Forensics and security teams often encounter TrueCrypt (TC) containers during a security investigation. These are notoriously difficult to identify and to access. TrueCrypt is just one of many freely available advanced encryption systems obtainable from the internet that can be used to conceal data making it inaccessible to anyone other than the password/key holder.
With TC development ceasing in 2014 and its integrity verified in 2015, nefarious uses of the system are still carried out due to the confidence provided by there being no new adaptations and so no risk of implemented backdoors. As documents leaked by Snowden showed in 2013 [1], intelligence agencies were unable to access TC containers further bolstering its reputation [2, 3].
With no backdoors to TCs, smuggling data, malicious programs eluding detection or plausibly denying malicious activities (through hidden encryption files) are still being employed by criminals, confident that, if detected, their activities will be inaccessible.
TCrunch has been developed at the University of Greenwich to detect and access TC containers. It comprises a detection system (client application), a control server and attack application. The client application is a fully functional TC detection system, optimised through threading and file fragmentation. It employs a byte distribution analysis, chi square test and Monte Carlo pi test in a cascading method.
By employing file fragmentation in the detection system the process is further optimised. All files are passed through an initial scan which processes only a small file fragment of a suspect file. If the initial test is successful, a larger fragment is extracted and an in-depth scan is conducted with a far more stringent success threshold.
These two tests are run in separate threads with a new thread per directory for the initial scan and for the in-depth scan, due to its increased resource requirements. These two tests run in separate threads with a new thread per directory for the initial scan and the in-depth scan, due to its increased resource requirements.
Testing TCrunch was carried out using three different computers, ranging from high performance to relatively low performance. The performance of TCrunch was also compared to two commercially available programmes, TChunt [4] and FIT [5].
Detecting
To test TCrunch eighteen varying sized TC containers were created using different encryption methods. To simulate a typical scenario a number of random files were also created. These included a number of different sized containers using various encryptions, general system files, image files, video files and document files representing commonly encountered data.
Encrypted folders were also created using 7zip and AxCrypt to test the system’s capacity to distinguish between different encryption systems. Finally, a number of random data files were added in order to further test the system’s ability to distinguish between encrypted and random data files, which is a known issue in encryption detection. This dataset comprised two hundred and fifty nine files. Each test was repeated five times and the average time was recorded, see Table 1.
Specificity to sensitivity was determined using the number of TC containers correctly identified against those ignored or other file types incorrectly identified (false positives and false negatives). TCrunch and FIT systems demonstrated consistent scan durations. The time taken by TCrunch is due to it employing a cascading analytical system.
Similarly the FIT system was developed to determine all the file types in a target directory (rather than only one type of file). TChunt is consistently low at under one second, but this may be due in part to the limited number of analytical techniques employed. Therefore, the more features employed with regards to identification, the greater the scan duration, which is a trade-off between accuracy and the processing time.
| High spec Machine | Medium spec Machine | Low spec Machine | |
|---|---|---|---|
| TCrunch | 16.55 | 16.52 | 176.54 |
| TChunt | 0.182 | 0.136 | 0.918 |
| FIT | 19.552 | 20.816 | 296.336 |
Table 1 - Average Time take (in seconds)
The number of false negatives (FN), false positives (FP), true positives (TP) and true negatives (TN) was recorded against the known contents of the data, see Table 2. This was then used to calculate the specificity and sensitivity of each detector.
| Accuracy | TCrunch | TChunt | FIT |
|---|---|---|---|
| False negatives | 1 | 12 | 14 |
| False positives | 6 | 10 | 2 |
| True positives | 17 | 6 | 4 |
| True negatives | 235 | 231 | 239 |
Table 2 - Accuracy Testing
Sensitivity measures the probability that the programme will correctly identify a file as being a TC container. Specificity measures the probability of correctly identifying files that are not TC containers. In order to calculate these values the following formula were used.
| TP TP + FN |
Formula 1 - Sensitivity |
| TN FP + TN |
Formula 2 - Specificity |
The results in Table 3 clearly show that the specificity is consistent for all three, whereas the sensitivity greatly varies. During the test, both TChunt and FIT omitted a number of small TC containers which were identified by the TCrunch system.
| TCrunch | TChunt | FIT | |
|---|---|---|---|
| Sensitivity | 92.31 | 33.00 | 22.22 |
| Specificity | 97.56 | 95.85 | 99.17 |
Table 3 - Sensitive and Specificity Results
TCrunch was able to process the dataset to distinguish between TC containers, other non-TrueCrypt encrypted files and random data files with a sensitivity rating of 92.31 per cent and specificity of 97.69 per cent. Overall the results demonstrate that TCrunch outperformed TChunt and FIT, with better accuracy and the highest probability of correctly identifying TC containers, while only being marginally less effective than the FIT system in identifying non TC containers.
Cracking containers
To open the TC container, TCrunch employs a heterogeneous distributed system with dynamic node addition/removal capabilities. Once identified, a file fragment is extracted, including the encryption header which is then transmitted to the control server. This server then distributes the fragment to all attack nodes, which conduct a brute force or dictionary attack. Using the previous machines the times per attempt ranged from 2.12 to 23.07 seconds.
Due to the distributed nature of TCrunch, the higher spec machines had a throughput per minute of 357 passwords. With the capacity for dynamic addition and removal of nodes without loss of progress, the system allows greater flexibility of available resources without having to dedicate specific machines.
An all in one solution
TCrunch has been designed so that minimal technical knowledge is needed to execute and deploy it. Once configured, a simple GUI provides all available feature controls as well as email notification for attack results.
TCrunch’s superior accuracy means greater assurance on discovery of encrypted containers by security/forensics teams in analysed data and transmissions. This aids the prevention of actions such as malicious programmes (malware) infiltration or valuable data exfiltration in the case of a malicious insider.
Due to container sizes varying greatly their use to disguise documents or programs would be simple and would not necessarily trigger standard defences or be detected by existing TC detection systems. However, TCrunch provides great accuracy for containers of all sizes, as well as a method of accessing the contents, providing an all-in-one solution to the TC issue.
