Is there any full disk encryption out there that does not have any forensic traces? Any effective method?

I've been testing quite a number of full disk encryption products but am still new to computer forensics. I'm fully aware of decoy/hidden OSes and cold boot attacks, though.

Even TrueCrypt and BestCrypt leave traces in the header, bootloader or MBR. This will raise suspicion and lead to complications such as being forced to give up the password, and so on. Some people have attempted to remove or modify the traces but ended up with a damaged encrypted partition/volume.

Is there any effective method?

How did FBI know the suspects using Truecrypt?

Modify TrueCrypt Encryption Boot Loader Strings

desperado

Posted 2011-03-22T00:43:51.540

Reputation: 37

Related. – Hello71 – 2011-03-22T01:22:30.197

Also related. – Hello71 – 2011-03-22T01:49:58.460

Answers

4

http://www.truecrypt.org/docs/?s=plausible-deniability

Until decrypted, a TrueCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it should be impossible to prove that a partition or a device is a TrueCrypt volume or that it has been encrypted (provided that the security requirements and precautions listed in the chapter Security Requirements and Precautions are followed).

When formatting a hard disk partition as a TrueCrypt volume (or encrypting a partition in place), the partition table (including the partition type) is never modified (no TrueCrypt "signature" or "ID" is written to the partition table).

There are methods to find files or devices containing random data (such as TrueCrypt volumes). Note, however, that this should not affect plausible deniability in any way. The adversary still should not be able to prove that the partition/device is a TrueCrypt volume or that the file, partition, or device, contains a hidden TrueCrypt volume (provided that you follow the security requirements and precautions listed in the chapter Security Requirements and Precautions and in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes).

Other than inventing an invisible hard drive, this is as good as it gets.

Moab

Reputation: 54 203

Agreed. One could embed an encrypted partition within a TrueCrypt partition, thereby having a "spoof" external partition with fake data to throw off any forensic analysis. – None – 2011-03-22T00:57:47.373

No offense intended here, I'm a TrueCrypt fan too. I'd like to bring up some articles regarding my queries:

How did FBI know the suspects were using Truecrypt? http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/?intcmp=ros-md-acc-p-nws

Modify TrueCrypt Encryption Boot Loader Strings http://www.anti-forensics.com/modify-truecrypt-encryption-boot-loader-strings

– desperado – 2011-03-22T01:03:57.710

Doesn't the fact that it asks you for a password when booting from a Truecrypt-encrypted hard drive kinda make it obvious that one is using disk encryption? – emgee – 2011-03-22T01:17:02.940

+1 for the invisible hard drive. Of course, we all know security through obscurity is a poor idea... – skub – 2011-03-22T01:19:15.433

@emgee: I believe that can be changed. – Hello71 – 2011-03-22T01:20:38.827

@Moab: That only applies to individually encrypted files or partitions. The TrueCrypt bootloader still contains a signature that can be detected. – Hello71 – 2011-03-22T01:22:13.643

@Hello71, then go with the invisible hard drive. ;-> Granted Truecrypt makes no mention of the modified bootloader. – Moab – 2011-03-22T01:38:08.990

@desperado, that is because the FBI did not waterboard the Brazilian Banker. ;-> – Moab – 2011-03-22T01:44:02.190

emgee, with Truecrypt or Bestcrypt we can modify the pre-boot message to anything like "Missing operating system" or even blank. – desperado – 2011-03-22T01:51:03.183

0

If you are talking about an external hard drive containing a TrueCrypt volume, then, as cited in Moab's answer, this shouldn't be distinguishable from a drive containing an unformatted partition. Forensics would basically only know "it looks random, so there is a real-world chance of XX percent that it is encrypted" ;-). I'd personally assume that XX>80.

However, if you want a full computer system to be bootable and encrypted, there is no way this could be completely untraceable, since it needs to contain the code implementing the decryption algorithm somewhere in unencrypted form; so if the attacker disassembles the boot loader and whatever code it calls, he/she will inevitably find out whether any encryption is being used!

An exception would be if you had your decoy system installed with a normal boot loader and only accessed your TrueCrypt system using the Rescue Disk, which contains the TrueCrypt Boot Loader. Of course you must not let the attacker find out that you own a TrueCrypt Rescue Disk, so you have only moved your problem to a smaller, possibly more easily hidden storage device. If you want to go one step further, you re-download TrueCrypt every time you need it, create a Rescue Disk for booting, and then erase it and all its traces afterwards ;-).

Jonas Heidelberg

Reputation: 1 652
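The two kinds of trace discussed in both answers above (the identifying strings in the pre-boot loader that Hello71 and the anti-forensics link talk about, and the "it looks random" signal on the volume itself that Moab's quote and Jonas's answer describe) can be checked mechanically. The script below is an added example, not code from the original question, from TrueCrypt, or from any forensic tool. It builds a small disk image inline (a boot sector, 16 KiB of plaintext, 16 KiB of deterministic pseudo-random filler standing in for ciphertext; all constructed data) and runs three checks on it: a string search in sector 0, a read of the MBR partition-type bytes, and a per-block Shannon entropy scan. The loader strings used are an assumption (what a stock TrueCrypt pre-boot screen prints); the page itself only says the loader carries strings that can be modified.

```python
"""Heuristic scan of a raw disk image for traces of full-disk encryption.

Added example; the image is constructed inline and no real TrueCrypt
volume is involved.  Checks:
  1. identifying strings in the boot sector (the boot-loader trace);
  2. MBR partition-type bytes (which TrueCrypt leaves unchanged);
  3. per-block Shannon entropy of the rest of the disk (the "looks random" trace).
"""
import hashlib
import math
from collections import Counter

SECTOR = 512
BLOCK = 4096            # analysis window: 8 sectors
RANDOM_THRESHOLD = 7.9  # bits/byte; uniform random 4 KiB averages about 7.95

# Assumption: strings printed by the stock TrueCrypt pre-boot screen.
# Not taken from the page, which only says the loader strings are modifiable.
LOADER_STRINGS = (b"TrueCrypt Boot Loader", b"Enter password:")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for an encrypted region (SHA-256 in counter mode)."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(chunks)[:length]


def build_image(strip_strings: bool = False) -> bytes:
    """Constructed image: boot sector + 16 KiB plaintext + 16 KiB 'ciphertext'."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"           # a jump, as real boot code starts with
    if not strip_strings:                  # strip_strings models the anti-forensics trick
        boot[64:64 + len(LOADER_STRINGS[0])] = LOADER_STRINGS[0]
        boot[96:96 + len(LOADER_STRINGS[1])] = LOADER_STRINGS[1]
    # One MBR partition entry at offset 446: bootable flag, CHS start (zeroed),
    # type 0x07 (NTFS), CHS end (zeroed), LBA start 1, LBA length 63.
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (1).to_bytes(4, "little") + (63).to_bytes(4, "little"))
    boot[446:462] = entry
    boot[510:512] = b"\x55\xaa"            # boot signature
    plaintext = (b"The quick brown fox jumps over the lazy dog. " * 400)[:16 * 1024]
    ciphertext = pseudo_ciphertext(b"constructed-demo-seed", 16 * 1024)
    return bytes(boot) + plaintext + ciphertext


def boot_sector_strings(image: bytes) -> list[str]:
    """Loader strings present in sector 0; empty if they were blanked or patched."""
    sector0 = image[:SECTOR]
    return [s.decode() for s in LOADER_STRINGS if s in sector0]


def partition_types(image: bytes) -> list[int]:
    """Type byte of each populated MBR partition entry (offset 4 of each 16-byte entry)."""
    table = image[446:510]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    return [e[4] for e in entries if any(e)]


def random_looking_ranges(image: bytes, block: int = BLOCK,
                          threshold: float = RANDOM_THRESHOLD) -> list[tuple[int, int]]:
    """Merged [start, end) byte ranges whose entropy meets the threshold; sector 0 is skipped."""
    ranges: list[tuple[int, int]] = []
    for off in range(SECTOR, len(image), block):
        if shannon_entropy(image[off:off + block]) >= threshold:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], off + block)   # extend the current run
            else:
                ranges.append((off, off + block))
    return ranges


if __name__ == "__main__":
    for stripped in (False, True):
        img = build_image(strip_strings=stripped)
        print("loader strings stripped:", stripped)
        print("  strings in sector 0 :", boot_sector_strings(img))
        print("  partition types     :", [hex(t) for t in partition_types(img)])
        print("  random-looking bytes:", random_looking_ranges(img))
```

Run with the strings in place, the first check finds "TrueCrypt Boot Loader" and "Enter password:"; with `strip_strings=True` it finds nothing, which is exactly what the boot-loader-string patch in the linked article buys you and no more: the entropy scan still flags the 16 KiB of filler at offsets 16896 to 33280, while the plaintext blocks sit around 4.8 bits/byte and the partition type still reads as an ordinary 0x07. High entropy by itself is the "XX percent" suspicion Jonas describes rather than proof, since compressed archives, media files and wiped drives look the same to this check; that is the whole argument of the plausible-deniability quote in Moab's answer.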