Author Topic: Help/Advice with TrueCrypt (and free space wiping)?  (Read 7789 times)
wreckedcarzz
« on: June 14, 2009, 12:28:19 AM »

Okay, I'm going to try and explain this in the least confusing way that I can and see if someone can provide me with some guidance, as this is my first attempt at really locking down data and utilizing a form of encryption for important use (not experimentation).

I have a FAT32 formatted 16GB flash drive that I carry around with me everywhere. Over the last couple of months I've saved some important data onto it that I can't have anyone unauthorized getting to. I'm looking for advice as to what I can do in addition to what I am doing now, and what precautions I should take. Basically, if anyone were to get hold of my flash drive at this point, it would not be very difficult (although not exactly easy, either) to get access to ~75 passwords, data files, personal info and other stuff I have stored away on it.

What I have done so far:

  • Downloaded TrueCrypt and extracted it via the installer, then fired up the Traveler Disk Setup and plopped TC into my PortableApps directory, allowing me to run it easily from Geek.menu or the PortableApps Launcher.
  • Started it up and created a hidden volume (invisible, encrypted volume inside a volume) with the external ("decoy") volume size being 2.5GB, FAT (10 char alpha password and AES-Twofish-Serpent encryption and the Whirlpool hash algorithm).
  • Created the internal/hidden volume, using a 22 character alpha-numeric password, at a size of 2.0GB with the same AES-Twofish-Serpent/Whirlpool setup.
  • Moved the sensitive data to the hidden volume with TeraCopy

What I need to do/know:

  • I need to wipe the "real" drive's free space contents beyond recovery (as well as my C:\ drive); I plan on using Eraser to do that, however it is a flash drive and I don't want to wear the read/write cycles out too quickly - what deletion technique is most effective, and how many times should it be run (for a flash drive, and a regular hard drive)? I have read that a single, all-zero free space pass proves to be unrecoverable, but I need to ensure that this data can not be recovered and read from the "real" drive.
  • Also, can tools like Eraser and Defraggler/<your defragment tool of choice here> work on TC volumes, or will those possibly corrupt/cripple the volume?
  • And a final, and very important question, how can I make sure that the TC volume (and the program itself) cannot be deleted under any circumstances (ignoring formatting, unless that can be blocked, too?) unless the command comes from my user account on my home computer? I would assume it would be permissions-based, but I don't know how that would work on other computers... suggestions?

For those of you wondering why I do not simply encrypt the whole drive and be done with it, it is because that would deny me access to the contents of the drive when I am on a machine with Limited/Standard user privileges (ex: school) and that would defeat a large purpose of the drive (as well as TC being on the drive in question... kind of like locking your keys in your car, except your car has a briefcase of papers that you need really badly, sitting on the back seat taunting you).


Guidance, anyone? Anything I can change, do better, modify? I'm open to anything that will help.

New website! With a fancy domain name and everything! *gasp*
http://www.wreckedcarzz.com/
wr975
« Reply #1 on: June 14, 2009, 05:30:09 AM »

> I have read that a single, all-zero free space pass proves to be unrecoverable, but I need to ensure that this data can not be recovered and read from the "real" drive.

According to this study a plain format (writing zeros, one pass) makes it impossible to recover any data.

http://www.h-online.com/n...write-will-do-it--/112432

You can use File Scavenger (http://www.quetek.com/prod02.htm) to make sure your data is unrecoverable.

f0dder
« Reply #2 on: June 14, 2009, 10:28:25 AM »

Yeah, don't bother with the silly "military grade" wiping, a simple single pass of zeroes will be fine.

Also, why the chained encryption algorithm? There's not much point in using anything besides AES.

- carpe noctem
Innuendo
« Reply #3 on: June 14, 2009, 12:34:23 PM »

Modern-day forensic data recovery software is making remarkable strides in being able to recover data on drives that have been wiped. However, if you come across someone with such software and they have a keen interest in what is on your encrypted volume you will have far larger worries than worrying about someone checking out your passwords.

As long as you are not doing anything illegal you should be fine with a standard wipe. I recommend using DBAN (Darik's Boot And Nuke).

wreckedcarzz
« Reply #4 on: June 14, 2009, 03:43:37 PM »

Okay, I'll go with a simple one-pass, all-zero wipe on the free space for both drives. I don't need to completely wipe all the data (DBAN), but I might make a backup of the data and do it anyways. Not sure yet. Nothing illegal (I'm not storing like a GB of torrents or something, but I know some that do) or anything that would cause legal issues; just taxes, (almost all of my+parents+computer) passwords, important data files, etc. Stuff that has the potential to wreck the family's online, and offline, assets. Hence the reason I'm trying to be as thorough as possible.

@f0dder: I did the multiple-algorithm setup because it appeared to be the most "secure" of the options, providing what (if I read correctly) appears to be 3 layers of 512-bit cryptic security. But I could be completely off on that- this is new ground for me (haven't tinkered with encryption for the last 5 years or so).

40hz
« Reply #5 on: June 14, 2009, 03:51:33 PM »

- A single-pass zero-overwrite will be more than sufficient for wiping anything other than nuclear weapon authorization codes.

- DBAN is probably the easiest and most effective full drive nuke utility. I'd go with the "quick" option, since even that is overkill. I agree with f0dder regarding the so-called "military grade" wipe options: Don't waste your time or put unnecessary wear & tear on your drives/USB keys.

- For zapping free space on a drive I like SysInternal's SDelete ( http://technet.microsoft....ysinternals/bb897443.aspx ). Eraser does the same, gives you a nice GUI, and also does it a bit more thoroughly.


> Modern-day forensic data recovery software is making remarkable strides in being able to recover data on drives that have been wiped. However, if you come across someone with such software and they have a keen interest in what is on your encrypted volume you will have far larger worries than worrying about someone checking out your passwords.
>
> As long as you are not doing anything illegal you should be fine with a standard wipe. I recommend using DBAN (Darik's Boot And Nuke).

+1 on that.

If you are doing something sufficiently "interesting" to garner the attentions of somebody with access to that level of technology, you're probably already under surveillance, so I doubt your hard drive is going to tell them anything they don't already know.

Suggestion regarding passwords - don't enter the passwords into your database in their true form. Always transpose the last three characters, add some bogus ones to the real password, or otherwise hash/obscure them. That way, should somebody crack your password container's master password, what they see still won't be the real passwords.

P.S. In the United States, judges can and do order defendants in criminal (and some civil) investigations to unlock files that they have password protected. So if you're "keeping company with naughty men," as Captain Malcolm Reynolds would say, your password "won't protect you much from Lawman."

<EDIT-- Whoops! WC! You got in your reply before I posted. Feel free to disregard all of the above except for the password tip. >
« Last Edit: June 14, 2009, 03:55:18 PM by 40hz »

Don't you see? It's turtles all the way down!
akx
« Reply #6 on: June 14, 2009, 04:59:14 PM »

> P.S. In the United States, judges can and do order defendants in criminal (and some civil) investigations to unlock files that they have password protected. So if you're "keeping company with naughty men," as Captain Malcolm Reynolds would say, your password "won't protect you much from Lawman."

Which is why a hidden volume was created. You can hand over the decryption keys to the outer volume and there's no naughty data at all. Wikipedia: Plausible deniability in cryptography

f0dder
« Reply #7 on: June 14, 2009, 05:09:44 PM »

Innuendo: software won't be able to do anything about a zero-wiped drive. There might be hardware that can do something, but as 40hz said - if somebody with access to that kind of technology is after you, you're pretty much SOL already.

wreckedcarzz: yeah, it's more secure in the sense that if somebody finds a fatal flaw in one of the encryption algorithms, your entire setup isn't broken. And it slows down bruteforce speed. But I find it pretty unlikely that an effective attack is found against AES anytime soon, and if somebody with enough computer power to bruteforce a 256bit AES key is after you... you're pretty much SOL already.

40hz
« Reply #8 on: June 14, 2009, 05:38:04 PM »

> > P.S. In the United States, judges can and do order defendants in criminal (and some civil) investigations to unlock files that they have password protected. So if you're "keeping company with naughty men," as Captain Malcolm Reynolds would say, your password "won't protect you much from Lawman."
>
> Which is why a hidden volume was created. You can hand over the decryption keys to the outer volume and there's no naughty data at all. Wikipedia: Plausible deniability in cryptography

Except there's still one little problem....

There's no such thing as a secret if it's really not a secret. And an "open secret" is just another oxymoron.

Since the makers of TrueCrypt were so good as to write an essay about "plausible deniability" with regard to the hidden volume feature, any investigator or prosecutor worthy of the name is going to make an argument for "reasonable cause" to believe that there is a "very strong likelihood" of such hidden volumes being present on any PC that has TrueCrypt installed.

Should that happen, you will be asked (under oath) whether there is such a volume on your drive. And at that point, you'll be faced with two alternatives:


  • Deny there is one, and risk facing a perjury or contempt charge   -or-
  • Admit that there is one, and very likely be ordered to decrypt it

So either way, it doesn't much help you. In fact, having TrueCrypt on your machine might sway the authorities to give you even less slack than they might have. Especially since your behavior could be interpreted as "going to extraordinary lengths" and/or "using sophisticated means" to hide something on your hard drive.

Like f0dder so aptly said: "You're pretty much SOL already"

Innuendo
« Reply #9 on: June 14, 2009, 06:44:59 PM »

f0dder, I wasn't sure of the details that it required hardware as well (magnetic tips on cantilevers scanning drive platters. Ooo..fascinating), but I was trying to make wreckedcarzz aware that wiping a hard drive isn't going to save you if you have attracted the attention of The Man.

Now if you are trying to just keep parents, spouses, significant others, siblings, and friends from sticking their collective noses into your stuff then wipe away.

The only reason I brought this up at all is because he was talking about creating a container in a decoy container with a decoy password. That's usually only done for plausible deniability when you figure you are going to be demanded to give up the password and you figure you are going to have to do it or face significant consequences, not like a friend wanting it and you can tell them to step off. Well, unless he's just trying to hide his midget porn from his parents or something similar.

f0dder
« Reply #10 on: June 14, 2009, 06:53:52 PM »

Innuendo: I see your point.

But even if you get the attention of The Man, I think it has to be the big man before they're bringing out electron microscopes to do magnetic residue analysis.

Innuendo
« Reply #11 on: June 14, 2009, 09:06:42 PM »

f0dder, I don't have any direct or indirect experience with any of this, but it strikes me that it doesn't matter how big the man is who is after you, but rather how big of an example they want to make out of you.

4wd
« Reply #12 on: June 14, 2009, 10:44:12 PM »

> So either way, it doesn't much help you. In fact, having TrueCrypt on your machine might sway the authorities to give you even less slack than they might have. Especially since your behavior could be interpreted as "going to extraordinary lengths" and/or "using sophisticated means" to hide something on your hard drive.

It likely wouldn't matter even if TrueCrypt wasn't apparently installed since you can run TCHunt over a drive to find likely TC containers.

And I'm sure any Federal Authorities would have even better versions of similar software.

I do not need to control my anger ... people just need to stop pissing me off!
wreckedcarzz
« Reply #13 on: June 15, 2009, 05:18:02 AM »

Out of curiosity (I'm not this insane/worried), could one create a TC volume contained within the hidden TC volume? (Thereby making a volume, in a volume, in a volume - it would be interesting)

Also, TC is on the flash drive itself and not on any of my computers, so anyone that was looking for it would have to have the drive itself to find it. But I'm not hiding from the tall black men in the big black van that are "here to help you", just other overly-curious kids at school that have the want and knowledge to rummage through my data like it is a toy store (we have some high level tech classes that can be twisted to assist in hacking and the like, and I had a 120GB hard drive stolen (at school!) last year with some data on it), as well as simply losing the drive and not having to freak out because of the couple GB of personal data on the drive is now in someone's possession.

> f0dder, I don't have any direct or indirect experience with any of this, but it strikes me that it doesn't matter how big the man is who is after you, but rather how big of an example they want to make out of you.

Heh, that's true. But in that situation if you could turn the tables, you could make a complete idiot out of whomever was after you (look, he says this this and this, but it's not true because this this and this! <begin media attention swarm>)

> ...
> you can run TCHunt over a drive to find likely TC containers.
> And I'm sure any Federal Authorities would have even better versions of similar software.

TCH found my volume, but it also found about 15 more false positives. It also detected a couple corrupted files (in addition to those 15), making it somewhat arguable that your file is really just some corrupt data (and by creating corrupt data with it within the same folder, that would assist in the argument, would it not? Some whacked-out software went bananas on this folder and you're to blame because it looks like it could, possibly, hold encrypted data??).


Off-topic: I'm really absent minded... I started typing this reply about 12 hours ago and completely forgot about the tab.

Innuendo
« Reply #14 on: June 15, 2009, 08:37:59 AM »

Quote from: wreckedcarzz
Out of curiosity (I'm not this insane/worried), could one create a TC volume contained within the hidden TC volume? (Thereby making a volume, in a volume, in a volume - it would be interesting)

I know TrueCrypt was not designed to do it and if you were to try it even if it did work it'd be an unsupported scenario. I could see some kind of obscure, esoteric infinite-loop bug popping up.


Quote
just other overly-curious kids at school that have the want and knowledge to rummage through my data like it is a toy store (we have some high level tech classes that can be twisted to assist in hacking and the like, and I had a 120GB hard drive stolen (at school!) last year with some data on it), as well as simply losing the drive and not having to freak out because of the couple GB of personal data on the drive is now in someone's possession.

Then TrueCrypt will serve you well. I don't think anyone's been able to hack a TrueCrypt volume besides brute-force methods. Your data would be safe.

Quote
Off-topic: I'm really absent minded... I started typing this reply about 12 hours ago and completely forgot about the tab.

And how is an absent-minded person going to remember his TrueCrypt passwords? Forgetting those would be a bad thing.

wreckedcarzz
« Reply #15 on: June 15, 2009, 01:17:58 PM »

> And how is an absent-minded person going to remember his TrueCrypt passwords? Forgetting those would be a bad thing.

Repetition is my friend.

Another question: I ran Eraser on the flash drive before bed last night (morning, was 3AM when I posted) and when I woke up it said that it had successfully wiped the free space, however it could not delete the folder entries and recommended I run CheckDisk on the drive. Is this something that I should be concerned about at all, and should I really run CD? I've read where some people here at DC have had less-than-positive experiences with it.

40hz
« Reply #16 on: June 15, 2009, 10:22:45 PM »

> Another question: I ran Eraser on the flash drive before bed last night (morning, was 3AM when I posted) and when I woke up it said that it had successfully wiped the free space, however it could not delete the folder entries and recommended I run CheckDisk on the drive. Is this something that I should be concerned about at all, and should I really run CD?

I might be a tiny bit concerned. Or would be until after I ran a filecheck just to be sure something didn't get hosed on my drive. I know Eraser used to warn about the free space wipe being a quasi-experimental feature. But I thought they had since gotten the kinks worked out.

I'm wondering if that 'warning' you got was because Eraser has the same limitation that SDelete has. SDelete can securely delete file data in the free space, but not the file names. This is because of the way Windows interfaces with the NTFS directory structure. (Translation: It's not a bug!)

The following from the Sysinternals SDelete page explains it better:

Quote
The reason that SDelete does not securely delete file names when cleaning disk free space is that deleting them would require direct manipulation of directory structures. Directory structures can have free space containing deleted file names, but the free directory space is not available for allocation to other files. Hence, SDelete has no way of allocating this free space so that it can securely overwrite it.

-----

Quote
and should I really run CD? I've read where some people here at DC have had less-than-positive experiences with it

As far as chkdsk is concerned, I'm not aware of any problems that can be caused just by running it. I have run into situations where it couldn't fix a problem. But I've never heard of a situation where it actually caused one.

« Last Edit: June 15, 2009, 10:24:44 PM by 40hz »

Don't you see? It's turtles all the way down!
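
The free-space wipe and the directory-entry limitation discussed above, as an added example that is not part of the thread and not code from Eraser or SDelete: it audits a raw FAT32 image (the file system of the flash drive in the first post) for free clusters that still hold data, applies a single pass of zeroes, and lists deleted root-directory entries that the pass does not touch. The tiny image is constructed for the demonstration and every function name is hypothetical.

```python
import struct

def geometry(img):
    """Boot-sector fields needed to locate the FAT and the data area."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    total, fat_sectors = struct.unpack_from("<II", img, 32)
    root, = struct.unpack_from("<I", img, 44)
    data = (reserved + nfats * fat_sectors) * bps
    last = 1 + (total * bps - data) // (bps * spc)  # highest cluster number
    return {"csize": bps * spc, "fat": reserved * bps, "data": data,
            "root": root, "last": last}

def fat_entry(img, g, n):
    """FAT32 entries are 32 bits wide; only the low 28 bits are the value."""
    return struct.unpack_from("<I", img, g["fat"] + 4 * n)[0] & 0x0FFFFFFF

def span(g, n):
    start = g["data"] + (n - 2) * g["csize"]  # cluster numbering starts at 2
    return start, start + g["csize"]

def free_clusters(img, g):
    return [n for n in range(2, g["last"] + 1) if fat_entry(img, g, n) == 0]

def dirty_free_clusters(img):
    """Free clusters that still contain non-zero bytes (recoverable remnants)."""
    g = geometry(img)
    return [n for n in free_clusters(img, g) if any(img[slice(*span(g, n))])]

def deleted_root_names(img):
    """8.3 names of deleted entries (first byte 0xE5) left in the root directory."""
    g, names, seen = geometry(img), [], set()
    n = g["root"]
    while 2 <= n <= g["last"] and n not in seen:  # follow the root dir chain
        seen.add(n)
        start, end = span(g, n)
        for off in range(start, end, 32):
            entry = img[off:off + 32]
            if entry[0] == 0x00:                  # end-of-directory marker
                return names
            if entry[0] == 0xE5 and entry[11] != 0x0F:  # deleted, not a long-name slot
                base = entry[1:8].decode("ascii", "replace").rstrip()
                ext = entry[8:11].decode("ascii", "replace").rstrip()
                names.append("?" + base + ("." + ext if ext else ""))
        n = fat_entry(img, g, n)
    return names

def zero_free_space(img):
    """One pass of zeroes over every free cluster; returns a wiped copy."""
    out, g = bytearray(img), geometry(img)
    for n in free_clusters(img, g):
        start, end = span(g, n)
        out[start:end] = bytes(g["csize"])
    return out

def build_sample():
    """Constructed 4 KiB image: boot sector, one FAT sector, clusters 2..7."""
    img = bytearray(8 * 512)
    struct.pack_into("<HBHB", img, 11, 512, 1, 1, 1)  # 512 B/sector, 1 sector/cluster
    struct.pack_into("<II", img, 32, 8, 1)            # 8 sectors total, 1 FAT sector
    struct.pack_into("<I", img, 44, 2)                # root directory at cluster 2
    # FAT: entries 0/1 reserved, 2 = root dir, 3 = live file, 4..7 free (zero)
    struct.pack_into("<4I", img, 512, 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0x0FFFFFFF)
    img[1024:1036] = b"NOTES   TXT\x20"               # live entry
    struct.pack_into("<H", img, 1024 + 26, 3)         # its first cluster
    img[1056:1068] = b"\xe5AXES   XLS\x20"            # deleted TAXES.XLS entry
    img[1536:1554] = b"live file contents"            # cluster 3, allocated
    img[2560:2588] = b"remnant of deleted TAXES.XLS"  # cluster 5, free but not wiped
    return img

if __name__ == "__main__":
    image = build_sample()
    print("before wipe:", dirty_free_clusters(image), deleted_root_names(image))
    wiped = zero_free_space(image)
    print("after wipe: ", dirty_free_clusters(wiped), deleted_root_names(wiped))
```

On the sample, the single zero pass clears the remnant in the free cluster while the deleted entry's name stays in the allocated directory cluster.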
wreckedcarzz
« Reply #17 on: June 24, 2009, 05:48:52 PM »

Late reply, have been getting backed up with email (8 accounts and AOL's spam filter sucks big time...) so I forgot about the notification.

The flash drive is FAT32, not NTFS, so that limitation would be invalid... correct? I'll run a full Checkdisk on the drive tonight before bed just to make sure.

Deozaan
« Reply #18 on: June 27, 2009, 02:38:46 PM »

> Modern-day forensic data recovery software is making remarkable strides in being able to recover data on drives that have been wiped. However, if you come across someone with such software and they have a keen interest in what is on your encrypted volume you will have far larger worries than worrying about someone checking out your passwords.

This comes to mind:

Innuendo
« Reply #19 on: June 27, 2009, 03:06:49 PM »

Quote from: wreckedcarzz
Late reply, have been getting backed up with email (8 accounts and AOL's spam filter sucks big time...)

If you are on AOL you've got bigger problems than I thought.

f0dder
« Reply #20 on: June 27, 2009, 08:21:58 PM »

Deozaan: xkcd <3

If you have anything really important to hide, that's what's going to happen - and plausible deniability is NO help whatsoever, then. If you have something remotely important to hide, you'll be accused of contempt when saying "oh, but I gave you the passphrase" which reveals 10gig of softporn on a 250gig drive...

wreckedcarzz
« Reply #21 on: June 28, 2009, 03:18:21 PM »

> Quote from: wreckedcarzz
> Late reply, have been getting backed up with email (8 accounts and AOL's spam filter sucks big time...)
>
> If you are on AOL you've got bigger problems than I thought.

No longer as my ISP (thank heavens), but I do have 4 remaining e-mail accounts with them...

Innuendo
« Reply #22 on: June 29, 2009, 10:51:39 AM »

Quote from: wreckedcarzz
No longer as my ISP (thank heavens), but I do have 4 remaining e-mail accounts with them...

I think I'd be making transition plans to other, less restrictive email accounts if I were you.