The Hague, October 2013
Intelligence Notification 008-2013
Cybercriminals using encryption - TRUECRYPT
‘What happened?
Investigators had seized the laptop of a suspect and obtained the password. After booting the
forensic copy, however, the error message "Missing operating system" appeared, leading them
to believe there was a fundamental problem with the laptop. In fact there was nothing wrong
with the laptop: the suspect had used software called TRUECRYPT to trigger a bogus error
message during start-up. The password simply had to be typed on the black screen
displaying the error message. The sole purpose of this message was to fool law enforcement.
How does it work?
TRUECRYPT is a freeware encryption application that can be used on Windows, Linux or OS X
based computers. The software can be used to create an encrypted file container, to encrypt
partitions or an entire hard-drive. When encrypting an entire hard-drive (full disk encryption)
or the system partition (the one containing the operating system), TRUECRYPT installs the
TRUECRYPT Boot Loader on the first sector of the hard-drive. The TRUECRYPT Boot Loader is
loaded before the operating system and it requires the input of the password before the
hard-drive's data can be accessed.
Starting with version 6.1, TRUECRYPT introduced a function to display a fake message upon
booting: the user enables the option "Do not show any texts in the pre-boot authentication screen"
and enters the fake error message in the corresponding field (for example, the "Missing
operating system" message, which is normally displayed by the Windows boot loader if it finds
no Windows boot partition). The pre-boot screen then shows nothing but that message, although
it is still waiting for the password.
For more information related to TRUECRYPT please visit www.truecrypt.org.
Why do you need to know?
+ Especially investigators without cyber training should be informed about this, so that if they
do have the password, they can try to enter it as described above, if necessary.
+ For proper examination, a forensic copy or image should be made. The examiner must
check the first sector of the media. If that sector contains the text "TrueCrypt Boot Loader",
it means that the hard-drive or the system partition is encrypted with TRUECRYPT.
The forensic copy must be connected to a forensic computer, preferably through a write
blocker device. After that, the most efficient solution is to install and launch TRUECRYPT,
press the "Select Device" button, choose the target hard-drive from the list (not a partition of
the hard-drive), mount it as read-only (as a complementary safety measure) and enter the
password. At this point TRUECRYPT maps all the partitions on the drive, which can then be
forensically examined.
PUBLIC
Document made public on: 04 SEP
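The check described in the second bullet (read sector 0 of the image and look for the text "TrueCrypt Boot Loader") is easy to script so it can be run over a whole batch of images before anyone boots a copy. The following is an added example and not part of the Europol notification or of the TrueCrypt project; it assumes a raw (dd-style) image whose first 512 bytes are the MBR, treats the literal string named in the notification as the only indicator, and builds its own constructed sample sectors for testing rather than using real captures. The function names (`classify_sector`, `build_sample_mbr`, and so on) are the author's own. Note the caveat it encodes: a plain Windows MBR also carries the string "Missing operating system", so that message alone proves nothing; the TrueCrypt marker is the discriminator.

```python
"""Detect the TrueCrypt Boot Loader in sector 0 of a raw forensic disk image.

Added example, not code from the notification or from TrueCrypt. Assumes a raw
(dd-style) image where sector 0 is a classic MBR. Sample sectors are constructed
in build_sample_mbr() and are not real captures.
"""
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries start here
TRUECRYPT_MARKER = b"TrueCrypt Boot Loader"   # text the notification says sits in sector 0


def read_first_sector(image_path):
    """Read sector 0 of the image. Opened read-only; evidence is never written to."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def has_mbr_signature(sector):
    """True if the sector is a full 512 bytes ending in the 0x55AA boot signature."""
    return len(sector) >= SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def is_truecrypt_boot_loader(sector):
    """The notification's test: does sector 0 contain the TrueCrypt loader string?"""
    return TRUECRYPT_MARKER in sector


def mbr_partitions(sector):
    """Return (bootable, type_id, lba_start, sector_count) for each non-empty entry.

    With TrueCrypt system encryption the partition table itself stays readable;
    only the partition contents are ciphertext, so this still tells the examiner
    what to expect once the drive is mounted.
    """
    if len(sector) < SECTOR_SIZE:
        return []
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4), little-endian
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:
            entries.append((status == 0x80, type_id, lba_start, count))
    return entries


def classify_sector(sector):
    """Summarise what the examiner needs to know before mounting anything."""
    return {
        "mbr_signature": has_mbr_signature(sector),
        "truecrypt_boot_loader": is_truecrypt_boot_loader(sector),
        "partitions": mbr_partitions(sector),
    }


def build_sample_mbr(truecrypt):
    """Constructed 512-byte MBR for testing (not a real capture).

    One bootable partition of type 0x07 at LBA 2048, 204800 sectors. The marker
    offset 0x100 is arbitrary; the check above searches the whole sector.
    """
    sector = bytearray(SECTOR_SIZE)
    if truecrypt:
        sector[0x100:0x100 + len(TRUECRYPT_MARKER)] = TRUECRYPT_MARKER
    else:
        # A standard Windows MBR carries its own error strings, so this text alone
        # must not be read as evidence of anything.
        msg = b"Missing operating system"
        sector[0x100:0x100 + len(msg)] = msg
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # Usage: python tc_sector_check.py image1.dd image2.dd ...
    for path in sys.argv[1:]:
        print(path, classify_sector(read_first_sector(path)))
```

Run it against the write-blocked image files before any mounting attempt; an image flagged `truecrypt_boot_loader: True` is the case for the "Select Device" procedure above, while one whose sector 0 merely contains "Missing operating system" is not, by itself, evidence of TrueCrypt.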