I suggest reading my post about TrueCrypt and VeraCrypt (link) before reading this article; it explains the basics of the software and why it is so hard to detect.

When you create an encrypted volume using TrueCrypt or VeraCrypt, it is stored as a file (container) on your hard drive. The problem is that these files are designed to be hidden and won’t have an identifiable signature (header or footer). Therefore, unless the encrypted volume is named “MyEncryptedVolume.tc”, you won’t be able to quickly identify these files. There are some telltale signs of encrypted volumes: a single 200GB file is quite suspicious, but unless you are able to decrypt this file and access its volume, it’s nothing more than a 200GB file. If the person creating the encrypted volume knows what he or she is doing, they might want to store it along with some other large files, let’s say the level files of a computer game. Unless you know what you are looking for, you might overlook this file.

Luckily investigators have come up with several ways to identify possible encrypted volumes. The three most common things to look out for are:

The first and most common technique to find encrypted volumes is sorting all files on a system by size. Commonly an encrypted volume is a single large file stored in some random location. Finding a large 50GB file called “backup.bak” or “Archive.pst” might be a reason to suspect an encrypted volume; checking the file signature will confirm whether the pst file is actually a pst file or something else.

When creating an encrypted volume, users are asked to enter the size of the new volume. The user is offered to enter the size in GB, MB or KB. Most users take a nice round number like 200MB, which means a large file of exactly 200MB is suspicious. Both TrueCrypt and VeraCrypt create containers that are always whole blocks of 512 bytes in size. Because of this, the size of every container is divisible by 512. Here I have taken 3 random files to test the file size check on. If one of them is actually an encrypted volume created with TrueCrypt or VeraCrypt, we should be able to divide its size by 512.

578.866.554 bytes / 512 = 1.130.598,73828125

Here we see that moonraker, while its size looks rather random, is divisible by 512 and might be an encrypted volume. Using this test alone will leave you with a lot of false positives; a lot of normal files will be divisible by 512.

Since encrypted volumes seem to contain random data, they don’t have an identifiable file signature. This means that when we try to identify the file, it won’t match any known header. To try to identify what kind of files the 3 previously mentioned files are, we will use Marco Pontello’s excellent TrID tool (homepage). As you can see, TrID was unable to identify the moonraker file, adding to the suspicion that this file might be an encrypted volume.

Let’s move on to the next and final test.
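As an added example (not code from the original post), the Python script below automates the two checks described above: the 512-byte and round-size test on file sizes, and a header check that also flags a “.pst” (or other) extension whose content does not start with the matching signature. The 50 MB threshold and the small signature table are assumptions made for this example; TrID consults a far larger database.

```python
import os
SECTOR = 512
# Signature table constructed for this example; TrID consults a far larger database.
KNOWN_HEADERS = {
    b"!BDN": ("Outlook PST", {".pst", ".ost"}),
    b"PK\x03\x04": ("ZIP archive", {".zip", ".docx", ".xlsx"}),
    b"MZ": ("Windows executable", {".exe", ".dll"}),
}

def identify(head: bytes):
    """Return (type name, usual extensions) for a recognised header, else None."""
    for magic, info in KNOWN_HEADERS.items():
        if head.startswith(magic):
            return info
    return None

def triage(name: str, size: int, head: bytes) -> list:
    """Size and signature checks on one file; returns the reasons for suspicion."""
    reasons = []
    if size % SECTOR == 0:               # containers are whole 512-byte blocks
        reasons.append("size is a multiple of 512 bytes")
    if size % (1024 * 1024) == 0:        # a round number typed into the size dialog
        reasons.append("size is an exact number of MB")
    known = identify(head)
    ext = os.path.splitext(name)[1].lower()
    if known is None:                    # random data matches no signature
        reasons.append("no known file signature")
    elif ext and ext not in known[1]:    # e.g. a ".pst" that is not a PST
        reasons.append(f"header says {known[0]} but extension is {ext}")
    return reasons

def scan(root: str, min_size: int = 50 * 1024 * 1024) -> list:
    """Walk a tree and list suspicious files above min_size (assumed 50 MB), largest first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                size = os.path.getsize(path)
                if size < min_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:              # unreadable file: skip, do not abort the sweep
                continue
            reasons = triage(f, size, head)
            if reasons:
                hits.append((size, path, reasons))
    return sorted(hits, reverse=True)
```

Files that only trip the 512-byte test are the false positives the post warns about; the signature and extension-mismatch reasons are the ones worth following up first.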