You are on page 1of 1
Se rea =Irs “The Hagus, October 2013, “Inteligence Notation 008-2013, ‘ybercriminals using encryption - TRUECRYPT ‘What happened? Investigators had seized the laptop of a suspect and obtained the password. After booting the forenst copy however, the error message "Missing operating system" appeared, leading tiem to belave there was a fundamental problem with the laptop. In fact there wos nothing Weng With the laptop but the suspect had used software called TRUECRYPT to tigger a boges error ‘message during start up. The password simply had to be inserted on the black screen Aispaying the error message. The sole purpose af tis message was to fool law enforcement. How does it work? TRUECRYFT Is 2 freeware encryption application that can be used on Windows, Linux or CS X based computers. The softwara can be used to create an encrypted fle container, to eneype parttens or an entire hard-drive. When encrypting an entite harden (one disk encrypuse) fr the system partition {the one cantalaing the operating system) TRUECRYET Instais on the first sector of the hard-drive the TRUECRYPT oot Loader, The TRUECRYPT Boot Loader Is loaded before the operating system and it requires the Input of the password for accessing the hard-dive's dat, ‘Starting with version 6.1, TRUECRYPT Introduced a function to display a fake message upon booting by enabling the option "Do not show any texts in the pre-boot authentication screen” ‘and enter the fake error message In the corresponding ‘eld (for example, the “Missing ‘perating system” message, which ts normally dsplayed by the Windows boot loader i It finds ne Windows boot partition). For more information related to TRUECRYPT please visit waww.trueeryptrg, Why do you need to know? + Espacilly investigators without cyber training should be Informed about this so if they do have the password, they can try to Insert it as described above, W necessary ‘+ For proper exemination, a forensic copy or image should be made, The examiner must ‘check the first sector ofthe media. If that contains the message "Truccrypt Boat Losder, means that the hard-drwve or the system partion Is encrypted with TRUECRY®T. The forensic copy must be connected to a forensic computer preferably through write blocker device. After that, the most efficent salition fs to install and launen TRUECRYPT, press "Select Device" bution, choase the target hard-drive from thelist (not @ partion oF the hard-drive), mount it as read-only (as @ complementary safety measure) and Insert the Password. At this point TRUECRYPT maps all the partitions on the drive which can be Forensically examined PUBLIC | _Decurent mace pubiicon: | D4 SEP com | | [|