TrueCrypt-encrypted files cannot be cracked. Therefore, when investigating and collecting evidence, consider the following methods:

4.1 Analyze and check whether TrueCrypt-encrypted files exist.

(A) Files encrypted by TrueCrypt have no fixed signature. If the encryptor saves such files as files in common formats, analyze file signatures with software such as EnCase, WinHex, and Forensic Master, single out the files whose content does not match their apparent format, and check whether those files are encrypted.

(B) Search the software installed on the system, including historical installation records, and check whether there are traces of a TrueCrypt installation.

(C) Search for large files. An encrypted container usually stores multiple files, so a large file is the more likely candidate, but this does not rule out the possibility that especially important files were encrypted separately.

4.2 TrueCrypt can be set up for double-layer encryption, that is, a hidden encrypted volume is "nested" inside an ordinary encrypted volume. When a user is forced to decrypt the encrypted volume, the user can decrypt the ordinary encrypted volume and reveal some irrelevant information, while the truly protected information stays in the hidden volume and the data remains protected. [Figure: the encrypted volume loading process.] In this case, first consider whether the password of the hidden volume can be obtained. If not, back up the data and then use the useless-data filling method to overwrite the free space of the ordinary volume; this can damage the data concealed in the ordinary volume, so that the encryptor can no longer restore the hidden data.

4.3 TrueCrypt performs data operations in memory (RAM). Therefore, passwords, master keys, and unencrypted data may be held in the computer's memory.
The latest research results show that even after the computer is shut down, the data held in memory, including the keys and passwords of encryption programs, can persist for up to several minutes, and freezing the computer's memory chips extends the time the temporary data is retained. Phil Teng, a computer security expert from Princeton University who leads the research team, explained that as long as the chips are frozen with liquid nitrogen (-196 degrees Celsius), the data can remain in memory for at least several hours even after the power supply has been interrupted. The chips are then installed back into a computer to read the information in them.

4.4 Install or use a spyware or monitoring program on the user's machine and have it run automatically at startup. Use a keyboard-logging hook to record the password entered when the TrueCrypt volume is loaded. In addition, policy and social engineering methods (such as obtaining passwords from other accounts, or other information from which the passwords of encrypted files can be analyzed) can also be used to obtain passwords and to check whether the password of the hidden volume can be obtained.

5. Summary

TrueCrypt is world-renowned open-source encryption software. It has the advantages of security, ease of use, and powerful functions, and is also suitable for encrypting removable storage devices. As its use spreads in China, it is increasingly difficult to obtain evidence from computer data encrypted with the software. Therefore, it is necessary to strengthen research in this area and summarize the patterns to improve the efficiency of evidence collection.
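The file-level triage described in section 4.1, items (A) and (C), can be scripted as below. This is an added example, not part of the original article or of any tool it names. The 1 MiB size floor, the 512-byte alignment check, the entropy threshold and the short signature list are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Assumed heuristic thresholds (not from the article); tune them per case.
MIN_SIZE = 1024 * 1024   # "large file" floor: 1 MiB
MIN_ENTROPY = 7.9        # bits per byte; ciphertext sits close to 8.0
SAMPLE = 64 * 1024       # bytes sampled from the start of each file
# A few common signatures only; casework needs a full signature database.
MAGICS = (b"PK\x03\x04", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"MZ",
          b"\x1f\x8b", b"Rar!", b"7z\xbc\xaf", b"GIF8", b"\x7fELF")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def triage(path: str) -> dict:
    """Score one file against the container heuristics (read-only)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    result = {
        "path": path, "size": size,
        "known_signature": head.startswith(MAGICS),   # (A) signature match
        "sector_aligned": size % 512 == 0,            # assumed container trait
        "entropy": round(shannon_entropy(head), 3),   # (A) looks encrypted?
    }
    result["candidate"] = (size >= MIN_SIZE                 # (C) large file
                           and result["sector_aligned"]
                           and not result["known_signature"]
                           and result["entropy"] >= MIN_ENTROPY)
    return result

def scan(root: str) -> list:
    """Walk root and return triage results for candidate files only."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                r = triage(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if r["candidate"]:
                hits.append(r)
    return hits
```

Run `scan()` against a read-only mount of the evidence image. Compressed or media files whose signature is not in the list are also flagged, so each hit is a lead for examination and not proof of encryption.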