Via 8 Bits I discovered Forensic
Innovations' blog. What especially interested me was that they found
a method for detecting TrueCrypt (and other headerless) encrypted data.
Up till now TrueCrypt containers were the hardest to detect, as they
don't have a specific file header that gives away their presence.
Forensic Innovations have created a tool to find these containers based
on certain patterns they recognised, and included it in their FITOOLS
kit as of version 2.23. Just use the 'Encrypted Data (Headerless)'
option and let it search the hard disk. Of course it can't decrypt the
container, but detecting it is nevertheless very, very useful indeed. I
wish I had this tool at hand during a certain practical exam for a
forensics cert ;)
