Royal Holloway Thesis Series | Detecting the use of TrueCrypt

Detecting the use of TrueCrypt: clues that point a digital forensics investigator towards evidence of TrueCrypt data encryption software use

by Andrew Davies, MSc (RHUL) and Allan Tomlinson, ISG, Royal Holloway

Forensic investigations: Detecting evidence of the use of TrueCrypt

Criminals are increasingly using data encryption to cover their tracks. Even detecting the use of encryption software can be a challenge for a digital forensics investigator. This article looks at the evidential material that can be found when TrueCrypt data encryption software has been used. By Andrew Davies and Allan Tomlinson.

Forensic investigators conducting examinations need to be as sure as they can be that they have all the information they need to present a fair and unbiased report. If information is encrypted, redacted or not detected, the integrity of the study is compromised.

Criminals are increasingly using data encryption software to ensure data confidentiality. It can be challenging just to detect whether encryption software has been used. When use of data encryption software is suspected, digital forensic investigators will typically try to gain access to the suspect’s computer while it is still powered on. Access to a powered-on computer can enable the investigator to access memory-resident material from random access memory (RAM), perhaps yielding the key used to encrypt or decrypt the data. It can also allow access to the data in an unencrypted form, or at least confirm that data encryption software is in use.

Figure 1: TrueCrypt encrypted file container

So what happens if the suspect computer is found in a powered-off state? This article shows that, even in this case, there is still plenty of evidence that can be extracted to confirm whether or not data encryption software has been used.

TrueCrypt is an example of popular data encryption software and about 30 million copies have been downloaded to date. Its popularity can be attributed to it being open source, freely available and its support on a number of major operating systems.

TrueCrypt can create a “file container” to store encrypted data as a single file within a disk volume, as shown in Figure 1. As shown in Figure 2, TrueCrypt can also encrypt whole regions of a hard disk, including areas that contain the start-up files.

The encrypted data areas shown in figures 1 and 2 represent TrueCrypt’s normal mode of data encryption, the standard volume. In addition to the standard volume, which is often referred to as the outer volume, TrueCrypt also possesses a feature that allows users to hide the presence of an encrypted volume – the hidden volume.

Worryingly for a forensic investigator, the hidden volume provides users with plausible deniability: a credible reason why such encrypted data might not exist at all. When the data is encrypted, it is difficult for investigators to view with normal forensics tools because it does not have an obvious structure and so may go undetected.

However, even though the encrypted data might not initially be detected, TrueCrypt does leave a trail of evidence that could be examined. This supporting evidence could then be used in conjunction with the relevant laws to seek access to the encrypted material in an unencrypted form.

Figure 2: TrueCrypt partition and device encryption


The evidence trail

When TrueCrypt is used on a Windows operating system, evidence that it has been used can be found in a number of locations. The amount of evidence that can be recovered depends on which volume mode, standard or hidden, has been used to encrypt the data. Some examples of where evidence can be found that points to TrueCrypt’s use are:

• The Microsoft Windows Registry.
• The Microsoft Windows IconCache.db file.
• The hard disk’s master boot record (MBR).

Windows Registry evidence

The Windows Registry is a hierarchical database represented by a number of files within the file system. It contains configuration information and settings for Windows and associated applications. It is commonly analysed as part of a host computer investigative process.

The information within the Registry is categorised into sections containing root keys. Each can contain sub-keys and various attribute data types, such as binary or string values. The UserAssist sub-key of the Windows Explorer application contains details of applications that have previously been executed on the running Windows system. An example of the UserAssist key’s location within the Registry is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The data attributes of this sub-key, which can be viewed at the given location by running RegEdit, are encoded with a Caesar cipher whose shift or rotation is 13 places. This application of the cipher is commonly called rotate-13 or ROT-13 for short. Only letters are shifted; digits and punctuation pass through unchanged. Using ROT-13, the word “TrueCrypt” is encoded as the text “GehrPelcg” and this is the search term that can be used to locate the data key within the Registry. If the data is found, it is often stored with the full directory path that references the location of the TrueCrypt application executable within the file system. The full path data is again encoded with ROT-13, so, for example, the version string 7.1a appears as 7.1n. A pre-Windows 7 example of this is:

HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zl Qbphzragf\GehrPelcg7.1n\GehrPelcg.rkr

Conversion of this from ROT-13 results in the following:

UEME_RUNPATH:C:\Documents and Settings\Administrator\My Documents\TrueCrypt7.1a\TrueCrypt.exe

This confirms the TrueCrypt application (TrueCrypt.exe) has existed on the hard disk volume C: and says where it was located at the time of being executed.

Although not immediately obvious, the number of times the application has been executed can also be determined from the attribute’s value data, found in the same UserAssist sub-key. An example of the contents is the 16 bytes, written in hexadecimal, “02 00 00 00 09 00 00 00 C0 B4 CC 12 97 99 CE 01”.

The fifth byte, “09”, represents the number of times the application has been executed. In this pre-Windows 7 format the counter starts from “05” rather than from zero, so in this instance the application has been started four times. (The first four bytes are a session identifier, and the final eight bytes, “C0 B4 CC 12 97 99 CE 01”, are a little-endian 64-bit Windows FILETIME recording when the application was last run.) Software applications exist that can determine the execution count automatically; one example is UserAssist.


One of the clearest indications of TrueCrypt use can be found in the Registry key “HKEY_LOCAL_MACHINE\system\MountedDevices”. This Registry entry tracks the disk volumes that have been used within Windows. The values stored in the attribute called “data” at this location are the hexadecimal numbers of the corresponding ASCII character codes. Conversion of the hexadecimal numbers to the corresponding ASCII characters results in the text “TrueCryptVolume” followed by a letter that represents the drive volume letter assigned to the mounted TrueCrypt container at the time of use. An example would be “TrueCryptVolumeT”, which means the TrueCrypt volume was mounted for use and, at the time, was assigned the drive volume letter “T”. So the data stored in this key confirms a TrueCrypt volume has been used on the host. What cannot be determined from this information is what type of TrueCrypt volume was used, whether a standard volume or a hidden one.
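The two Registry checks described above (the ROT-13-encoded UserAssist entries with their run counter, and the “TrueCryptVolume” data in MountedDevices) are small enough to script. The following is an added example written for this page; it is not code from the article or from the TrueCrypt project. It takes the Registry values as plain Python objects (reading them out of a hive is left to whatever hive parser the investigator already uses) and assumes the pre-Windows 7 16-byte UserAssist layout of session ID, run counter and FILETIME described above; the sample values, including the volume GUID, are constructed to match the article's examples:

```python
"""Registry indicators of TrueCrypt use: UserAssist (ROT-13) and MountedDevices.

Added example, not from the article. Sample values are constructed to match the
forms the article describes; reading the hive itself is out of scope and the
values are passed in as Python objects.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone


def rot13(text: str) -> str:
    """ROT-13 is its own inverse; digits and punctuation pass through unchanged."""
    return codecs.decode(text, "rot_13")


def is_truecrypt_userassist(value_name: str) -> bool:
    """True if a ROT-13-encoded UserAssist value name refers to TrueCrypt.

    Searching the hive for the encoded form "GehrPelcg" is equivalent; decoding
    first also exposes the full path for the report.
    """
    return "truecrypt" in rot13(value_name).lower()


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # the pre-Windows 7 run counter starts at 5, not 0 (per the article)


def parse_userassist_xp(value_name: str, data: bytes) -> dict:
    """Decode a pre-Windows 7 (Windows XP/Vista layout) UserAssist entry.

    Assumed 16-byte layout: session ID (uint32 LE) | run counter (uint32 LE) |
    last-run time (uint64 LE FILETIME, 100 ns ticks since 1601-01-01 UTC).
    Windows 7 and later use a longer record that this function does not handle.
    """
    if len(data) != 16:
        raise ValueError("expected the 16-byte pre-Windows 7 UserAssist value")
    session, count, filetime = struct.unpack("<IIQ", data)
    return {
        "path": rot13(value_name),
        "session": session,
        "executions": max(count - XP_COUNT_OFFSET, 0),
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


TC_PREFIX = b"TrueCryptVolume"


def truecrypt_mounts(mounted_devices: dict) -> dict:
    """Map MountedDevices value names to the drive letter of TrueCrypt volumes.

    A TrueCrypt volume's data is the ASCII string "TrueCryptVolume" plus the
    letter it was mounted as; ordinary volumes carry binary signature/offset or
    device-path data and are ignored.
    """
    hits = {}
    for name, data in mounted_devices.items():
        if data.startswith(TC_PREFIX) and len(data) == len(TC_PREFIX) + 1:
            letter = chr(data[-1])
            if letter.isalpha():
                hits[name] = letter.upper()
    return hits


def triage(userassist: dict, mounted_devices: dict) -> dict:
    """Pull the TrueCrypt-related facts out of both Registry locations."""
    runs = [parse_userassist_xp(name, data)
            for name, data in userassist.items() if is_truecrypt_userassist(name)]
    return {"userassist": runs, "mounts": truecrypt_mounts(mounted_devices)}


# --- constructed sample data, shaped like the article's examples -------------
SAMPLE_USERASSIST = {
    # the article's pre-Windows 7 TrueCrypt run path and its 16-byte value
    r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zl Qbphzragf"
    r"\GehrPelcg7.1n\GehrPelcg.rkr":
        bytes.fromhex("02 00 00 00 09 00 00 00 C0 B4 CC 12 97 99 CE 01"),
    # an unrelated program (notepad.exe), to show the filter at work
    r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr":
        bytes.fromhex("02 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00"),
}
SAMPLE_MOUNTED_DEVICES = {
    # a normal volume: MBR disk signature + partition offset (constructed bytes)
    r"\DosDevices\C:": bytes.fromhex("78 56 34 12 00 7e 00 00 00 00 00 00"),
    r"\DosDevices\T:": b"TrueCryptVolumeT",
    # the matching volume GUID entry (GUID is made up for the example)
    r"\??\Volume{0d4f1c2e-5b2a-11e3-9c13-000c29a1b2c3}": b"TrueCryptVolumeT",
}


if __name__ == "__main__":
    report = triage(SAMPLE_USERASSIST, SAMPLE_MOUNTED_DEVICES)
    for run in report["userassist"]:
        print(f"{run['path']}  executed {run['executions']}x, "
              f"last {run['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    for name, letter in report["mounts"].items():
        print(f"{name} -> TrueCrypt volume mounted as {letter}:")
```

Run against the article's sample value, the decoder reports four executions and a last-run time in August 2013, which is the kind of timeline fact an investigator wants alongside the bare “TrueCrypt was here”. As the article notes, none of this distinguishes a standard volume from a hidden one.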

Many Windows applications retain a list of recently accessed file names to allow users to return quickly to files they were working on. This information may also be stored in the Registry. Some of the applications include the full path location to precisely identify the file in the file system, including the name assigned to a disk volume. If the disk volume is inappropriately named, for example a TrueCrypt hidden volume has been labelled “secretstuff”, and this volume cannot be located, then this could add weight to the investigator’s assessment that data encryption has been used.

IconCache.db

As part of the Windows graphical user interface (GUI), applications are displayed in the GUI as icons or images that represent the file’s content or use. Windows caches icons on a per-user basis in a file called IconCache.db. When applications are executed, the icons, together with the owning application reference, are stored within this file. The contents can be viewed with a basic file editor capable of displaying binary files.

So, if TrueCrypt has been used by a Windows user, a reference to TrueCrypt’s file location and name is cached in the IconCache.db file. Unlike ASCII, the reference within this file uses a 16-bit character set (UTF-16 little-endian, the encoding Windows uses for its wide strings), so every letter is followed by a zero byte. Consequently, most editors will display the text with another character between each letter, commonly a blank space or period. This can be seen in Figure 3. Therefore, when searching for the string “TrueCrypt” with your forensic software, you need to ensure that the correct character set is used: a plain ASCII search will not match the wide-string form.

Figure 3: Analysis of IconCache.db
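To make the character-set point concrete, here is an added example (written for this page, not code from the article) that searches a binary blob for “TrueCrypt” in both the narrow ASCII and the wide UTF-16LE encoding and expands each hit to the surrounding string. It does not parse the IconCache.db format itself, only the bytes inside it; the sample blob is constructed, and the paths in it are illustrative rather than taken from a real cache:

```python
"""Narrow- and wide-string search in a binary file such as IconCache.db.

Added example, not from the article. IconCache.db's internal layout is not
parsed here; the point is the encoding: Windows caches these paths as UTF-16LE,
so a search for the ASCII bytes b"TrueCrypt" misses them entirely.
"""

ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def find_string_hits(blob: bytes, term: str) -> list:
    """Return (offset, encoding) for every occurrence of `term` in either encoding."""
    hits = []
    for label, codec in ENCODINGS.items():
        needle = term.encode(codec)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)


def _printable_wide(unit: bytes) -> bool:
    """A UTF-16LE code unit in the printable ASCII range (what a path is made of)."""
    return len(unit) == 2 and 0x20 <= int.from_bytes(unit, "little") < 0x7F


def extract_wide_string(blob: bytes, offset: int) -> str:
    """Expand a UTF-16LE hit to the whole surrounding run of printable wide chars."""
    start = offset
    while start >= 2 and _printable_wide(blob[start - 2:start]):
        start -= 2
    end = offset
    while end + 2 <= len(blob) and _printable_wide(blob[end:end + 2]):
        end += 2
    return blob[start:end].decode("utf-16-le")


def extract_ascii_string(blob: bytes, offset: int) -> str:
    """Same expansion for a narrow (single-byte) hit."""
    start = offset
    while start >= 1 and 0x20 <= blob[start - 1] < 0x7F:
        start -= 1
    end = offset
    while end < len(blob) and 0x20 <= blob[end] < 0x7F:
        end += 1
    return blob[start:end].decode("ascii")


def truecrypt_references(blob: bytes) -> list:
    """Every TrueCrypt reference in the blob, as (offset, encoding, string)."""
    out = []
    for off, enc in find_string_hits(blob, "TrueCrypt"):
        text = (extract_wide_string(blob, off) if enc == "utf-16le"
                else extract_ascii_string(blob, off))
        out.append((off, enc, text))
    return out


def hexdump_line(chunk: bytes) -> str:
    """Editor-style rendering: the 0x00 high bytes of wide chars show up as '.'."""
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    textpart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{hexpart}  {textpart}"


# constructed stand-in for a slice of IconCache.db: some binary header bytes,
# a wide-string path as Windows would cache it, filler, then a narrow string
WIDE_PATH = r"C:\Program Files\TrueCrypt\TrueCrypt.exe"
SAMPLE_BLOB = (
    bytes.fromhex("00 00 01 00 a0 0f 00 00 ff ff ff ff")
    + WIDE_PATH.encode("utf-16-le") + b"\x00\x00"
    + b"\x7f" * 8
    + b"icon:TrueCrypt Format.exe\x00"
)


if __name__ == "__main__":
    print("naive ASCII matches:", SAMPLE_BLOB.count(b"TrueCrypt"))
    for off, enc, text in truecrypt_references(SAMPLE_BLOB):
        print(f"{off:6d} {enc:9s} {text}")
    print(hexdump_line(SAMPLE_BLOB[12:44]))
```

A naive `find(b"TrueCrypt")` over the sample sees only the narrow string; the two occurrences inside the wide path are invisible to it, which is exactly the trap the paragraph above warns about when configuring a forensic tool's string search.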

Using normal forensic techniques, bitmap data representing an icon can also be extracted from IconCache.db. If TrueCrypt has been used, its icons will be cached. An example is also shown in Figure 3. Finding a match between TrueCrypt’s application icons and the cached icons contained within IconCache.db would provide additional supporting evidence for the forensic investigator. It would confirm that TrueCrypt has, at some point, been used on this installation of Windows. The IconCache.db file would not contain such data by default.

Figure 4: The TrueCrypt boot-loader screen

TrueCrypt boot-loader

The previous examples all suppose that the forensic investigator can gain access to the file system and thus the Registry files or the IconCache.db file, which means the whole disk encryption feature of TrueCrypt has not been used. In instances where whole disk encryption has been used, TrueCrypt can still leave evidence of its existence.

When whole disk encryption is used and the disk drive containing the operating system’s system files is also encrypted, TrueCrypt stores the files it requires to start in the master boot record (MBR) area of the hard disk. The MBR contains the TrueCrypt boot-loader. This is software that authenticates the user and, after successful authentication, allows the TrueCrypt software to start. This, in turn, allows the normal operating system start sequence to proceed.

If the investigator is able to forensically start the duplicated working copy or image of the original hard disk in a virtualised environment, the TrueCrypt boot-loader should be visible on screen. An example is shown in Figure 4.


Figure 5: Evidence of the TrueCrypt boot-loader found in compressed data


The TrueCrypt boot-loader stores its code and data in compressed form using the GZIP archive compression format. As with the IconCache.db file, it is possible to use file-carving to extract the compressed data from the MBR area using the hexadecimal file signature “1F 8B 08” of the GZIP archive format. When the extracted code and data are decompressed, many references to the TrueCrypt software can be found, as shown in Figure 5. The recovered data can be used to confirm data encryption has been used and this enables the investigator to pursue other permitted legal methods to recover its contents.
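The signature-based carving just described can be automated with a few lines of Python. The following is an added example for this page, not code from the article: it scans a raw image for the “1F 8B 08” signature, attempts to inflate from every hit, discards hits that zlib rejects (the three-byte signature will also occur by chance in unrelated data), and pulls printable strings mentioning TrueCrypt out of whatever inflates. The image is constructed: filler bytes, one deliberate false-positive signature, one real GZIP member whose plaintext strings are made up to stand in for the references Figure 5 shows, and trailing zeros.

```python
"""Carve GZIP members out of a raw disk-area image by their 1F 8B 08 signature.

Added example, not from the article. SAMPLE_IMAGE is constructed; the strings
inside the gzip member are invented stand-ins, not the real boot-loader's text.
"""
import gzip
import re
import zlib

# ID1=1F, ID2=8B, CM=08 (deflate): the signature the article gives
GZIP_MAGIC = b"\x1f\x8b\x08"


def carve_gzip(image: bytes) -> list:
    """Try to inflate from every signature hit; keep whatever zlib accepts.

    Each result records the offset, the inflated data, whether the member
    reached its end-of-stream marker, and (for complete members) how many bytes
    of the image it occupied. Truncated members are reported but flagged.
    """
    found = []
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper, one member
        try:
            data = inflater.decompress(image[pos:])
        except zlib.error:
            data = None  # not a gzip stream after all (bad header flags, corrupt deflate, ...)
        if data:
            complete = inflater.eof
            found.append({
                "offset": pos,
                "data": data,
                "complete": complete,
                "consumed": len(image) - pos - len(inflater.unused_data) if complete else None,
            })
        pos = image.find(GZIP_MAGIC, pos + 1)
    return found


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """The usual 'strings'-style extraction of printable ASCII runs."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def truecrypt_strings(image: bytes) -> list:
    """Inflate every carved member and return the strings mentioning TrueCrypt."""
    hits = []
    for member in carve_gzip(image):
        hits += [s for s in printable_strings(member["data"]) if "truecrypt" in s.lower()]
    return hits


# --- constructed sample image -------------------------------------------------
BOOT_LOADER_TEXT = (                      # invented plaintext, not TrueCrypt's
    b"TrueCrypt Boot Loader\r\nEnter password: \r\n"
    b"Incorrect password.\r\nTrueCrypt Rescue Disk\r\n" + b"\x90" * 300
)
FALSE_POSITIVE = GZIP_MAGIC + b"\xff" * 16  # FLG=0xFF sets reserved bits; zlib rejects it
SAMPLE_IMAGE = (
    bytes(range(256)) * 2                    # filler containing no 1F 8B 08 run
    + FALSE_POSITIVE
    + gzip.compress(BOOT_LOADER_TEXT, mtime=0)
    + b"\x00" * 512
)


if __name__ == "__main__":
    for member in carve_gzip(SAMPLE_IMAGE):
        state = "complete" if member["complete"] else "truncated"
        print(f"gzip member at offset {member['offset']} ({state}), "
              f"{len(member['data'])} bytes inflated")
    for s in truecrypt_strings(SAMPLE_IMAGE):
        print("  ", s)
```

The `consumed` figure tells the investigator where the compressed member ends, so the carved bytes can be hashed and quoted by exact offset and length in the report; the rejected false positive shows why a carver must actually inflate rather than trust the three signature bytes alone.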

TrueCrypt hidden volume

The hidden volume feature of TrueCrypt gives a user a plausible method to conceal the fact that TrueCrypt has been used. From reading the literature associated with the hidden volume, a reader could conclude the hidden volume is embedded inside a standard volume. Our research shows this is not the case.

The hidden volume is an entity that can exist in its own right. There are certain restrictions and relationships that do depend on the standard volume’s construct, but the hidden volume can still exist when much of the standard volume’s data has been destroyed. The layout of a TrueCrypt volume containing the standard volume and a hidden volume is shown in Figure 6. Our research shows that by using a combination of statistical tests, we can confidently identify where the encrypted file data of the standard volume resides on the disk, but more research is needed to successfully target the hidden volume.
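The article does not spell out which statistical tests it used, so the following added example (written for this page, not the authors' method) illustrates the most basic of them: a per-block Shannon entropy scan that flags regions whose bytes look uniformly random, which is what well-encrypted data looks like. The window size, threshold and sample image are all assumptions: the image is constructed from zero-filled space, repeated ASCII text, a PRNG-generated stand-in for ciphertext, and more zeros.

```python
"""Locate high-entropy (encrypted-looking) regions in a disk image.

Added example, not from the article. The authors describe "a combination of
statistical tests" without listing them; per-block Shannon entropy is the
usual first test and is what this shows. SAMPLE_IMAGE is constructed.
"""
import math
import random
from collections import Counter

BLOCK = 4096       # 4 KiB windows: a single 512-byte sector is too small for a stable estimate
THRESHOLD = 7.8    # bits per byte; uniform random data scores about 7.95 at this window size


def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte histogram, 0.0 (one value) to 8.0 (all 256 equally likely)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def block_entropies(image: bytes, block: int = BLOCK) -> list:
    """(offset, entropy) for each window of the image."""
    return [(off, shannon_entropy(image[off:off + block])) for off in range(0, len(image), block)]


def high_entropy_runs(image: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> list:
    """Merge consecutive above-threshold windows into (start, end) byte ranges."""
    runs, start = [], None
    for off, h in block_entropies(image, block):
        if h >= threshold and start is None:
            start = off
        elif h < threshold and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


# constructed image: unallocated zeros | plain text | ciphertext stand-in | zeros
_rng = random.Random(2013)  # seeded so the example is reproducible
SAMPLE_IMAGE = (
    b"\x00" * (4 * BLOCK)
    + (b"The quick brown fox jumps over the lazy dog. " * 400)[:4 * BLOCK]
    + _rng.randbytes(8 * BLOCK)
    + b"\x00" * (4 * BLOCK)
)


if __name__ == "__main__":
    for off, h in block_entropies(SAMPLE_IMAGE):
        print(f"{off:8d}  {h:5.2f}  {'<-- random-looking' if h >= THRESHOLD else ''}")
    print("candidate encrypted regions:", high_entropy_runs(SAMPLE_IMAGE))
```

The scan isolates the 32 KiB random-looking region and nothing else. Two caveats apply in practice: compressed data (the GZIP'd boot-loader, JPEGs, ZIP archives) scores just as high, which is why a single test is not enough and the authors speak of a combination; and the scan only says where encrypted-looking bytes are, not whether any of them belong to a hidden volume, which is the open problem the paragraph above describes.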

Conclusion

The amount of evidence that can be recovered that points to TrueCrypt’s use depends on the mode in which TrueCrypt was used. As with many Windows applications, clues are scattered over the file system and we have discussed only a few of them. For example, from the data found in the “UserAssist” Registry key and IconCache.db file, it is possible to confidently determine whether TrueCrypt has been started on the device at some point.

In our tests, just using standard Windows applications and functionality, multiple references were found that logged data accessed from locations within a TrueCrypt volume, irrespective of whether it was a standard or hidden volume. However, although references were found and recorded, the forensic investigator would not definitively be able to attribute their location to a specific TrueCrypt volume. The attribution to TrueCrypt would only be by inference; further research is needed on this issue.

Of greatest use to a forensic investigator is the Registry location “HKEY_LOCAL_MACHINE\system\MountedDevices”. The data stored in this key could confirm that a mounted volume is indeed a TrueCrypt volume. But it does not differentiate between the standard and hidden TrueCrypt volume types.

About the authors

Andrew Davies is an information technology professional with many years’ experience in the private sector gained in Europe, southern Africa and, most recently, South-East Asia. He holds an MSc in information security (with distinction) from Royal Holloway plus numerous professional qualifications. He hopes to pursue doctoral research on TrueCrypt.

Allan Tomlinson is a senior lecturer with the ISG at Royal Holloway. He has worked on secure NICAM broadcasting for the Institute of Microelectronics at the National University of Singapore, and on the Digicipher II pay-TV system with the General Instrument Corporation in California. He was principal engineer at Barco Communications Systems, where he was responsible for developing the “Krypton” DVB video scrambler before joining the ISG. His current main research interests are trust and privacy in distributed systems security, mobile network security, and trusted computing.

Figure 6: TrueCrypt volume layout of a standard and hidden volume
