<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: TrueCrypt Volumes Still Undetectable</title>
	<atom:link href="http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/</link>
	<description>An inchoate upside-down perspective</description>
	<lastBuildDate>Wed, 28 Jul 2010 00:34:01 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: LogicWatcher</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-19138</link>
		<dc:creator>LogicWatcher</dc:creator>
		<pubDate>Sun, 18 Jul 2010 04:42:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-19138</guid>
		<description>Excellent post; I&#039;ve followed the company&#039;s marketing, and the illogic behind it is almost startling. They repeatedly make the same obvious mistake in failing to limit with proper caution the claims that their software makes about random data and pseudorandom data that passes chi-square tests.  The claims they&#039;re making are irresponsible and, essentially, just wrong; they would be useful in practice only to an investigator who understood enough to know why the defense of this product&#039;s claims is logically incorrect.</description>
		<content:encoded><![CDATA[<p>Excellent post; I&#8217;ve followed the company&#8217;s marketing, and the illogic behind it is almost startling. They repeatedly make the same obvious mistake in failing to limit with proper caution the claims that their software makes about random data and pseudorandom data that passes chi-square tests.  The claims they&#8217;re making are irresponsible and, essentially, just wrong; they would be useful in practice only to an investigator who understood enough to know why the defense of this product&#8217;s claims is logically incorrect.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PodeCoet</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-16459</link>
		<dc:creator>PodeCoet</dc:creator>
		<pubDate>Thu, 03 Jun 2010 04:14:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-16459</guid>
		<description>Fantastic post!</description>
		<content:encoded><![CDATA[<p>Fantastic post!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Azu</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-6747</link>
		<dc:creator>Azu</dc:creator>
		<pubDate>Thu, 31 Dec 2009 17:20:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-6747</guid>
		<description>I don&#039;t usually respond to random blogs but... my god, Rob, are you actually trying to say that such a &quot;detection&quot; is &quot;proof&quot; that the owner of that computer wants to keep something private (which is a criminal offense)? Do you know what happened to another company that made an equally retarded assumption? It was called EvenBalance, and they made a program called PunkBuster and whenever it found a certain pattern in any files on somebody&#039;s computer they considered it &quot;proof&quot; that they were &quot;cheating&quot;, and soon after people started spamming this pattern everywhere (in their avatars on forums, in text in IRC channels, etc) and thus everyone was flagged as a &quot;cheater&quot;.

The difference is, of course, that the severity of temporarily being unable to play a video game online is nothing in comparison to being convicted as having committed a criminal offense. So PLEASE tell me you were being sarcastic or something!</description>
		<content:encoded><![CDATA[<p>I don&#8217;t usually respond to random blogs but&#8230; my god, Rob, are you actually trying to say that such a &#8220;detection&#8221; is &#8220;proof&#8221; that the owner of that computer wants to keep something private (which is a criminal offense)? Do you know what happened to another company that made an equally retarded assumption? It was called EvenBalance, and they made a program called PunkBuster and whenever it found a certain pattern in any files on somebody&#8217;s computer they considered it &#8220;proof&#8221; that they were &#8220;cheating&#8221;, and soon after people started spamming this pattern everywhere (in their avatars on forums, in text in IRC channels, etc) and thus everyone was flagged as a &#8220;cheater&#8221;.</p>
<p>The difference is, of course, that the severity of temporarily being unable to play a video game online is nothing in comparison to being convicted as having committed a criminal offense. So PLEASE tell me you were being sarcastic or something!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Wampiryczny blog</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-2235</link>
		<dc:creator>Wampiryczny blog</dc:creator>
		<pubDate>Wed, 02 Sep 2009 05:21:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-2235</guid>
		<description>&lt;strong&gt;In search of a TrueCrypt container...&lt;/strong&gt;

Files containing data encrypted with TrueCrypt (that is, effectively a container/volume) are, as a rule, indistinguishable from random data. Reports along the lines of "TrueCrypt is now Detectable" are not entirely accurate: TrueCrypt Volumes Still Undetectab...</description>
		<content:encoded><![CDATA[<p><strong>In search of a TrueCrypt container&#8230;</strong></p>
<p>Files containing data encrypted with TrueCrypt (that is, effectively a container/volume) are, as a rule, indistinguishable from random data. Reports along the lines of &#8220;TrueCrypt is now Detectable&#8221; are not entirely accurate: TrueCrypt Volumes Still Undetectab&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Allan Doensen</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-101</link>
		<dc:creator>Allan Doensen</dc:creator>
		<pubDate>Fri, 22 May 2009 05:22:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-101</guid>
		<description>I study forex movements (currency markets). The tick data from forex exchanges is used in live trading by &#039;day traders&#039;. Just 4 years worth of data on the USD Vs YEN cross is over 8Gb in size - so it does look like a TrueCrypt volume. The data is statistically random. People trading stocks and bonds often have similar data. My testing of this tool on my forex data detects it as a TrueCrypt volume - and it is not. 

So Mr Rob Zirnstein, do you care to back up your claim above? I will bet you $10,000 USD that your tool will incorrectly identify my forex data as a TrueCrypt volume. Care for a real challenge?</description>
		<content:encoded><![CDATA[<p>I study forex movements (currency markets). The tick data from forex exchanges is used in live trading by &#8216;day traders&#8217;. Just 4 years worth of data on the USD Vs YEN cross is over 8Gb in size &#8211; so it does look like a TrueCrypt volume. The data is statistically random. People trading stocks and bonds often have similar data. My testing of this tool on my forex data detects it as a TrueCrypt volume &#8211; and it is not. </p>
<p>So Mr Rob Zirnstein, do you care to back up your claim above? I will bet you $10,000 USD that your tool will incorrectly identify my forex data as a TrueCrypt volume. Care for a real challenge?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-33</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Sat, 02 May 2009 16:00:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-33</guid>
		<description>@Rob Zirnstein: I think the confusion about FI TOOLS stems from the imprecision in describing what it is that the tool does. You say that it detects headerless encrypted data. &lt;strong&gt;What the tool actually does is flag files containing seemingly random data.&lt;/strong&gt;

Headerless encrypted data files are only one example of seemingly random data. It may be that they’re the most common example in the real world. If that’s the case, then a tool identifying such data may be a useful starting point for investigation.

However, since the tool cannot distinguish between pseudo-random data and headerless encrypted data, a court cannot rely on its identification of files as headerless encrypted data files. What would happen if a court ordered a person to produce an encryption key to what was, in fact, a large file filled with pseudo-random data, such as a file used to securely wipe free space?

Wiping free space may be an anti-forensic use of such data, but that doesn’t change the fact that a file used for such a purpose contains no useful data itself and no key can be produced for it. That’s an important distinction for a court.

At best, the tool could inform a court that a file contains seemingly random data. The court could then draw inferences about what that means, perhaps with the help of expert witnesses who might testify that it could be headerless encrypted data or that it could be a file used to wipe free space or that it could be something else.</description>
		<content:encoded><![CDATA[<p>@Rob Zirnstein: I think the confusion about FI TOOLS stems from the imprecision in describing what it is that the tool does. You say that it detects headerless encrypted data. <strong>What the tool actually does is flag files containing seemingly random data.</strong></p>
<p>Headerless encrypted data files are only one example of seemingly random data. It may be that they’re the most common example in the real world. If that’s the case, then a tool identifying such data may be a useful starting point for investigation.</p>
<p>However, since the tool cannot distinguish between pseudo-random data and headerless encrypted data, a court cannot rely on its identification of files as headerless encrypted data files. What would happen if a court ordered a person to produce an encryption key to what was, in fact, a large file filled with pseudo-random data, such as a file used to securely wipe free space?</p>
<p>Wiping free space may be an anti-forensic use of such data, but that doesn’t change the fact that a file used for such a purpose contains no useful data itself and no key can be produced for it. That’s an important distinction for a court.</p>
<p>At best, the tool could inform a court that a file contains seemingly random data. The court could then draw inferences about what that means, perhaps with the help of expert witnesses who might testify that it could be headerless encrypted data or that it could be a file used to wipe free space or that it could be something else.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rob Zirnstein</title>
		<link>http://www.orzeszek.org/blog/2009/05/01/truecrypt-volumes-still-undetectable/comment-page-1/#comment-31</link>
		<dc:creator>Rob Zirnstein</dc:creator>
		<pubDate>Fri, 01 May 2009 14:56:23 +0000</pubDate>
		<guid isPermaLink="false">http://www.orzeszek.org/blog/?p=576#comment-31</guid>
		<description>Theory: Headerless encrypted data (using a good cipher) cannot be detected as being encrypted data.

Fact: The headerless encrypted file (random-3.dat) was correctly identified as being encrypted by FI TOOLS.
Fact: To date no one has been able to find a data file from a &quot;real world&quot; application (one that typical users might use) that is incorrectly identified as being encrypted by FI TOOLS.
Fact: To date, all independent testers have reported that every TrueCrypt encrypted file has been identified correctly.  We are only claiming 90% accuracy, but that is 100% so far.
Fact: People with intent to trick a Computer Forensics tool are able to create a random data file that can be identified incorrectly.
Fact: I can create a fake data file that tricks detection tools into thinking it is a Windows Bitmap.  That doesn&#039;t prove that their tool fails to identify Windows Bitmaps.  It only proves that I can practice anti-forensics and interfere with an investigation or audit.

Challenge: Someone find an application, with no anti-forensic purpose, that is used by regular consumers and creates files that get identified as Headerless Encrypted Data by FI TOOLS.  Then tell us how to reproduce your test results with that application.

If you can&#039;t find such an application, then FI TOOLS accurately identifies headerless encrypted data in the real world.  That would mean that if an investigator found files that created false positives from encrypted data, they can assume that the owner may be trying to hide encrypted data and is using anti-forensic means to do that.  Courts don&#039;t like it when people hold back data pertinent to a case.

Rob Zirnstein
President
Forensic Innovations, Inc.
www.ForensicInnovations.com</description>
		<content:encoded><![CDATA[<p>Theory: Headerless encrypted data (using a good cipher) cannot be detected as being encrypted data.</p>
<p>Fact: The headerless encrypted file (random-3.dat) was correctly identified as being encrypted by FI TOOLS.<br />
Fact: To date no one has been able to find a data file from a &#8220;real world&#8221; application (one that typical users might use) that is incorrectly identified as being encrypted by FI TOOLS.<br />
Fact: To date, all independent testers have reported that every TrueCrypt encrypted file has been identified correctly.  We are only claiming 90% accuracy, but that is 100% so far.<br />
Fact: People with intent to trick a Computer Forensics tool are able to create a random data file that can be identified incorrectly.<br />
Fact: I can create a fake data file that tricks detection tools into thinking it is a Windows Bitmap.  That doesn&#8217;t prove that their tool fails to identify Windows Bitmaps.  It only proves that I can practice anti-forensics and interfere with an investigation or audit.</p>
<p>Challenge: Someone find an application, with no anti-forensic purpose, that is used by regular consumers and creates files that get identified as Headerless Encrypted Data by FI TOOLS.  Then tell us how to reproduce your test results with that application.</p>
<p>If you can&#8217;t find such an application, then FI TOOLS accurately identifies headerless encrypted data in the real world.  That would mean that if an investigator found files that created false positives from encrypted data, they can assume that the owner may be trying to hide encrypted data and is using anti-forensic means to do that.  Courts don&#8217;t like it when people hold back data pertinent to a case.</p>
<p>Rob Zirnstein<br />
President<br />
Forensic Innovations, Inc.<br />
<a href="http://www.ForensicInnovations.com" rel="nofollow">http://www.ForensicInnovations.com</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
