IFIP International Conference on Communications and Multimedia Security

CMS 2010: Communications and Multimedia Security pp 233-244

Detecting Hidden Encrypted Volumes

  • Christopher Hargreaves
  • Howard Chivers
Conference paper

DOI: 10.1007/978-3-642-13241-4_21

Volume 6109 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Hargreaves C., Chivers H. (2010) Detecting Hidden Encrypted Volumes. In: De Decker B., Schaumüller-Bichl I. (eds) Communications and Multimedia Security. CMS 2010. Lecture Notes in Computer Science, vol 6109. Springer, Berlin, Heidelberg

Abstract

Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive anti-forensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypted container can be obtained from a single disk image of Windows Vista and Windows 7 systems using the Volume Shadow Copy feature, and how the changes between shadow copies can be visualised to detect hidden volumes. The visualisation assists in the presentation of this information to a court, and exposes patterns of change which allow the size and file system of the hidden volume to be determined.

Keywords

Forensic Computing; Encryption; Hidden Volumes; RIPA; TrueCrypt

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Christopher Hargreaves (1)
  • Howard Chivers (1)
  1. Centre for Forensic Computing, Cranfield University, Shrivenham, UK