Detecting Hidden Encrypted Volumes

  • Christopher Hargreaves
  • Howard Chivers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6109)


Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive anti-forensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypted container can be obtained from a single disk image of Windows Vista and Windows 7 systems using the Volume Shadow Copy feature, and how the changes between shadow copies can be visualised to detect hidden volumes. The visualisation assists in the presentation of this information to a court, and exposes patterns of change which allows the size and file system of the hidden volume to be determined.


Forensic Computing Encryption Hidden Volumes RIPA TrueCrypt 


  1. 1.
    Casey, E.: Practical Approaches to Recovering Encrypted Digital Evidence. International Journal for Digital Evidence 1 (2002)Google Scholar
  2. 2.
    Wolfe, H.B.: Encountering Encrypted Evidence (Potential). In: Proceedings of the 4th Conference on Information Technology Curriculum (2002)Google Scholar
  3. 3.
    Wolfe, H.: Encountering Encryption. Computers and Security 22, 388–391 (2003)CrossRefGoogle Scholar
  4. 4.
    Wolfe, H.: Penetrating Encrypted Evidence. Digital Investigation 1, 102–105 (2004)CrossRefGoogle Scholar
  5. 5.
    United Kingdom: Regulation of Investigatory Powers Act 2000. HMSO (2000)Google Scholar
  6. 6.
    Home Office: Investigation of Protected Electronic Information: Code of Practice (2007)Google Scholar
  7. 7.
    TrueCrypt: TrueCrypt Documentation (2009),
  8. 8.
    TrueCrypt: TrueCrypt Documentation: Hidden Volume (2009)Google Scholar
  9. 9.
    Czeskis, A., Hilaire, D.J.S., Koscher, K., Gribble, S.D., Kohno, T., Schneier, B.: Defeating encrypted and deniable file systems: TrueCrypt v5. 1a and the case of the tattling OS and applications (2008)Google Scholar
  10. 10.
    Craiger, J.P., Pollitt, M., Swauger, J.: Law Enforcement and Digital Evidence (2005),
  11. 11.
    Microsoft: Learn about the features: Shadow Copy (2007),
  12. 12.
    Microsoft: System Restore: frequently asked questions (2008)Google Scholar
  13. 13.
    Titheridge, D.: Microsoft Windows Vista Registry. MSc. Cranfield University (2009)Google Scholar
  14. 14.
    Carrier, B.: File System Forensic Analysis. Addison-Wesley, Reading (2005)Google Scholar
  15. 15.
    Sammes, T., Jenkinson, B.: Forensic Computing: A Practitioners Guide, 2nd edn. Springer, Heidelberg (2007)Google Scholar
  16. 16.
    Microsoft: Default cluster size for NTFS, FAT, and exFAT (2009),
  17. 17.
    Assange, J., Weinmann, R.P., Dreyfus, S.: Rubberhose, (Undated)
  18. 18.
    Hargreaves, C., Chivers, H.: Recovery of Encryption Keys from Memory Using a Linear Scan. In: The International Workshop on Digital Forensics, Barcelona, Spain (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Christopher Hargreaves
    • 1
  • Howard Chivers
    • 1
  1. 1.Centre for Forensic ComputingCranfield UniveristyShrivenhamUK

Personalised recommendations