Throughout this course, many software packages have been discussed in terms of their usefulness and application in a computer forensics environment. I have chosen to write about encryption as well as anti-spyware software. Specifically, I will discuss TrueCrypt and Spybot – Search and Destroy.
TrueCrypt is a freely available disk encryption package. It is also open-source, which allows independent developers to legally modify or expand upon the software at their discretion, so long as all applicable terms and conditions of the TrueCrypt license are met. TrueCrypt is also multi-platform, so it is not operating-system dependent: it supports Windows, Mac OS X, and Linux distributions. TrueCrypt volumes are also platform-independent and can be mounted on different operating systems.
There are several different ways to use TrueCrypt to encrypt sensitive files and to provide a layer of privacy. TrueCrypt can be used to encrypt entire hard drives, flash drives, and partitions. It can also force pre-boot authentication by encrypting the drive or partition on which an operating system is installed. The end-user of TrueCrypt can also provide fake boot error messages during the pre-boot authentication phase when the encryption password is entered incorrectly.
TrueCrypt also has a semi-portable mode, in which TrueCrypt does not have to be installed in order to be executed. However, this requires administrative privileges in Windows due to driver requirements, and it has the potential to leave traces behind in the Windows registry. If this is a problem, TrueCrypt also allows the end-user to create hidden operating systems and hidden volumes. These offer the end-user potential plausible deniability in legal proceedings, as well as when dealing with extortion. This is a very useful feature when dealing with U.S. legal proceedings, as precedent has yet to be set regarding encryption and whether being compelled to provide an encryption password is a breach of U.S. Fifth Amendment rights.
Hidden volumes in TrueCrypt allow the end-user to nest a volume, referred to as the hidden volume, inside a standard TrueCrypt volume. This allows the end-user to give up the password for the standard volume without revealing the hidden volume inside. A similar concept is used when creating hidden operating systems. Two passwords would be set up for pre-boot authentication: one to launch a fake or 'decoy' operating system, and the other to launch the hidden operating system contained inside a hidden volume.
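The two-password behaviour described above, as a simplified model added here (not TrueCrypt's code or on-disk format): each header slot is decrypted with a key derived from the password and accepted only if a known marker appears. The slot size, marker, salted PBKDF2 parameters, the HMAC-based keystream standing in for a real cipher, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"   # marker expected after a correct decryption (model assumption)
SALT_LEN = 16     # constructed sizes, not the real header layout
SLOT = 64         # one header slot: salt + encrypted body
ITERATIONS = 1000 # kept low so the example runs quickly

def keystream(key, n):
    # HMAC-SHA512 in counter mode: a stand-in for a real block cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha512).digest()
        counter += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)

def make_slot(password, label):
    # Fresh random salt per slot; body is MAGIC + label, zero-padded.
    salt = os.urandom(SALT_LEN)
    body = (MAGIC + label).ljust(SLOT - SALT_LEN, b"\0")
    return salt + xor(body, keystream(derive_key(password, salt), len(body)))

def try_slot(password, slot):
    # Trial decryption: the slot "belongs" to this password only if MAGIC appears.
    salt, enc = slot[:SALT_LEN], slot[SALT_LEN:]
    body = xor(enc, keystream(derive_key(password, salt), len(enc)))
    return body[len(MAGIC):].rstrip(b"\0") if body.startswith(MAGIC) else None

def build_container(outer_pw, hidden_pw=None):
    # With no hidden volume, the second slot is filled with random bytes,
    # so both kinds of container have the same size and shape.
    outer = make_slot(outer_pw, b"outer")
    hidden = make_slot(hidden_pw, b"hidden") if hidden_pw else os.urandom(SLOT)
    return outer + hidden

def mount(container, password):
    # Try the password against each slot in turn; report which volume opened.
    for offset in (0, SLOT):
        label = try_slot(password, container[offset:offset + SLOT])
        if label is not None:
            return label.decode()
    return None
```

A container built without a hidden password has the same length, and its second slot is random bytes, which is why the header alone does not show whether a hidden volume exists.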
TrueCrypt supports several encryption algorithms, as well as several hash algorithms, so that the end-user can choose a preferred algorithm and hash. TrueCrypt can also cascade several different encryption algorithms together in order to provide more layers of encryption security. TrueCrypt also allows the end-user to salt...