
Royal Holloway Information Security Thesis Series | Detecting the use of TrueCrypt

Detecting the use of TrueCrypt

Clues that point a digital forensics investigator towards evidence of TrueCrypt data encryption software use

by Andrew Davies, MSc (RHUL) and Allan Tomlinson, ISG, Royal Holloway

Forensic investigations: Detecting evidence of the use of TrueCrypt

Criminals are increasingly using data encryption software to cover their tracks. Even detecting the use of encryption software can be a challenge for a digital forensics investigator. This article looks at the evidential material that can be found when TrueCrypt data encryption software has been used.

Forensic investigators conducting examinations need to be as sure as they can be that they have all the information they need to present a fair and unbiased report. If information is encrypted, redacted or not detected, the integrity of the study is compromised. Criminals are increasingly using data encryption software to ensure data confidentiality. It can be challenging just to detect whether encryption software has been used.

When use of data encryption software is suspected, digital forensic investigators will typically try to gain access to the suspect's computer while it is still powered on. Access to a powered-on computer can enable the investigator to access memory-resident material from random access memory (RAM), perhaps yielding the password used to encrypt or decrypt the data. It can also allow access to the data in an unencrypted form, or at least confirm that data encryption software is in use. So what happens if the suspect computer is found in a powered-off state? This article shows that, even in this case, there is still plenty of evidence that can be extracted to confirm whether or not data encryption software has been used.

Figure 1: TrueCrypt encrypted file container
TrueCrypt is an example of popular data encryption software and about 30 million copies have been downloaded to date. Its popularity can be attributed to it being open source, freely available and supported on a number of major operating systems. TrueCrypt can create a "volume" to store encrypted data as a single file within the disk file system, as shown in Figure 1. As shown in Figure 2, TrueCrypt can also encrypt whole regions of a hard disk, including areas that contain the operating system start-up files.

The encrypted data areas shown in Figures 1 and 2 represent TrueCrypt's normal mode of data encryption, the standard volume. In addition to the standard volume, which is often referred to as the outer volume, TrueCrypt also possesses a feature that allows users to hide the presence of an encrypted volume: the hidden volume. Worryingly for a forensic investigator, the hidden volume provides users with plausible reasons why such encrypted data could not exist.

When the data is encrypted, it is difficult for investigators to view with normal forensics tools because it does not have an obvious structure and so may go undetected. However, even though the encrypted data might not initially be detected, TrueCrypt does leave a trail of evidence that could be examined. This supporting evidence could then be used in conjunction with the relevant laws to seek access to the encrypted material in an unencrypted form.

Figure 2: TrueCrypt partition and device encryption

The evidence trail

When TrueCrypt is used on a Microsoft Windows operating system, evidence that it has been used can be found in a number of locations. The amount of evidence that can be recovered depends on which volume mode, standard or hidden, has been used to encrypt the data.
Some examples of where evidence can be found that points to TrueCrypt's use are:

- The Microsoft Windows Registry.
- The Microsoft Windows IconCache.db file.
- The hard disk's master boot record (MBR).

Windows Registry evidence

The Windows Registry is a hierarchical database represented by a number of files within the file system. It contains configuration information and settings for Windows and associated applications. It is commonly analysed as part of a host computer investigative process. The information within the Registry is categorised into sections containing root keys. Each key can contain sub-keys and various attribute data types, such as binary or string values.

The UserAssist sub-key of the Windows Explorer application contains details of applications that have previously been executed on the running Windows system. An example of the UserAssist key's location within the Registry is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The data attributes of this sub-key, which can be viewed at the given location by running RegEdit, are encoded with a Caesar cipher whose shift or rotation is 13 places. This application of the cipher is commonly called rotate-13 or ROT-13 for short. Using ROT-13, the word "TrueCrypt" is encoded as the text "GehrPelcg" and this is the search term that can be used to locate the data key within the Registry. If the data is found, it is often stored with the full directory path that references the location of the TrueCrypt application executable within the file system. The full path data is again encoded with ROT-13.
A pre-Windows 7 example of this is:

HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zl Qbphzragf\GehrPelcg7.1n\GehrPelcg.rkr

Conversion of this from ROT-13 results in the following:

UEME_RUNPATH:C:\Documents and Settings\Administrator\My Documents\TrueCrypt7.1a\TrueCrypt.exe

This confirms that the TrueCrypt application (TrueCrypt.exe) has existed on the hard disk volume C: and says where it was located at the time of being executed. Although not immediately obvious, the number of times the application has been executed can also be determined from the contents of the attribute's value data, also found in the same UserAssist sub-key. An example of the contents is the sequence of hexadecimal values "02 00 00 00 09 00 00 00 C0 B4 CC 12 97 99 CE 01". The fifth hexadecimal value, "09", represents the number of times the application has been executed. The application execution count starts from "05". Therefore, in this instance, the application has been started four times. Software applications exist that can determine the execution count automatically; one example is UserAssist.

One of the clearest indications of TrueCrypt use can be found in the Registry key "HKEY_LOCAL_MACHINE\system\MountedDevices". This Registry entry tracks the disk volumes that have been used within Windows. The values stored in the attribute called "data" at this location are the hexadecimal numbers of the corresponding ASCII character codes. Conversion of the hexadecimal numbers to the corresponding ASCII characters results in the text "TrueCryptVolume" followed by a letter that represents the drive volume letter assigned to the mounted TrueCrypt container at the time of use. An example would be "TrueCryptVolumeT", which means the TrueCrypt volume was mounted for use and, at the time, was assigned the drive volume letter "T".
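The two Registry decodings just described, the ROT-13 UserAssist entry with its execution counter and the MountedDevices "TrueCryptVolume" string, are worked through below in an added Python example. It is not code from the article or from the UserAssist tool it mentions. The sample name and value bytes are the ones quoted in the text; the interpretation of the last eight bytes of the value as a Windows FILETIME (the pre-Windows 7 UserAssist layout: session id, run counter, last-run time) is an assumption the article does not make, and so is decoding the MountedDevices data as UTF-16LE before falling back to single-byte characters.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values copied from the article: the ROT-13-encoded
# UserAssist value name and the 16-byte value data quoted in the text.
SAMPLE_USERASSIST_NAME = (
    r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zl Qbphzragf"
    r"\GehrPelcg7.1n\GehrPelcg.rkr"
)
SAMPLE_USERASSIST_DATA = bytes.fromhex("02000000 09000000 C0B4CC12 9799CE01")

# The stored run counter starts at 5, so launches = counter - 5 (as the article explains).
COUNT_BASE = 5
# FILETIME counts 100 ns ticks since 1601-01-01 (assumption: XP-format UserAssist value).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text: str) -> str:
    """ROT-13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def parse_userassist(name: str, data: bytes) -> dict:
    """Decode a pre-Windows 7 UserAssist entry.

    Assumed value layout (16 bytes, little-endian): session id (4),
    run counter (4), last-run FILETIME (8).
    """
    if len(data) != 16:
        raise ValueError("expected the 16-byte pre-Windows 7 UserAssist layout")
    session, count, filetime = struct.unpack("<IIQ", data)
    decoded = rot13(name)
    # Strip the UEME_RUNPATH: prefix to leave the executable path itself.
    executable = decoded.split(":", 1)[1] if ":" in decoded else decoded
    return {
        "name": decoded,
        "executable": executable,
        "session": session,
        "runs": max(count - COUNT_BASE, 0),
        "last_run": _FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


def truecrypt_drive_letter(value_data: bytes):
    """Return the drive letter if a MountedDevices value names a TrueCrypt volume.

    The article shows the data as character codes in hex; live systems store the
    string as UTF-16LE, so that is tried first with a single-byte fallback.
    """
    for encoding in ("utf-16-le", "latin-1"):
        try:
            text = value_data.decode(encoding).rstrip("\x00")
        except UnicodeDecodeError:
            continue
        if text.startswith("TrueCryptVolume") and len(text) == len("TrueCryptVolume") + 1:
            return text[-1]
    return None


def scan_mounted_devices(entries: dict) -> dict:
    """Map each MountedDevices value name to a drive letter where TrueCrypt was mounted."""
    found = {}
    for value_name, value_data in entries.items():
        letter = truecrypt_drive_letter(value_data)
        if letter is not None:
            found[value_name] = letter
    return found


# Constructed MountedDevices sample: one TrueCrypt mapping and one ordinary
# MBR-style entry (disk signature + partition offset) that must not match.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\T:": "TrueCryptVolumeT".encode("utf-16-le"),
    r"\DosDevices\C:": bytes.fromhex("A1B2C3D4 0000100000000000"),
}

if __name__ == "__main__":
    entry = parse_userassist(SAMPLE_USERASSIST_NAME, SAMPLE_USERASSIST_DATA)
    print(f"{entry['executable']}: run {entry['runs']} times, last on {entry['last_run']:%Y-%m-%d}")
    for value_name, letter in scan_mounted_devices(SAMPLE_MOUNTED_DEVICES).items():
        print(f"{value_name} -> TrueCrypt volume mounted as {letter}:")
```

Running the script on the article's sample bytes reports four launches of TrueCrypt.exe and a drive letter of T for the constructed MountedDevices entry; on a real hive the value bytes would come from a Registry parser rather than from the constants above.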
So the data stored in this key confirms that a TrueCrypt volume has been used on the host. What cannot be determined from this information is what type of TrueCrypt volume was used, whether a standard volume or a hidden one.

Many Windows applications retain a list of recently accessed file names to allow users to return quickly to files they were working on. This information may also be stored in the Registry. Some of the applications include the full path location to precisely identify the file in the file system, including the name assigned to a disk volume. If the disk volume is inappropriately named, for example a TrueCrypt hidden volume has been labelled "secretstuff", and this volume cannot be located, then this could add weight to the investigator's assessment that data encryption has been used.

IconCache.db

As part of the Windows graphical user interface (GUI), applications are displayed in the GUI as icons or images that represent the file's content or use. Windows caches icons on a per-user basis in a file called IconCache.db. When applications are executed, the icons, together with the owning application reference, are stored within this file. The contents can be viewed with a basic file editor capable of displaying binary files. So, if TrueCrypt has been used by a Windows user, a reference to TrueCrypt's file location and name is cached in the IconCache.db file. Unlike ASCII, the reference within this file uses a 16-bit character set. Consequently, most editors will display the text with another character between each letter, commonly using a blank space or period. This can be seen in Figure 3. Therefore, when searching for the string "TrueCrypt" with your forensic software, you need to ensure that the correct character set is used.

Figure 3: Analysis of IconCache.db
Using normal forensic file carving techniques, bitmap data representing an icon can also be extracted from IconCache.db. If TrueCrypt has been used, its icons will be cached. An example is also shown in Figure 3. Finding a match between TrueCrypt's application icons and the cached icons contained within IconCache.db would provide additional supporting evidence for the forensic investigator.

Figure 4: The TrueCrypt boot loader screen
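The two IconCache.db checks above, searching for "TrueCrypt" in the 16-bit character set the file uses and carving cached bitmaps so they can be matched against known icons, are shown together in an added Python example that is not part of the article. The sample blob is constructed to exercise the code and does not reproduce the real IconCache.db layout; the set of known icon hashes is a placeholder computed from the constructed bitmap, standing in for hashes an investigator would take from the genuine TrueCrypt icon resources.

```python
import hashlib
import struct


def find_string(blob: bytes, needle: str) -> list:
    """Return (offset, encoding) for every ASCII and UTF-16LE occurrence of needle.

    A plain ASCII search misses the 16-bit form, which is why both are tried.
    """
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        pattern = needle.encode(encoding)
        start = 0
        while (pos := blob.find(pattern, start)) != -1:
            hits.append((pos, encoding))
            start = pos + 1
    return sorted(hits)


def utf16_context(blob: bytes, offset: int) -> str:
    """Recover the whole NUL-terminated UTF-16LE string that contains offset."""
    start = offset
    while start >= 2 and blob[start - 2:start] != b"\x00\x00":
        start -= 2
    end = offset
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[start:end].decode("utf-16-le", errors="replace")


# DIB header sizes accepted when validating a carved BMP candidate.
_DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}


def carve_bitmaps(blob: bytes) -> list:
    """Carve BMP images by signature: 'BM', little-endian file size, known DIB header size."""
    carved = []
    pos = blob.find(b"BM")
    while pos != -1:
        if pos + 18 <= len(blob):
            size = struct.unpack_from("<I", blob, pos + 2)[0]
            dib = struct.unpack_from("<I", blob, pos + 14)[0]
            if 26 <= size <= len(blob) - pos and dib in _DIB_HEADER_SIZES:
                carved.append((pos, blob[pos:pos + size]))
        pos = blob.find(b"BM", pos + 1)
    return carved


def match_known_icons(blob: bytes, known_hashes: set) -> list:
    """Offsets of carved bitmaps whose SHA-256 is in the known-icon set."""
    return [off for off, data in carve_bitmaps(blob)
            if hashlib.sha256(data).hexdigest() in known_hashes]


# Constructed 1x1 24-bit BMP (14-byte file header + 40-byte info header + 4-byte row).
SAMPLE_BMP = (
    b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)
    + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    + b"\x00\x00\xff\x00"
)
# Constructed blob: a UTF-16LE TrueCrypt path, an ASCII reference to another
# program and one cached bitmap, separated by filler bytes.
SAMPLE_BLOB = (
    b"\x00" * 16
    + r"C:\Program Files\TrueCrypt\TrueCrypt.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02" + b"notepad.exe" + b"\x00" * 8
    + SAMPLE_BMP + b"\xff" * 5
)
# Placeholder: in practice, hashes of the real TrueCrypt icon resources.
KNOWN_ICON_HASHES = {hashlib.sha256(SAMPLE_BMP).hexdigest()}

if __name__ == "__main__":
    for off, enc in find_string(SAMPLE_BLOB, "TrueCrypt"):
        print(f"{off:#06x} {enc:10} {utf16_context(SAMPLE_BLOB, off) if enc != 'ascii' else ''}")
    print("carved bitmaps:", [off for off, _ in carve_bitmaps(SAMPLE_BLOB)])
    print("known-icon matches:", match_known_icons(SAMPLE_BLOB, KNOWN_ICON_HASHES))
```

On the constructed blob the ASCII search alone finds nothing for "TrueCrypt", the UTF-16LE search finds both the directory and the executable name, and the carved bitmap matches the placeholder hash set; against a real IconCache.db the blob would be the file contents and the hash set would hold the genuine icon hashes.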