What is a good Windows XP file to store encrypted volumes
What is a good filespec to hold an encrypted volume on WinXP?
Based on extensive googling, I installed the TrueCrypt freeware disk
encryption to safeguard my private files on a rather public computer.
TrueCrypt requires a file name to contain the rather large encrypted volume
file even if a hidden volume is used inside the regular encrypted volume.
For example, the file name containing the encrypted volume could be
C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin
To contain the TrueCrypt encrypted volume, I can choose any file name and
location that doesn't already exist. But, my question is what file name and
location would arouse the least suspicion were a coworker to be snooping
around looking for my personal data on my WinXP computer?
Specifically what binary file could reasonably be expected to be a few
megabytes in size, yet have a normal sounding name in a normal sounding
location containing "gibberish" (ie encrypted data) that would not arouse
suspicions that it is actually a TrueCrypt encrypted volume?
Re: What is a good Windows XP file to store encrypted volumes
Jane_G <janes_email@optusnet.com.au> wrote in
news:cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net:
> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted
> volume file even if a hidden volume is used inside the regular
> encrypted volume. For example, the file name containing the encrypted
> volume could be C:\Documents and Settings\Administrator\My TrueCrypt
> Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name
> and location that doesn't already exist. But, my question is what file
> name and location would arouse the least suspicion were a coworker to
> be snooping around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal
> sounding location containing "gibberish" (ie encrypted data) that
> would not arouse suspicions that it is actually a TrueCrypt encrypted
> volume?
>
The following will not fool a sysadmin (well, not a good one) but it works
very well against casual or inept snoops.
Hide the Truecrypt file as an "alternate file stream" attached to some
other file (which could itself be perfectly functional, such as an Excel
file). The hidden stream will not show in any normal system operation
(directory listings, etc.) although some (by no means all) antivirus
software may report it.
If the ordinary file you wish to use is, say, C:\directorypath\somefile.xls
then create (and subsequently mount and use) the Truecrypt file as, say,
C:\directorypath\somefile.xls:tc (i.e., the alternate file name - extent,
really - is defined as prefixed by the regular file name and a colon)
Re: What is a good Windows XP file to store encrypted volumes
Jane_G wrote:
> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?
a .dll file in the windows system folder
[not high on the curious co-worker list of snoop folders ;-) ]
and there are so many of them that most people have no idea of what
they do,
or if they are legitimately required to be there
you can call it something benign and not unexpected, like
'AdobeUPD.dll'
(although i don't remember ever seeing a dll file 5mb or greater)
Re: What is a good Windows XP file to store encrypted volumes
nemo_outis wrote:
> Jane_G <janes_email@optusnet.com.au> wrote in
> news:cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net:
>
>> What is a good filespec to hold an encrypted volume on WinXP?
>>
>> Based on extensive googling, I installed the TrueCrypt freeware disk
>> encryption to safeguard my private files on a rather public computer.
>>
>> TrueCrypt requires a file name to contain the rather large encrypted
>> volume file even if a hidden volume is used inside the regular
>> encrypted volume. For example, the file name containing the encrypted
>> volume could be C:\Documents and Settings\Administrator\My TrueCrypt
>> Encrypted Volume.bin
>>
>> To contain the TrueCrypt encrypted volume, I can choose any file name
>> and location that doesn't already exist. But, my question is what file
>> name and location would arouse the least suspicion were a coworker to
>> be snooping around looking for my personal data on my WinXP computer?
>>
>> Specifically what binary file could reasonably be expected to be a few
>> megabytes in size, yet have a normal sounding name in a normal
>> sounding location containing "gibberish" (ie encrypted data) that
>> would not arouse suspicions that it is actually a TrueCrypt encrypted
>> volume?
>>
>
>
>
> The following will not fool a sysadmin (well, not a good one) but it works
> very well against casual or inept snoops.
>
> Hide the Truecrypt file as an "alternate file stream" attached to some
> other file (which could itself be perfectly functional, such as an Excel
> file). The hidden stream will not show in any normal system operation
> (directory listings, etc.) although some (by no means all) antivirus
> software may report it.
>
> If the ordinary file you wish to use is, say, C:\directorypath\somefile.xls
> then create (and subsequently mount and use) the Truecrypt file as, say,
> C:\directorypath\somefile.xls:tc (i.e., the alternate file name - extent,
> really - is defined as prefixed by the regular file name and a colon)
>
> Regards,
>
>
>
So, you're saying it is OK that your security is not based on a
mathematical proof or a conjecture of the computational bounds of an
adversary, but rather based on the hope that the adversary is incompetent.
Re: What is a good Windows XP file to store encrypted volumes
In Message-ID:<cii4jiyaflyn.1teukog10u1f2.dlg@40tude.net>,
Jane_G <janes_email@optusnet.com.au> wrote:
>To contain the TrueCrypt encrypted volume, I can choose any file name and
>location that doesn't already exist. But, my question is what file name and
>location would arouse the least suspicion were a coworker to be snooping
>around looking for my personal data on my WinXP computer?
>
>Specifically what binary file could reasonably be expected to be a few
>megabytes in size, yet have a normal sounding name in a normal sounding
>location containing "gibberish" (ie encrypted data) that would not arouse
>suspicions that it is actually a TrueCrypt encrypted volume?
Do a search on your own computer for all files larger than <some
value>. On mine, I found some 50MB CAB files and a gigabyte swap
file.
You could put another CAB file into the same directory or create
an "orphaned" swap file.
But, these are examples from *my* system. You should find what's
not unusual on your own. (Have you considered a thumb drive,
instead?)
Of course, this is the practical side. There are also the legal
and ethical sides: The computer is owned by your company, and
they might believe they have some say in what goes on it. They
might even have a written policy about installing unauthorized
software or about keeping personal files on work computers.
Re: What is a good Windows XP file to store encrypted volumes
David Eather <eather@tpg.com.au> wrote in
news:45b10117@dnews.tpgi.com.au:
> nemo_outis wrote:
....
>> The following will not fool a sysadmin (well, not a good one) but it
>> works very well against casual or inept snoops.
>>
>> Hide the Truecrypt file as an "alternate file stream" attached to
>> some other file (which could itself be perfectly functional, such as
>> an Excel file). The hidden stream will not show in any normal system
>> operation (directory listings, etc.) although some (by no means all)
>> antivirus software may report it.
>>
>> If the ordinary file you wish to use is, say,
>> C:\directorypath\somefile.xls then create (and subsequently mount
>> and use) the Truecrypt file as, say,
>> C:\directorypath\somefile.xls:tc (i.e., the alternate file name -
>> extent, really - is defined as prefixed by the regular file name and
>> a colon)
>>
>> Regards,
>>
>>
>>
> So, you're saying it is OK that your security is not based on a
> mathematical proof or a conjecture of the computational bounds of an
> adversary, but rather based on the hope that the adversary is
> incompetent.
>
> Do you see anything wrong with that?
Short answer: No, I see nothing wrong with that.
Longer answer:
The OP framed her question in terms of using nothing stronger than an
inconspicuous file. Compared to that, an alternate data stream is
leagues ahead.
Going further, the OP's threat model is coworkers who casually snoop,
folks who are, if not outright incompetent, clearly without special
resources or competence.
Against a sufficiently competent, well-funded, and motivated adversary -
especially one who has repeated unobserved direct access to the machine
as could happen in a work environment - I feel confident in saying there
is NO satisfactory method of disguising the use of Truecrypt.
So, the task is not to overdesign the system inordinately in a misguided
attempt to thwart the NSA. Instead, as with most security questions, the
real task is to implement a scheme appropriate to the specified threat
model.
And this is exactly what my suggested use of ADS in these circumstances
does. It is a convenient, readily implemented method that is entirely
suitable and appropriate for the described threat model.
Re: What is a good Windows XP file to store encrypted volumes
Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51cmfcF1jjf5gU1@mid.dfncis.de:
> nemo_outis wrote:
>
>>> So, you're saying it is OK that your security is not based on a
>>> mathematical proof or a conjecture of the computational bounds of an
>>> adversary, but rather based on the hope that the adversary is
>>> incompetent.
>>>
>>> Do you see anything wrong with that?
>>
>> Short answer: No, I see nothing wrong with that.
>
> Then I pity you for not understanding what security is, but still
> posting in a.c.s . Security requires reliability, at least to a
> certain point, which is the pure contrary of unjustified hope.
>
>> And this is exactly what my suggested use of ADS in these
>> circumstances does. It is a convenient, readily implemented method
>> that is entirely suitable and appropriate for the described threat
>> model.
>
> It isn't. Just run LADS, Streams or one of those many many other
> utilities and you'll easily see a very suspicious ADS.
>
Thank you for your response. My confidence in the accuracy of my answer
is now greatly increased.
You see, Sebastian, you are what can be characterized as an "intelligent
fool." While not actually stupid, you are nonetheless so reliably and
consistently wrong that sensible folks treat you as an amazingly accurate
"contrary indicator" and regard your condemnation instead as rock-solid
validation of their views.
You invariably want to use a sledgehammer to crack a peanut, and this
produces solutions that are so tiresome and onerous that no one would
ever be bothered implementing and using them (assuming, that is, that
they would work at all in spite of their needless complication and
intricacy). Your grandiose and overworked "solutions" are never suitable
to the problem. No, you propose them only in a puerile - and failed! -
attempt to seem knowledgeable.
So, yes, Sebastian, of course streams can be detected! Any hiding or
mislabelling technique is only suitable against casual adversaries. But,
of course, those were precisely the type of adversaries that were
specified!
However, as a variant of the "hiding" genre, using ADS is vastly superior
to using grossly oversized mislabelled file types. It is a highly
effective technique against casual (and some not-so-casual) snoops.
Re: What is a good Windows XP file to store encrypted volumes
Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51ctiuF1jllc1U1@mid.dfncis.de:
> nemo_outis wrote:
>
>> of course streams can be detected! Any hiding or
>> mislabelling technique is only suitable against casual adversaries.
>> But, of course, those were precisely the type of adversaries that
>> were specified!
>
> Then you just got the specification wrong.
Congratulations, Sebastian! Your perfect record as a "contrary
indicator" who always gets it wrong has been extended.
No, Sebastian, it was NOT I who specified the type of adversaries but
rather the OP - to whom I then responded with an appropriate solution.
>> However, as a variant of the "hiding" genre, using ADS is vastly
>> superior to using grossly oversized mislabelled file types.
>
> Nonsense, since using such a bogus but well-known feature makes it way
> more suspicious.
Goddammit, you're thick, Sebastian! The original question posed was how
to make Truecrypt files less obvious to casual snoops at the OP's
workplace, not thwart the NSA.
If the adversaries suspecting use of Truecrypt had even minimal
competence they would first try, NOT to pore through the HD looking for
oversized mislabelled nonfunctional files (and, of course, far less for
ADS) but rather look for the presence of the Truecrypt driver and its
registry fingerprint which is blatantly there for anyone of non-casual
competence to see and which is awkward for an unskilled person, such as
the OP apparently is, to remove and replace regularly (sitting as it does
as a legacy driver in currentcontrolset).
We are, as the OP originally posed the problem, looking at adversaries
whose investigative repertoire does not even extend that far. And so I
guarantee that ADS will be far beyond the ability of such adversaries to
discover.
In short, Sebastian, the matter is settled; now all that remains is to
see how long you foolishly persist in your truculent stupidity.
Re: What is a good Windows XP file to store encrypted volumes
Jane_G wrote:
> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted volume
> file even if a hidden volume is used inside the regular encrypted volume.
> For example, the file name containing the encrypted volume could be
> C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?
Jane-G,
As you can no doubt see, there are a lot of suggestions for you to
follow up on regarding the solution to your problem. However, to find
the best solution applicable to your situation, it may be wise to
consider exactly what scenario you are trying to avoid.
From your post, you say that you don't want your co-workers, who
occasionally snoop around your computer, to even know that you have the
data. Therefore, it is not the content that you are hiding, but the
existence.
If this is the case, then perhaps it is not a wise idea to store the
data on a computer to which your co-workers have access; instead, as
suggested before, use a USB thumb drive, or burn the data to a removable
disc. This way, you remove the threat that a co-worker with above
average computer literacy (such as the IT administration or support
team) will notice an unusual file with a large file, or recognize
possibilities from the existence of TrueCrypt on the computer in question.
If, however, it is only the content that you are wishing to hide, not
the existence, then all you really need is a decent encryption program.
If the file you wish to encrypt is large, then perhaps you could place
the file into an archive and split the archive into separate files
before you encrypt it.
It would be a wise move, as also mentioned in a previous response, to
consider the policies in effect at your workplace regarding the use of
company computers for personal reasons. Another point is perhaps
securing the computer against unauthorized use by your co-workers (if
their use is constituted as unauthorized).
I hope that this helps you with your problem, and that you find a
solution that is manageable, practicable, and allows your data to remain
undiscovered.
Re: What is a good Windows XP file to store encrypted volumes
nemo_outis wrote:
> David Eather <eather@tpg.com.au> wrote in
> news:45b10117@dnews.tpgi.com.au:
>
>> nemo_outis wrote:
> ...
>>> The following will not fool a sysadmin (well, not a good one) but it
>>> works very well against casual or inept snoops.
>>>
>>> Hide the Truecrypt file as an "alternate file stream" attached to
>>> some other file (which could itself be perfectly functional, such as
>>> an Excel file). The hidden stream will not show in any normal system
>>> operation (directory listings, etc.) although some (by no means all)
>>> antivirus software may report it.
>>>
>>> If the ordinary file you wish to use is, say,
>>> C:\directorypath\somefile.xls then create (and subsequently mount
>>> and use) the Truecrypt file as, say,
>>> C:\directorypath\somefile.xls:tc (i.e., the alternate file name -
>>> extent, really - is defined as prefixed by the regular file name and
>>> a colon)
>>>
>>> Regards,
>>>
>>>
>>>
>> So, you're saying it is OK that your security is not based on a
>> mathematical proof or a conjecture of the computational bounds of an
>> adversary, but rather based on the hope that the adversary is
>> incompetent.
>>
>> Do you see anything wrong with that?
>
>
> Short answer: No, I see nothing wrong with that.
>
> Longer answer:
>
> The OP framed her question in terms of using nothing stronger than an
> inconspicuous file. Compared to that, an alternate data stream is
> leagues ahead.
>
> Going further, the OP's threat model is coworkers who casually snoop,
> folks who are, if not outright incompetent, clearly without special
> resources or competence.
>
> Against a sufficiently competent, well-funded, and motivated adversary -
> especially one who has repeated unobserved direct access to the machine
> as could happen in a work environment - I feel confident in saying there
> is NO satisfactory method of disguising the use of Truecrypt.
>
> So, the task is not to overdesign the system inordinately in a misguided
> attempt to thwart the NSA. Instead, as with most security questions, the
> real task is to implement a scheme appropriate to the specified threat
> model.
>
> And this is exactly what my suggested use of ADS in these circumstances
> does. It is a convenient, readily implemented method that is entirely
> suitable and appropriate for the described threat model.
>
> Regards,
>
>
The rub:
The adversary is not the NSA. You saw how quickly SG was onto the
faults in this idea. It will only take one person who knows what he is
doing, to show one script-kiddie what to do, who will show everyone else
and security becomes zero or even worse; the user still thinks they have
some security and may well be indiscreet.
Re: What is a good Windows XP file to store encrypted volumes
Jane_G wrote:
> What is a good filespec to hold an encrypted volume on WinXP?
>
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
>
> TrueCrypt requires a file name to contain the rather large encrypted volume
> file even if a hidden volume is used inside the regular encrypted volume.
> For example, the file name containing the encrypted volume could be
> C:\Documents and Settings\Administrator\My TrueCrypt Encrypted Volume.bin
>
> To contain the TrueCrypt encrypted volume, I can choose any file name and
> location that doesn't already exist. But, my question is what file name and
> location would arouse the least suspicion were a coworker to be snooping
> around looking for my personal data on my WinXP computer?
>
> Specifically what binary file could reasonably be expected to be a few
> megabytes in size, yet have a normal sounding name in a normal sounding
> location containing "gibberish" (ie encrypted data) that would not arouse
> suspicions that it is actually a TrueCrypt encrypted volume?
Look at the _hidden_ uninstall service pack directories in a typical
Windows XP installation. They are in the \Windows directory, usually,
with folder names like '$NTUninstallKB999999_0$' and they typically
contain dll files. Create one that does not exist in real
life--probably a directory name starting with $NTUninstallKB0 since all
the current KB numbers are larger than that. Create the file as a
hidden .dll file there. Since the folder will not be listed as a
service pack in the registry, the system uninstaller ought to ignore it,
AFAIK. And those directories are a hidden forest that almost nobody
but M$ understands :).
Re: What is a good Windows XP file to store encrypted volumes
David Eather <eather@tpg.com.au> wrote in
news:45b18f89@dnews.tpgi.com.au:
> The adversary is not the NSA. You saw how quickly SG was onto the
> faults in this idea. It will only take one person who knows what he
> is doing, to show one script-kiddie what to do, who will show everyone
> else and security becomes zero or even worse; the user still thinks
> they have some security and may well be indiscreet.
Once again, with feeling:
The method I outlined is entirely appropriate to the threat model specified
by the OP: casual office snoopers. It is significantly superior to the
grossly oversized, non-functional, mislabelled file ruse. Moreover, it is
exceedingly straightforward and easy to implement since Truecrypt natively
supports it with nary a tweak required (an important aspect given the
obvious non-geekiness of the OP).
And here's a flash for you: There is NO satisfactory method of hiding
Truecrypt from a skilled adversary, especially on a workplace machine. As
just one example, Truecrypt leaves awkward-to-erase tracks in the registry.
An adversary of only modest skills using regedit would detect that
Truecrypt was being used in seconds rather than having to do a full HD scan
looking for ADS with special programs.
Re: What is a good Windows XP file to store encrypted volumes
Jane_G <janes_email@optusnet.com.au> writes:
> Based on extensive googling, I installed the TrueCrypt freeware disk
> encryption to safeguard my private files on a rather public computer.
You should never store private files on a public computer. There's no
way to know whether the public computer's software or even hardware
has been modified to compromise your privacy (for example by recording
your keystrokes). If you want to work on private files away from
home, get a portable computer and keep your files on it. TrueCrypt is
a good product for encrypting your files on your own computer, in case
your computer falls into the wrong hands sometime after you've put
your files on it. It can't solve the situation of a computer that's
already in the wrong hands BEFORE you've put your files on it.
Re: What is a good Windows XP file to store encrypted volumes
Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51e1lhF1jbqjdU1@mid.dfncis.de:
> Bill wrote:
>
>> Look at the _hidden_ uninstall service pack directories in a typical
>> Windows XP installation. They are in the \Windows directory,
>> usually, with folder names like '$NTUninstallKB999999_0$' and they
>> typically contain dll files. Create one that does not exist in real
>> life--probably a directory name starting with $NTUninstallKB0 since
>> all the current KB numbers are larger than that.
> Non-admin users don't have write-access there.
You've gotten things wrong once again, Sebastian. You really are the
consummate "contrary indicator" and "intelligent fool."
We already KNOW AS A CERTAINTY that the OP has admin rights on the local
computer OR SHE COULDN'T HAVE INSTALLED TRUECRYPT IN THE FIRST PLACE!
Re: What is a good Windows XP file to store encrypted volumes
Sebastian Gottschalk <seppi@seppig.de> wrote in
news:51e1inF1iic3oU1@mid.dfncis.de:
> nemo_outis wrote:
>
>> No, Sebastian, it was NOT I who specified the type of adversaries but
>> rather the OP
> And I told you that you misunderstood this specification. Now, what
> about reading comprehension? Go figure!
Here, you thick-as-a-brick moron, is a verbatim quote from the OP's post:
___
"But, my question is what file name and location would arouse the least
suspicion were a coworker to be snooping around looking for my personal
data on my WinXP computer?"
___
"Snooping coworker," Sebastian! That's the specific threat model POSED
BY THE OP just as I said. It was the OP, not I, who specified the threat
model (and who additionally even confined the "solution space" only to
recommending the most inconspicuous file type and location).
>> If the adversaries suspecting use of Truecrypt had even minimal
>> competence they would first try, NOT to pore through the HD looking
>> for oversized mislabelled nonfunctional files
>
> Right. He would use Google to find a program which does that for him.
No ordinary "snooping coworker" would be installing and launching
forensic tools. Moreover, this hypothetical NSA-geek snooping coworker
would not know if there were mislabelled files, alternate data streams, a
hidden partition, an even-more-hidden partition in the HPA, files or
directories hidden by a rootkit, or even whether Truecrypt or some other
program was being used.
Nor does the snooper know what method is used to hide the OP's personal
info or even if any such hiding is being done. He's just snooping
around.
And, in the absence of specific info, the NSA-geek snooping coworker
would have no basis for limiting himself to searching for only one of
these stratagems but would either have to use a full-blown forensic tool
(e.g., Encase) to look for any and all of them or deploy a quiver of more
specific search tools. That isn't casual snooping, Sebastian!
No, a casual snoop will do just that: snoop around hoping to stumble upon
unsecured personal data or, failing that, to spot some anomaly that
catches his eye as a possible attempt to hide personal info. A slightly
less casual snoop may use some of the tools native to the environment
(e.g., regedit) but anything beyond that (e.g., installing and using
forensic tools) is no longer casual snooping.
That's it, Sebastian. That's all the OP asked for: light-duty
camouflage. Nothing more.
But I'll go further, Sebastian, you doofus, in explaining that there is
NO satisfactory way of hiding Truecrypt from a skilled adversary, only
makeshift methods of hiding it from unskilled ones (such as the ones
asked for and given to the OP).
If you're of a mathematical bent call it a mini "existence proof" from
the makers of Truecrypt themselves. Perhaps it will even satisfy David
Eather's pretentious twaddle calling for "mathematical proof or a
conjecture of the computational bounds of an adversary."
You see, Sebastian, Truecrypt goes to great lengths to provide "plausible
deniability," even adding a nesting feature. But obviously "plausible
deniability" is a far weaker status than "undetectability of hidden data
in the first place." If the makers of Truecrypt thought there was an
effective way of providing undetectability they would not have futzed
around adding plausible deniability. QED
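
Added example, not part of the thread or any poster's code: a defender-side check for the "oversized mislabelled file" ruse the thread debates, flagging large files whose `.dll`/`.cab` extension does not match their leading magic bytes and whose contents look uniformly random. The entropy threshold, sample size and the constructed sample files are assumptions for illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes a genuine file of each type starts with.
MAGIC = {
    ".dll": b"MZ",    # PE image (DOS header)
    ".exe": b"MZ",
    ".cab": b"MSCF",  # Microsoft Cabinet archive
}
ENTROPY_THRESHOLD = 7.9   # bits per byte; assumed cut-off, tune per environment
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(path: str) -> str:
    """Return 'ok', 'bad-magic' or 'bad-magic+random' for one file."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return "ok"  # extension not covered by this check
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(expected):
        return "ok"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "bad-magic+random"  # no valid header and near-random content
    return "bad-magic"


def scan(root: str, min_size: int = 1024 * 1024) -> list:
    """Walk root and report (relative path, verdict) for suspicious large files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) < min_size:
                    continue
                verdict = classify(full)
            except OSError:
                continue  # unreadable or vanished file
            if verdict != "ok":
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


def demo() -> list:
    """Build a small constructed sample tree and scan it."""
    rng = random.Random(1)  # seeded so the constructed sample is repeatable
    with tempfile.TemporaryDirectory() as root:
        # Constructed: valid DLL magic followed by padding.
        with open(os.path.join(root, "genuine.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 70000)
        # Constructed: random bytes stand in for an encrypted container.
        with open(os.path.join(root, "AdobeUPD.dll"), "wb") as fh:
            fh.write(bytes(rng.getrandbits(8) for _ in range(70000)))
        # Constructed: wrong header but low entropy (a renamed text file).
        with open(os.path.join(root, "notes.cab"), "wb") as fh:
            fh.write(b"plain text " * 7000)
        return scan(root, min_size=50000)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(verdict, rel)
```

A directory walk like this does not see alternate data streams; the stream-listing utilities named in the thread (LADS, Streams) cover that case.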