|
 |
Warp wrote:
> Just because you have navigated to a directory doesn't mean the directory
> was a TrueCrypt mount. It could have been anything.
You're looking at it from an inverted viewpoint. When they look at the
computer, they're not going to start with "Does he have a truecrypt
container?".
They'll likely browse your command history, and find something of
interest in a given directory. They navigate there to see it is empty.
Fine - let's say the person always did a rm -rf *. But they see you
repeatedly accessing stuff there time after time. It may raise eyebrows.
Not proof of anything, but perhaps enough to warrant a questioning.
> Last I checked, the TrueCrypt documentation clearly stated why you should
> use FAT as the file system, and why it is the default when nothing else is
> specified.
I don't see it in their online docs. They mention you can do NTFS and
FAT, but a quick glance did not show any discussion on what you should
use. And as the docs are quite geared towards Windows, one could get the
impression that it just has NTFS and FAT to target that audience. I
don't think they actually suggest anywhere *not* using any other FS.
(Edit: I just saw in the section about hidden containers that it says
not to use a journaling FS).
>> The area occupied by the hidden partition will have random stuff in
>> it, but will appear to be "free" space by the FS (as in space available
>> for writing). A contiguous block of 10 GB, especially with actual data
>> around it, will look suspicious. Regardless of whether that space has
>> random data.
>
> What do you mean "actual data"? Of course all the sectors will have "data".
> The ones which are free will have random garbage (or a hidden volume).
> There's no way of telling if that data is just random gargabe or something
> else.
See figure at http://www.truecrypt.org/docs/hidden-volume.php
Let the total area be 30 GB, and the hidden container be 10 GB.
You start off with nothing in either. You just created it.
So you slowly add stuff to both, as time goes by.
If anyone were to decrypt the outer container, they'd see at least 10
GB (typically more) of unallocated space. It has random bits in it, but
the FS reports it as available.
The 10 GB used by the hidden container, if contiguous (which I suspect
it is), will always appear as a 10 GB contiguous block of free space
when you decrypt the outer container.
A 10 GB contiguous unallocated block in a 30 GB partition is not
expected to exist over a long period. It's expected that one writes a
lot, and deletes a lot, resulting in fragmentation. The remaining 20 GB
will appear fragmented, but that 10 GB will always appear available,
with the FS reporting no data there.
Sure, it will have random bits, but nevertheless, it will all be one
contiguous, unallocated block.
How much this matters depends on your usage. If you just keep 1 GB of
stuff in the outer container, then this may not look weird.
I may be stretching, but I don't think I'm wrong. You pick your level
of paranoia as a user. When it comes to those who design the software,
though, they have to assume worst case scenarios.
Perhaps I'm totally wrong. I don't see a flaw, though. The following
page gives some precautions:
http://www.truecrypt.org/docs/hidden-volume-precautions.php
Frankly, the trouble I'd have to go through to follow all the advice on
that page is not worth it. I'm quite content at not trying to hide TC
(or any similar system) usage, and I'm more concerned about
non-law-enforcement accessing stuff on my HD (e.g. someone visiting my
house so that he cannot see financial records).
> Well, good luck for them to prove that you are indeed lying.
Interrogations can be surprisingly effective. Even the ones where they
don't do anything illegal.
--
DO NOT REMOVE THIS TAG (UNDER PENALTY OF LAW)
/\ /\ /\ /
/ \/ \ u e e n / \/ a w a z
>>>>>>mue### [at] nawaz org<<<<<<
anl
Post a reply to this message
|
|
