Slashdot Mirror


Forensics Tool Finds Headerless Encrypted Files

gurps_npc writes "Forensics Innovations claims to have for sale a product that detects headerless encrypted files, such as TrueCrypt Dynamic files. It does not decrypt the file, just tells you that it is in fact an encrypted file. It works by detecting hidden patterns that don't exist in a random file. It does not mention steganography, but if their claim is true, it seems that it should be capable of detecting steganographic information as well."

4 of 374 comments

  1. Yet another scam by trifish · Score: 5, Interesting

    Wow, the quality of Slashdot has really been going down lately. Now any random fraud can submit his misleading material and it gets accepted to the front page just because it sounds interesting? Is this actually tabloid or serious news for nerds who understand what they talk about?

    In short, this is yet another lame attempt to make money by posting bogus claims about a popular product.

    First, hidden volumes are the only kind of steganography that TrueCrypt offers. Second, if you read the TrueCrypt documentation, you'll learn the following about hidden volumes vs. dynamic:

    On Linux or Mac OS X, if you intend to create a hidden volume within a file-hosted TrueCrypt volume, make sure that the volume is not sparse-file-hosted (the Windows version of TrueCrypt verifies this and disallows creation of hidden volumes within sparse files).

    Furthermore, when I try to create a dynamic TrueCrypt volume, TrueCrypt displays a big warning saying that dynamic volumes are insecure. That's right. Insecure.

    So again, I demote this story as total and utter bogus motivated by the vision of commercial gain.

    1. Re:Yet another scam by gurps_npc · Score: 4, Interesting
      I am the poster. I have ZERO connection to the company mentioned. I read about it because I do computer programming for a law firm.

      The article may in fact just be an advertisement, created for commercial gain.

      But it was posted because I personally read it and was interested in it.

      --
      excitingthingstodo.blogspot.com
  2. Re:Don't worry by SerpentMage · Score: 3, Interesting

    What I think they are doing, and I think it would indicate an encrypted drive, is distribution analysis.

    If you have truly random data then there is a specific pattern. If you have deleted or unused blocks there will be a specific pattern.

    But if you have an encrypted block the distribution will not be like any of the other pieces of data. This is your indicator.

    Think of it as follows. You are driving on the highway and somebody on the highway drives the speed limit exactly, stays in the center lane, and does not switch lanes at all. Even though that would seem to be right, it is actually quite wrong and it would make police suspicious.

    --

    "You can't make a race horse of a pig"
    "No," said Samuel, "but you can make very fast pig"
  3. Re:Don't worry by FutureDomain · Score: 4, Interesting

    The company has "innovations" in its name, so their product probably won't work.

    I actually tried it with a Truecrypt volume and a random file (/dev/urandom) and it seems to work. The Truecrypt is identified as "Encrypted Data (Headerless)" and the random file is identified as "Data File (Unknown)".

    --
    Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
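
A byte-distribution test of the kind raised in the thread above, as an added example that is not part of any comment or of the vendor's product. It runs a chi-square and entropy check over four buffers; all sample data is constructed, SHA-256 in counter mode stands in for ciphertext, and the 150..400 acceptance window is an assumed cutoff.

```python
import hashlib
import math
import os
from collections import Counter

def chi_square(data: bytes) -> float:
    """Pearson chi-square of byte frequencies against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Label a buffer by byte distribution alone.

    With 255 degrees of freedom, chi-square for uniform bytes averages 255
    (standard deviation about 22.6). The 150..400 window is an assumed cutoff.
    """
    return "high-entropy" if 150 <= chi_square(data) <= 400 else "structured"

def keystream(seed: bytes, size: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

SIZE = 1 << 20  # 1 MiB per sample
SAMPLES = {  # every buffer here is constructed for this example
    "unused (zero-filled)": bytes(SIZE),
    "plain text": (b"The quick brown fox jumps over the lazy dog.\n" * 24000)[:SIZE],
    "ciphertext stand-in": keystream(b"constructed-key", SIZE),
    "os.urandom": os.urandom(SIZE),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:22} chi2={chi_square(buf):14.1f} "
              f"H={entropy(buf):.4f} -> {classify(buf)}")
```

The zero-filled and text buffers are labelled structured, while the ciphertext stand-in and the `os.urandom` buffer get the same high-entropy label from this test.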