outis wrote:

> ...
>>> The following will not fool a sysadmin (well, not a good one) but it
>>> works very well against casual or inept snoops.
>>>
>>> Hide the Truecrypt file as an "alternate file stream" attached to
>>> some other file (which could itself be perfectly functional, such as
>>> an Excel file). The hidden stream will not show in any normal system
>>> operation (directory listings, etc.) although some (by no means all)
>>> antivirus software may report it.
>>>
>>> If the ordinary file you wish to use is, say,
>>> C:\directorypath\somefile.xls then create (and subsequently mount
>>> and use) the Truecrypt file as, say,
>>> C:\directorypath\somefile.xls:tc (i.e., the alternate file name -
>>> extent, really - is defined as prefixed by the regular file name and
>>> a colon)
>>>
>>> Regards,
>>>
>>>
>>>

>> So, you're saying it is OK that your security is not based on a
>> mathematical proof or a conjecture of the computational bounds of an
>> adversary, but rather based on the hope that the adversary is
>> incompetent.
>>
>> Do you see anything wrong with that?

>
>
> Short answer: No, I see nothing wrong with that.
>
> Longer answer:
>
> The OP framed her question in terms of using nothing stronger than an
> inconspicuous file. Compared to that, an alternate data stream is
> leagues ahead.
>
> Going further, the OP's threat model is coworkers who casually snoop,
> folks who are, if not outright incompetent, clearly without special
> resources or competence.
>
> Against a sufficiently competent, well-funded, and motivated adversary -
> especially one who has repeated unobserved direct access to the machine
> as could happen in a work environment - I feel confident in saying there
> is NO satisfactory method of disguising the use of Truecrypt.
>
> So, the task is not to overdesign the system inordinately in a misguided
> attempt to thwart the NSA. Instead, as with most security questions, the
> real task is to implement a scheme appropriate to the specified threat
> model.
>
> And this is exactly what my suggested use of ADS in these circumstances
> does. It is a convenient, readily implemented method that is entirely
> suitable and appropriate for the described threat model.
>
> Regards,
>
>

The rub:

The adversary is not the NSA. You saw how quickly SG was onto the
faults in this idea. It will only take one person who knows what he is
doing, to show one script-kiddie what to do, who will show everyone else
and security becomes zero or even worse; the user still thinks they have
some security and may well be indiscreet.

  #13 (permalink)  
Old 01-20-2007, 04:06 AM
Bill
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes


Jane_G wrote:
> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted volume
> file even if a hidden volume is used inside the regular encrypted volume.
> For example, the file name containing the encrypted volume could be
> C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?


Look at the _hidden_ uninstall service pack directories in a typical
Windows XP installation. They are in the \Windows directory, usually,
with folder names like '$NTUninstallKB999999_0$' and they typically
contain dll files. Create one that does not exist in real
life--probably a directory name starting with $NTUninstallKB0 since all
the current KB numbers are larger than that. Create the file as a
hidden .dll file there. Since the folder will not be listed as a
service pack in the registry, the system uninstaller ought to ignore it,
AFAIK. And those directories are a hidden forest that almost nobody
but M$ understands :).


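Why a borrowed file name is weak camouflage, as an added example that is not part of any post: a genuine .dll or .cab begins with a known signature, while an encrypted container has none and is statistically random throughout, so a content check separates the two without any knowledge of TrueCrypt. The function names, the entropy threshold and the sample bytes are assumptions constructed for the illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes the disguises suggested in the thread would have if genuine:
# PE images (.dll, .exe) begin with "MZ", Microsoft cabinet files with "MSCF".
MAGIC = {".dll": b"MZ", ".exe": b"MZ", ".cab": b"MSCF"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, near 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes, threshold: float = 7.9) -> str:
    """Compare the first chunk of a file with what its extension promises.

    consistent: the expected signature is present
    opaque:     no expected signature and the content looks random
    mismatch:   a known extension whose signature is missing
    unknown:    no signature on record for this extension
    """
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic and head.startswith(magic):
        return "consistent"
    if shannon_entropy(head) >= threshold:
        return "opaque"
    return "mismatch" if magic else "unknown"


def scan(root: str, min_size: int = 1 << 20, sample: int = 1 << 16) -> list:
    """Return (path, verdict) for large files under root that look wrong."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) < min_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # locked or unreadable file: skip it
            verdict = classify(fn, head)
            if verdict in ("opaque", "mismatch"):
                hits.append((path, verdict))
    return hits


# Constructed sample data: 64 KiB of SHA-256 output stands in for an
# encrypted container; the second sample is a PE-like header plus text.
SAMPLE_CONTAINER = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048)
)
SAMPLE_DLL = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode." * 100

if __name__ == "__main__":
    print(classify("AdobeUPD.dll", SAMPLE_CONTAINER))  # name taken from the thread
    print(classify("genuine.dll", SAMPLE_DLL))
```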
  #14 (permalink)  
Old 01-20-2007, 04:08 AM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

David Eather <eather@tpg.com.au> wrote in
news:45b18f89@dnews.tpgi.com.au:

> The adversary is not the NSA. You saw how quickly SG was onto the
> faults in this idea. It will only take one person who knows what he
> is doing, to show one script-kiddie what to do, who will show everyone
> else and security becomes zero or even worse; the user still thinks
> they have some security and may well be indiscreet.



Once again, with feeling:

The method I outlined is entirely appropriate to the threat model specified
by the OP: casual office snoopers. It is significantly superior to the
grossly oversized, non-functional, mislabelled file ruse. Moreover, it is
exceedingly straightforward and easy to implement since Truecrypt natively
supports it with nary a tweak required (an important aspect given the
obvious non-geekiness of the OP).

And here's a flash for you: There is NO satisfactory method of hiding
Truecrypt from a skilled adversary, especially on a workplace machine. As
just one example, Truecrypt leaves awkward-to-erase tracks in the registry.
An adversary of only modest skills using regedit would detect that
Truecrypt was being used in seconds rather than having to do a full HD scan
looking for ADS with special programs.

Regards,






  #15 (permalink)  
Old 01-20-2007, 06:27 AM
Paul Rubin
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Jane_G <janes_email@optusnet.com.au> writes:
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.


You should never store private files on a public computer. There's no
way to know whether the public computer's software or even hardware
has been modified to compromise your privacy (for example by recording
your keystrokes). If you want to work on private files away from
home, get a portable computer and keep your files on it. TrueCrypt is
a good product for encrypting your files on your own computer, in case
your computer falls into the wrong hands sometime after you've put
your files on it. It can't solve the situation of a computer that's
already in the wrong hands BEFORE you've put your files on it.

  #16 (permalink)  
Old 01-20-2007, 02:43 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51e1lhF1jbqjdU1@mid.dfncis.de:

> Bill wrote:
>
>> Look at the _hidden_ uninstall service pack directories in a typical
>> Windows XP installation. They are in the \Windows directory,
>> usually, with folder names like '$NTUninstallKB999999_0$' and they
>> typically contain dll files. Create one that does not exist in real
>> life--probably a directory name starting with $NTUninstallKB0 since
>> all the current KB numbers are larger than that.



> Non-admin users don't have write-access there.


You've gotten things wrong once again, Sebastian. You really are the
consummate "contrary indicator" and "intelligent fool."

We already KNOW AS A CERTAINTY that the OP has admin rights on the local
computer OR SHE COULDN'T HAVE INSTALLED TRUECRYPT IN THE FIRST PLACE!

What a doofus you are!

Regards,




  #17 (permalink)  
Old 01-20-2007, 03:22 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51e1inF1iic3oU1@mid.dfncis.de:

> nemo_outis wrote:
>
>> No, Sebastian, it was NOT I who specified the type of adversaries but
>> rather the OP



> And I told you that you misunderstood this specification. Now, what
> about reading comprehension? Go figure!




Here, you thick-as-a-brick moron, is a verbatim quote from the OP's post:
___

"But, my question is what file name and location would arouse the least
suspicion were a coworker to be snooping around looking for my personal
data on my WinXP computer?"
___

"Snooping coworker," Sebastian! That's the specific threat model POSED
BY THE OP just as I said. It was the OP, not I, who specified the threat
model (and who additionally even confined the "solution space" only to
recommending the most inconspicuous file type and location).


>> If the adversaries suspecting use of Truecrypt had even minimal
>> competence they would first try, NOT to pore through the HD looking
>> for oversized mislabelled nonfunctional files

>
> Right. He would use Google to find a program which does that for him.



No ordinary "snooping coworker" would be installing and launching
forensic tools. Moreover, this hypothetical NSA-geek snooping coworker
would not know if there were mislabelled files, alternate data streams, a
hidden partition, an even-more-hidden partition in the HPA, files or
directories hidden by a rootkit, or even whether Truecrypt or some other
program was being used.

Nor does the snooper know what method is used to hide the OP's personal
info or even if any such hiding is being done. He's just snooping
around.

And, in the absence of specific info, the NSA-geek snooping coworker
would have no basis for limiting himself to searching for only one of
these stratagems but would either have to use a full-blown forensic tool
(e.g., Encase) to look for any and all of them or deploy a quiver of more
specific search tools. That isn't casual snooping, Sebastian!

No, a casual snoop will do just that: snoop around hoping to stumble upon
unsecured personal data or, failing that, to spot some anomaly that
catches his eye as a possible attempt to hide personal info. A slightly
less casual snoop may use some of the tools native to the environment
(e.g., regedit) but anything beyond that (e.g., installing and using
forensic tools) is no longer casual snooping.

That's it, Sebastian. That's all the OP asked for: light-duty
camouflage. Nothing more.

But I'll go further, Sebastian, you doofus, in explaining that there is
NO satisfactory way of hiding Truecrypt from a skilled adversary, only
makeshift methods of hiding it from unskilled ones (such as the ones
asked for and given to the OP).

If you're of a mathematical bent call it a mini "existence proof" from
the makers of Truecrypt themselves. Perhaps it will even satisfy David
Eather's pretentious twaddle calling for "mathematical proof or a
conjecture of the computational bounds of an adversary."

You see, Sebastian, Truecrypt goes to great lengths to provide "plausible
deniability," even adding a nesting feature. But obviously "plausible
deniability" is a far weaker status than "undetectability of hidden data
in the first place." If the makers of Truecrypt thought there was an
effective way of providing undetectability they would not have futzed
around adding plausible deniability. QED

Regards,


  #18 (permalink)  
Old 01-27-2007, 01:34 AM
Lefty Bigfoot
Guest
 
Posts: n/a
Default Re: What is a good Windows XP file to store encrypted volumes

On Fri, 19 Jan 2007 01:28:41 -0600, Jane_G wrote
(in article <cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net>):

> What is a good filespec to hold an encrypted volume on WinXP?


Copy it to another operating system that's not put out by
Microsoft.




--
Lefty
All of God's creatures have a place..........
..........right next to the potatoes and gravy.
See also: http://www.gizmodo.com/gadgets/images/iProduct.gif

