TrueCrypt
=== Identifying TrueCrypt volumes ===

When analyzed, TrueCrypt volumes appear to have no header and contain random data.<ref>Piccinelli, Mario, and Paolo Gubian. "Detecting Hidden Encrypted Volume Files via Statistical Analysis." International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3.1 (2014): 30-37.</ref> TrueCrypt volumes have sizes that are multiples of 512 due to the block size of the cipher mode,<ref name=modes/> and key data is either 512 bytes stored separately in the case of system encryption or two 128 kB headers for non-system containers.<ref>{{cite web | title =TrueCrypt Volume Format Specification | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/volume-format-specification | archive-url =https://archive.today/20130619023456/http://www.truecrypt.org/docs/volume-format-specification | url-status =dead | archive-date =19 June 2013 | access-date =24 May 2014}}</ref> Forensic tools may use these properties (file size, apparent lack of a header, and [[randomness test]]s) to attempt to identify TrueCrypt volumes.<ref>{{cite web |url=http://16s.us/software/TCHunt/tchunt_faq.txt |title=Archive |url-status=dead |archive-url=https://archive.today/20140507093925/http://16s.us/software/TCHunt/tchunt_faq.txt |archive-date=7 May 2014 |access-date=2 March 2017 |df=dmy-all }}</ref> Although these features give reason to suspect that a file is a TrueCrypt volume, some programs exist for the purpose of securely erasing files by overwriting file contents, and free disk space, with purely random data (e.g. "shred" and "scrub"<ref>{{cite web | title = diskscrub - disk overwrite utility - Google Project Hosting | url= http://code.google.com/p/diskscrub/ |access-date=16 July 2014}}</ref>). Files left behind by such tools share the same properties, which creates reasonable doubt against a pointed accusation that a file made of statistically random data must be a TrueCrypt volume.<ref name=deniability/><ref>{{cite web | title =Plausible Deniability | publisher =[[FreeOTFE]] | url =http://www.freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-url = https://web.archive.org/web/20130124091432/http://freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-date = 24 January 2013}}</ref> If a system drive, or a partition on it, has been encrypted with TrueCrypt, then only the data on that partition is deniable. When the TrueCrypt [[boot loader]] replaces the normal boot loader, an offline analysis of the drive can positively determine that a TrueCrypt boot loader is present and so lead to the logical inference that a TrueCrypt partition is also present. Although there are features to obfuscate its purpose (e.g. displaying a BIOS-like message such as "Non-system disk" or "disk error" to misdirect an observer), these reduce the functionality of the TrueCrypt boot loader and do not hide its content from offline analysis.<ref>[http://www.truecrypt.org/faq TrueCrypt FAQ] - see question ''I use pre-boot authentication. Can I prevent a person (adversary) that is watching me start my computer from knowing that I use TrueCrypt?''</ref> Here again, the use of a hidden operating system is the suggested method for retaining deniability.<ref name=hiddenOS/>
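The identification heuristics described above (a size that is a multiple of 512, no recognisable file header, and content that passes a randomness test), together with the false-positive caveat about files overwritten by shred-style tools, as an added Python example. This is not TrueCrypt, TCHunt or any other forensic tool's code; the magic-number table, the reading of the 128 kB header as 128 × 1024 bytes, and the chi-square threshold are this example's own assumptions, and every input it examines is constructed in the script.

```python
"""Toy detector for 'headerless, statistically random' files of the kind
forensic tools flag as possible TrueCrypt containers (added example;
thresholds and magic table are assumptions, not any tool's real values)."""
import math
import os
import random

SECTOR = 512                 # volume sizes are multiples of the 512-byte cipher block size
HEADER_BYTES = 128 * 1024    # assumption: the article's "128 kB" header read as 128 KiB
MIN_VOLUME = 2 * HEADER_BYTES  # a container must at least hold its two header areas
CHI2_THRESHOLD = 330.0       # roughly the 99.9th percentile of chi-square with 255 degrees
                             # of freedom; truly random bytes exceed it about 1 time in 1000

# Small table of common file signatures (assumed set, not exhaustive).
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP",
    b"%PDF": "PDF",
    b"\x7fELF": "ELF",
    b"\xff\xd8\xff": "JPEG",
    b"\x1f\x8b": "gzip",
    b"MZ": "PE/MZ",
}


def identify_header(data: bytes):
    """Return the format name if the file starts with a known signature, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    Random-looking data scores near 255; structured data scores far higher."""
    if not data:
        return float("inf")
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(data: bytes) -> dict:
    """Apply the three heuristics and return the individual results plus a verdict."""
    header = identify_header(data)
    chi2 = chi_square_bytes(data)
    result = {
        "size_ok": len(data) >= MIN_VOLUME and len(data) % SECTOR == 0,
        "header": header,
        "chi_square": chi2,
        "entropy": shannon_entropy(data),
    }
    # Flag only when all three properties hold; note this says "could be a
    # container", not "is one": scrubbed files pass exactly the same checks.
    result["suspicious"] = result["size_ok"] and header is None and chi2 < CHI2_THRESHOLD
    return result


def make_samples() -> dict:
    """Constructed inputs; none of them is a real TrueCrypt container."""
    flat = bytearray(bytes(range(256)) * (MIN_VOLUME // 256))  # perfectly flat histogram
    random.Random(1).shuffle(flat)                             # deterministic byte order
    flat = bytes(flat)
    return {
        "ciphertext-like (uniform bytes)": flat,
        "scrubbed with os.urandom": os.urandom(MIN_VOLUME),    # what shred/scrub leave behind
        "odd size (not a sector multiple)": flat[:-1],
        "PNG header, random body": b"\x89PNG\r\n\x1a\n" + os.urandom(MIN_VOLUME - 8),
        "text-like": b"The quick brown fox jumps over a" * (MIN_VOLUME // 32),
    }


if __name__ == "__main__":
    for name, blob in make_samples().items():
        r = assess(blob)
        print(f"{name:34s} size_ok={str(r['size_ok']):5s} header={str(r['header']):6s} "
              f"chi2={r['chi_square']:10.1f} H={r['entropy']:.4f} suspicious={r['suspicious']}")
```

Running it shows the point the paragraph makes: the "scrubbed with os.urandom" sample receives the same verdict as the ciphertext-like one, because the heuristics measure only size, absence of a header and statistical randomness, none of which distinguishes an encrypted container from a file that has been overwritten with random data.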