#1
This may be old hat to some of you, but it may be new to others: it is possible to create and/or mount an ADS (alternate data stream) as an encrypted Truecrypt container file.

For instance, if the file C:\somepath\sometext.txt already exists on your system (or create it and fill it with some text) then you would create an ADS Truecrypt volume invisibly "attached" to it (called "hidden" for illustration but you may wish to call it something more bland, perhaps a Kaspersky antivirus ADS name) by doing the following:

Invoke Truecrypt and, when prompted for the name of the file to create as a Truecrypt container file, enter:

C:\somepath\sometext.txt:hidden

That is, append a colon and then the name of your soon-to-be-created ADS Truecrypt file to the existing visible file name.

Same for mounting.

Incidentally, do not use the file explorer dialog box (which will choke); instead type the name directly into the Truecrypt file name entry box.

Regards,

PS Obviously, the visible host file could be other than a text file - any file type will do. For instance, the devious may use a not-easily-deleted system file. Or the even more devious can use a directory rather than a file. (Yes, directories and not just files can have ADSs; those attached to the root directory of a drive are especially hard to detect - or get rid of!)

PPS For manipulating ADS additional extents (the proper name for the hidden piggyback files) the best program I've come across is NTFS Streams Info. Nothing to do with encryption, just revealing, creating, deleting, etc.

PPPS ADS streams are becoming better known but are still not well-known - even to some sysadmins. Their day is passing as a useful trick. Passing, but not yet past.
|
|
|
#2
|
"nemo_outis" <> wrote in news:Xns9837B47BD70FCabcxyzcom@127.0.0.1:

> This may be old hat to some of you, but it may be new to others: it is possible to create and/or mount an ADS (alternate data stream) as an encrypted Truecrypt container file.
>
> For instance, if the file C:\somepath\sometext.txt already exists on your system (or create it and fill it with some text) then you would create an ADS Truecrypt volume invisibly "attached" to it (called "hidden" for illustration but you may wish to call it something more bland, perhaps a Kaspersky antivirus ADS name) by doing the following:
>
> Invoke Truecrypt and, when prompted for the name of the file to create as a Truecrypt container file, enter:
>
> C:\somepath\sometext.txt:hidden
>
> That is, append a colon and then the name of your soon-to-be-created ADS Truecrypt file to the existing visible file name.
>
> Same for mounting.
>
> Incidentally, do not use the file explorer dialog box (which will choke); instead type the name directly into the Truecrypt file name entry box.
>
> Regards,
>
> PS Obviously, the visible host file could be other than a text file - any file type will do. For instance, the devious may use a not-easily-deleted system file. Or the even more devious can use a directory rather than a file. (Yes, directories and not just files can have ADSs; those attached to the root directory of a drive are especially hard to detect - or get rid of!)
>
> PPS For manipulating ADS additional extents (the proper name for the hidden piggyback files) the best program I've come across is NTFS Streams Info. Nothing to do with encryption, just revealing, creating, deleting, etc.
>
> PPPS ADS streams are becoming better known but are still not well-known - even to some sysadmins. Their day is passing as a useful trick. Passing, but not yet past.

This does nothing but hide it from the casual observer. That type of observer can be fooled by just naming it to look like a system file.

If your computer is seized, the stream will be found. Any forensics specialist worth his salt will find it very easily, as well as any admin even slightly knowledgeable. It stands out like a red flag with the tools available. I'd have to say that you make it even easier to find by hiding it in a stream.
|
|
|
#3
|
Redwood <> wrote in news:QM3KT5C738967.8576851852@twistycreek.com:

> "nemo_outis" <> wrote in news:Xns9837B47BD70FCabcxyzcom@127.0.0.1:
>
>> This may be old hat to some of you, but it may be new to others: it is possible to create and/or mount an ADS (alternate data stream) a
>> [snip]
>> ADS streams are becoming better known but are still not well-known - even to some sysadmins. Their day is passing as a useful trick. Passing, but not yet past.
>
> This does nothing but hide it from the casual observer. That type of observer can be fooled by just naming it to look like a system file. If your computer is seized, the stream will be found. Any forensics specialist worth his salt will find it very easily, as well as any admin even slightly knowledgeable. It stands out like a red flag with the tools available. I'd have to say that you make it even easier to find by hiding it in a stream.

I agree, it's protection against your kid sister only - security through obscurity, and we all know what that means! (Yuck!)

Incidentally, this isn't a truecrypt "feature"; practically any OTFE system will most likely allow this - not to mention conventional encryption systems.
|
|
|
#4
|
Redwood <> wrote in news:QM3KT5C738967.8576851852@twistycreek.com:

> "nemo_outis" <> wrote in news:Xns9837B47BD70FCabcxyzcom@127.0.0.1:
>
>> This may be old hat to some of you, but it may be new to others: it is possible to create and/or mount an ADS (alternate data stream) as an encrypted Truecrypt container file.
>>
>> For instance, if the file C:\somepath\sometext.txt already exists on your system (or create it and fill it with some text) then you would create an ADS Truecrypt volume invisibly "attached" to it (called "hidden" for illustration but you may wish to call it something more bland, perhaps a Kaspersky antivirus ADS name) by doing the following:
>>
>> Invoke Truecrypt and, when prompted for the name of the file to create as a Truecrypt container file, enter:
>>
>> C:\somepath\sometext.txt:hidden
>>
>> That is, append a colon and then the name of your soon-to-be-created ADS Truecrypt file to the existing visible file name.
>>
>> Same for mounting.
>>
>> Incidentally, do not use the file explorer dialog box (which will choke); instead type the name directly into the Truecrypt file name entry box.
>>
>> Regards,
>>
>> PS Obviously, the visible host file could be other than a text file - any file type will do. For instance, the devious may use a not-easily-deleted system file. Or the even more devious can use a directory rather than a file. (Yes, directories and not just files can have ADSs; those attached to the root directory of a drive are especially hard to detect - or get rid of!)
>>
>> PPS For manipulating ADS additional extents (the proper name for the hidden piggyback files) the best program I've come across is NTFS Streams Info. Nothing to do with encryption, just revealing, creating, deleting, etc.
>>
>> PPPS ADS streams are becoming better known but are still not well-known - even to some sysadmins. Their day is passing as a useful trick. Passing, but not yet past.
>
> This does nothing but hide it from the casual observer. That type of observer can be fooled by just naming it to look like a system file. If your computer is seized, the stream will be found. Any forensics specialist worth his salt will find it very easily, as well as any admin even slightly knowledgeable. It stands out like a red flag with the tools available. I'd have to say that you make it even easier to find by hiding it in a stream.

The use of ADS is not intended to hide the Truecrypt file from a thorough search; it is intended to not obtrude the existence of a multi-gigabyte file to casual inspection (including casual *automated* inspection of the sort of simplistic "HD inventory" done in many corporate environments, or the quickie scan done by customs at many border points). It is a complement, for instance, to using the Traveller mode of Truecrypt, which also has a similar goal: not of being absolutely undetectable but of being unobvious.

The goal of not coming to someone's attention in the first place, rather than resisting disclosure afterwards, is not one to be sneered at. And, no, nothing is lost by using this method. And, of course, there is no detriment to the actual security of the file's encrypted contents, should its existence be detected. The method doesn't try to do Truecrypt's job of encryption; it is instead a complement to it.

I say, without fear of contradiction, that there is NO method of unsuspiciously hiding a multi-gigabyte encrypted file from a *thorough* search - this just makes it easier to pass undetected through a less than thorough search (or, better yet, to avoid a search in the first place). In fact, I strongly suspect that, until I disclosed this approach, you would not have looked for it. It, like most conjurer's tricks, is one of subterfuge and misdirection. And, like a conjurer's trick, it is totally simple and obvious - but only AFTER it has been explained!

Used judiciously, the method lends itself to other tricks as well. For instance, use of ADS escapes the Windows disk quota system. This, for instance, permits one to stash a multi-gigabyte file on a network drive where one supposedly only has, say, 5 meg allotted. Chances are high (in many environments) that such a drive is not even checked for such things - I say this from experience in a large number of clients' environments, including several that flattered themselves that they ran tight ships.

Regards,

PS While many virus and trojan checkers now look for ADS (they didn't until just a few years ago even though ADS has been around since about 1990) there are still several which cannot detect an ADS attached to the *root* directory of a drive (attached, not to a file *in* the root directory, but to the root directory itself).

PPS Personally, I have now moved away from this method to using the still-not-widely-known method of hiding files in the HPA. Most ordinary tools, including even some of the lesser forensic ones, will only look for hidden partitions and the like in the accessible part of the HD, cheerfully accepting the hardware-level under-reporting of the HD's true capacity. (Phoenix and some others are now screwing this up for hackers by using such partitions for backup/recovery, which is widening the appreciation of the HPA. Sic transeunt hacks.)

Cascading methods can also be helpful. Would you like to guess how many tools currently support looking for an ADS attached to a file in the HPA? That's right: none!
|
|
|
#5
|
"nemo_outis" <> wrote in news:Xns9837E1A9AD038abcxyzcom@204.153.244.170:

> Cascading methods can also be helpful. Would you like to guess how many tools currently support looking for an ADS attached to a file in the HPA? That's right: none!

http://www.md5.uk.com/prodiscover_incidentresponse.htm
http://www.winhex.com/forensics/
http://vidstrom.net/stools/taft/
http://www.guidancesoftware.com/products/ef_AddOn.asp

Are a few that will do this. As you mentioned, now even AV detect and flag streams due to their utilization by viruses and older rootkits; soon they'll be scanning the HPA as well. This may have been useful years ago but now you are effectively tying a huge red flag to the file. As you mentioned, it's basically impossible to hide a file; better to disguise it than cause a second closer look because it was flagged for being an ADS (yes, even in the HPA, it's not immune anymore).
|
|
|
#6
|
Redwood <> wrote in news:2615EJ3J38968.1544097222@twistycreek.com:

> "nemo_outis" <> wrote in news:Xns9837E1A9AD038abcxyzcom@204.153.244.170:
>
>> Cascading methods can also be helpful. Would you like to guess how many tools currently support looking for an ADS attached to a file in the HPA? That's right: none!
>
> http://www.md5.uk.com/prodiscover_incidentresponse.htm
> http://www.winhex.com/forensics/
> http://vidstrom.net/stools/taft/
> http://www.guidancesoftware.com/products/ef_AddOn.asp
>
> Are a few that will do this. As you mentioned, now even AV detect and flag streams due to their utilization by viruses and older rootkits; soon they'll be scanning the HPA as well. This may have been useful years ago but now you are effectively tying a huge red flag to the file. As you mentioned, it's basically impossible to hide a file; better to disguise it than cause a second closer look because it was flagged for being an ADS (yes, even in the HPA, it's not immune anymore).

I think you will find you have overstated your case. Yes, many forensic tools can locate ADS and, yes, some now will access the HPA, but they do not look for ADS in the HPA (commonly, but not universally, the HPA is set up as a Linux ext2 - or variant - file system rather than NTFS, and the question of ADS does not even arise). Moreover, even within the conventionally accessible area of a hard disk, some of the forensic tools have trouble picking up some ADSs (such as my trick of attaching an ADS to the root directory rather than a file). The X-Ways page you refer to above itself notes this very point (while gently slagging off their competitors) in the following bullet:

"Easy detection of and access to NTFS alternate data streams (ADS), even where Encase 5.05 and ILook fail"

As for anti-virus programs, many now look for viruses within ADSs but few, in standard configuration, report the ADS if the ADS is (ostensibly) benign. That's because there are a few (just a few, but that's enough) entirely legitimate uses of ADS. Examples include thumbnails, extended document properties, and Kaspersky antivirus scan markings (yes, an antivirus program itself uses ADS!). A (Truecrypt) ADS named and attached to an appropriate host file as one of these legitimate types will almost certainly not be reported by an antivirus program. (I say this as a corporate version of TrendMicro has passed over my ADS collection - for the umpteenth time - without reporting anything amiss.)

But I'm not here to "sell" you on the method (I get no commission). I'm not pretending this is the whole toolbox, merely one tool in it - that's why I labelled it a trick in the first place. I impart the information to be added to the toolbox of hackers and sysadmins alike to increase the defensive or offensive repertoire of both.

Regards,
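The posts above (#2, #4 and #6) argue about how easily an ADS is spotted and note that a container named after a legitimate stream slips past scanners that only allowlist by name. The following Python is an added example, not code from the thread or from any poster: it parses the output of cmd.exe's built-in `dir /R` (which lists alternate data streams as `host:stream:$DATA` lines under their host entries) and flags the streams an admin would want to review, namely those attached to a directory, those above a size threshold or larger than their host file, and those with unrecognised names. A benign name does not excuse a container-sized stream, which is the case post #6 describes. The sample listing, the benign-name allowlist and the 100 MiB threshold are all constructed assumptions; the real stream names in an environment (including the thumbnail, document-property and Kaspersky streams mentioned above) should be baselined before being added to the allowlist.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of `dir /R` output (not captured from a real host).
# `dir /R` prints each alternate data stream on its own line beneath its host
# entry, with no date/time columns and the name as host:stream:$DATA.
# The names and sizes below are invented for illustration.
SAMPLE_DIR_R_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\somepath

07/29/2009  11:20 AM    <DIR>          .
                             2,147,483,648 .:hidden:$DATA
07/29/2009  11:20 AM    <DIR>          ..
07/29/2009  09:48 AM                   812 sometext.txt
                             1,073,741,824 sometext.txt:hidden:$DATA
07/29/2009  09:48 AM                53,201 report.docx
                                        26 report.docx:Zone.Identifier:$DATA
               2 File(s)             54,013 bytes
               2 Dir(s)  12,345,678,901 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
HOST_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}(?: [AP]M)?\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:\s]+):\$DATA\s*$")

# Stream names expected and harmless when small.  Constructed starting point:
# baseline the names actually seen in your environment before extending it.
BENIGN_STREAMS = {"Zone.Identifier"}
SMALL_STREAM_BYTES = 64 * 1024
LARGE_STREAM_BYTES = 100 * 1024 * 1024  # assumed review threshold


@dataclass
class StreamEntry:
    directory: str
    host: str
    host_is_dir: bool
    host_size: Optional[int]  # None when the host is a directory
    stream: str
    size: int


@dataclass
class Finding:
    entry: StreamEntry
    reasons: List[str] = field(default_factory=list)


def _to_int(size_text: str) -> int:
    return int(size_text.replace(",", ""))


def parse_dir_r(text: str) -> List[StreamEntry]:
    """Extract every alternate data stream from `dir /R` output."""
    entries: List[StreamEntry] = []
    directory = ""
    hosts: Dict[str, Tuple[bool, Optional[int]]] = {}
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            directory, hosts = m.group(1), {}
            continue
        m = HOST_LINE.match(line)
        if m:
            size_field, name = m.groups()
            is_dir = size_field == "<DIR>"
            hosts[name] = (is_dir, None if is_dir else _to_int(size_field))
            continue
        m = STREAM_LINE.match(line)
        if m:
            size_field, host, stream = m.groups()
            is_dir, host_size = hosts.get(host, (False, None))
            entries.append(StreamEntry(directory, host, is_dir, host_size,
                                       stream, _to_int(size_field)))
    return entries


def assess(entries: List[StreamEntry],
           large_bytes: int = LARGE_STREAM_BYTES) -> List[Finding]:
    """Return the streams worth a closer look, each with the rules it tripped."""
    findings: List[Finding] = []
    for e in entries:
        if e.stream in BENIGN_STREAMS and e.size <= SMALL_STREAM_BYTES:
            continue  # known-good name at a plausible size
        reasons = []
        if e.host_is_dir:
            reasons.append("attached to a directory")
        if e.size >= large_bytes:
            reasons.append("larger than threshold")
        if e.host_size is not None and e.size > e.host_size:
            reasons.append("larger than its host file")
        if e.stream not in BENIGN_STREAMS:
            reasons.append("unrecognised stream name")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in assess(parse_dir_r(SAMPLE_DIR_R_OUTPUT)):
        e = f.entry
        print(f"{e.directory}\\{e.host}:{e.stream}  {e.size:,} bytes  "
              f"[{'; '.join(f.reasons)}]")
```

On a live host the input would come from `dir /R /S <drive>` redirected to a file; the directory-attached rule catches the root-directory case post #4 says some scanners miss, and the size rules catch a multi-gigabyte container regardless of what it is called.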
|
|
|
#7
|
"nemo_outis" <> wrote in message news:Xns9837B47BD70FCabcxyzcom@127.0.0.1...

> This may be old hat to some of you, but it may be new to others: it is possible to create and/or mount an ADS (alternate data stream) as an encrypted Truecrypt container file.
>
> For instance, if the file C:\somepath\sometext.txt already exists on your system (or create it and fill it with some text) then you would create an ADS Truecrypt volume invisibly "attached" to it (called "hidden" for illustration but you may wish to call it something more bland, perhaps a Kaspersky antivirus ADS name) by doing the following:
>
> Invoke Truecrypt and, when prompted for the name of the file to create as a Truecrypt container file, enter:
>
> C:\somepath\sometext.txt:hidden
>
> That is, append a colon and then the name of your soon-to-be-created ADS Truecrypt file to the existing visible file name.
>
> Same for mounting.
>
> Incidentally, do not use the file explorer dialog box (which will choke); instead type the name directly into the Truecrypt file name entry box.
>
> Regards,
>
> PS Obviously, the visible host file could be other than a text file - any file type will do. For instance, the devious may use a not-easily-deleted system file. Or the even more devious can use a directory rather than a file. (Yes, directories and not just files can have ADSs; those attached to the root directory of a drive are especially hard to detect - or get rid of!)
>
> PPS For manipulating ADS additional extents (the proper name for the hidden piggyback files) the best program I've come across is NTFS Streams Info. Nothing to do with encryption, just revealing, creating, deleting, etc.
>
> PPPS ADS streams are becoming better known but are still not well-known - even to some sysadmins. Their day is passing as a useful trick. Passing, but not yet past.

Data streams are a feature of the NT file system (NTFS), not of TrueCrypt. Data streams have been around since NTFS was invented. They are sometimes used but not often. In fact, Kaspersky used it as a means of speeding up their on-demand scans by saving a hash code of the file in a data stream which it would compare when scanning the file. If the file hadn't changed, the hash was the same so they could skip scanning that file for viruses. Unfortunately that meant when you uninstalled KAV that you ended up with lots of files with remnant data streams.

Unless you are the only user of the host, and if you are willing to ignore warnings from malware scanners that check for ADS, it could easily disappear, especially if seen as a junk file or something no longer wanted. Hiding the .tc file in a data stream is not going to hide it from anyone except neophytes since anyone interrogating your system will find it, especially due to the disk space usage.

If you wanted to hide what is in the TrueCrypt volume, why not use their hidden volume trick? You use a password for the unhidden part which you divulge under pressure or threat, but the hidden stuff uses a different password.

You could use steganography to hide content within files so users would just see the pretty picture but hidden within is your secret data, but if you save a huge amount of data in the picture file then its size makes it suspect.
|
|
|
#8
|
"Vanguard" <> wrote in news::

> Data streams are a feature of the NT file system (NTFS), not of TrueCrypt. Data streams have been around since NTFS was invented. They are sometimes used but not often. In fact, Kaspersky used it...

You're coming a little late to the party - I have already noted these points.

As for steganography, it is readily detectable unless the payload is less than a few percent (i.e., the ratio of hidden to host data). While now rather long in the tooth, you could start with reading the history of such things as OutGuess and stegdetect. Then move on to the Crypto conferences (published by Springer).

Regards,
|
|
|
#9
|
nemo_outis wrote:

> Or the even more devious can use a directory rather than a file. (Yes, directories and not just files can have ADSs

Dr. Pedantic says: Directories ARE files.
|
|
|
#10
|
wrote:

> I agree, it's protection against your kid sister only - security through obscurity, and we all know what that means! (Yuck!)

Here we go...

Can you name some type of security that ISN'T making use of obscurity? The lock to your car and house require an obscurely-patterned key to fit. Every one of your passwords works because it is obscure. And on and on... And your anonymous remailer adds privacy and security by using obscurity.
|