International Journal of Research

People are increasingly using data encryption software to ensure data confidentiality. One application which facilitates data encryption is the freely available and open-source software named TrueCrypt. Merely detecting encrypted data can be challenging for the digital forensic investigator as its content appears random when viewed. TrueCrypt magnitudes this difficulty by implementing two features, a hidden volume and a hidden operating system. When these features are used not only does the software provide data confidentiality through encryption, it lets people deny that data exists and this is often difficult for the forensic investigator to disprove.

Where use of data encryption is suspected, forensic investigators will typically try to gain access to the suspect’s computer whilst it is powered on. In its powered on state, recovery from memory of password and key material may be possible or it could allow direct access to the data in a decrypted state. In this thesis, a security analysis of TrueCrypt, we examine a worst case scenario. In the scenario the forensic investigator only has access to the suspect computer’s hard disk after the machine had been switched off for a considerable length of time and thus a memory capture or access to the data in a decrypted state was not possible. This research paper begins by evaluating existing statistical tests for their suitability in differentiating the encrypted TrueCrypt data from other non-encrypted data. A process model is defined which could be used by the forensic investigator to identify the encrypted data solely by analysis of the suspect hard disk’s raw byte data content. The process model is applied to the problem of detecting a hidden volume or hidden operating system. In application and verification of the process model this thesis establishes a revised volume layout of the actual TrueCrypt volume, but ultimately the hidden volume and hidden operating system remained undetectable. Using existing forensic investigation techniques, this thesis examines the leaking of information which could aid the forensic investigator in establishing use of TrueCrypt to further strengthen the case against the suspect. Finally, I conclude that detection of the hidden volume and hidden operating system solely from analysis of the suspect computer’s hard disk is still problematic for the forensic investigator.