16 Systems ®





Copyright 2010 16 Systems ®
All Rights Reserved.

TCHunt - FAQ


Q. Can TCHunt break into TrueCrypt volumes?

A. No. TCHunt only locates potential TrueCrypt volumes.


Q. Does TrueCrypt contain backdoors?

A. We have no knowledge of backdoors in TrueCrypt.


Q. Can TCHunt locate sparse volumes?

A. Yes.


Q. Can TCHunt locate hidden volumes?

A. Yes. However, TCHunt cannot differentiate between a standard volume and a hidden one.


Q. Will TCHunt find volumes that lack file extensions or have fake file extensions?

A. Yes. TCHunt ignores file names and file extensions.


Q. Does it matter what version of TrueCrypt was used to create the volume?

A. No. TCHunt can locate volumes created by any version of TrueCrypt up to 6.3a.


Q. TCHunt found all of my TrueCrypt volumes. How does it work?

A. TCHunt searches for four (4) file attributes:
  1. The suspect file size modulo 512 must equal zero
  2. The suspect file size must be at least 19 KB or 275 KB (although in practice we set this to 15 MB)
  3. The suspect file contents pass a chi-square distribution test
  4. The suspect file must not contain a common file header
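
The four checks above as an added Python example; this is not TCHunt's code, whose source is not public. The chi-square acceptance band, the list of common headers, the 64 KiB sample length and all function names are assumptions made for illustration, since the FAQ does not publish those details.

```python
import hashlib
import os
from collections import Counter

SECTOR = 512
MIN_SIZE = 19 * 1024           # legacy minimum from the FAQ (it also cites 275 KB and 15 MB)
CHI_BAND = (150.0, 400.0)      # assumed acceptance band; 255 degrees of freedom, mean 255
MAGICS = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff",
          b"GIF8", b"MZ", b"\x7fELF", b"ID3")   # assumed sample of common headers

def chi_square(sample: bytes) -> float:
    """Pearson chi-square of byte frequencies against a uniform distribution."""
    if not sample:
        return float("inf")
    expected = len(sample) / 256
    counts = Counter(sample)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def failed_checks(size: int, sample: bytes) -> list:
    """Names of the four FAQ checks this file fails; an empty list means 'suspect'."""
    failed = []
    if size % SECTOR != 0:
        failed.append("size_mod_512")
    if size < MIN_SIZE:
        failed.append("min_size")
    # Two-sided: skewed data scores far too high, perfectly even data scores too low.
    if not CHI_BAND[0] <= chi_square(sample) <= CHI_BAND[1]:
        failed.append("chi_square")
    if sample.startswith(MAGICS):
        failed.append("common_header")
    return failed

def scan_file(path: str, sample_len: int = 65536) -> list:
    """Apply the checks to a file on disk, sampling its first sample_len bytes (assumed)."""
    with open(path, "rb") as fh:
        return failed_checks(os.path.getsize(path), fh.read(sample_len))

def random_like(n: int) -> bytes:
    """Constructed stand-in for encrypted data: SHA-256 in counter mode, deterministic."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

if __name__ == "__main__":
    blob = random_like(65536)                       # constructed samples, not real volumes
    text = (b"GET /index.html 200\n" * 4000)[:65536]
    print("random blob :", failed_checks(len(blob), blob))
    print("plus 100 B  :", failed_checks(len(blob) + 100, blob))
    print("web log     :", failed_checks(len(text), text))
    print("PDF header  :", failed_checks(len(blob), b"%PDF" + blob[4:]))
```

The file name never enters the decision, which is why renaming a volume or giving it a fake extension does not change the result.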

Q. Does TCHunt run on Windows 7?

A. Yes. See System Requirements for more information.


Q. Why is 19 KB the minimum file size limit?

A. Because that is the legacy minimum size of a TrueCrypt volume. It is not possible to create a volume smaller than that. Today, 275 KB is the minimum. While these sizes are not very useful for storing large amounts of data, they are a possibility.


Q. Why are mounted TrueCrypt volumes not found?

A. Mounted volumes are self-evident. Also, when a file is locked by another program or process, TCHunt skips it. Learn more about file locking here.


Q. How can I tell when TCHunt has finished searching? Why is there no status bar shown?

A. The window will update as new files are found. When TCHunt is finished, the word Finished will be written in bold red letters. See our user's guide for more details.


Q. What is the format of the report file?

A. Standard HTML using ISO 8601 date and time. When saving a report, use .htm or .html as the file extension, or whichever file extension is associated with your web browser. To view the report, open it with your web browser.


Q. Can TCHunt be translated to my language?

A. Probably. TCHunt has been translated into several languages already. The output is simple and mostly involves accepting the license and viewing the results. You may offer language translations or suggest corrections to existing translations here.


Q. Why write a program such as TCHunt?

A. To demonstrate that while TrueCrypt volumes may be indistinguishable from random data created in one specific fashion, the volumes themselves can be easily distinguished from most other files. Many TrueCrypt users insist that their volumes are undetectable. We hope TCHunt will convince them otherwise, before they learn this fact the hard way. Most importantly, never claim that an encrypted TrueCrypt volume with an mp3 file extension (or whatever) is a corrupt file, etc. While that explanation may seem plausible to an average person, it will not stand up to forensic or legal scrutiny. Data corruption does not resemble AES-encrypted data. Not even remotely. It's not possible. If disclosing the location of your TrueCrypt volumes may lead to legal issues, then say nothing and contact a competent lawyer.


Q. Are you related to the TrueCrypt Foundation? Are you TrueCrypt developers?

A. No. We have no relations.


Q. Hey! TCHunt found some files that are not TrueCrypt volumes (false positive). Why?

A. The algorithm may generate some false positives when testing millions of files. TCHunt takes a very conservative approach to locating TC files. We'd rather have false positives than false negatives as false positives can be easily dismissed if they are indeed false. Also, many false positives are either other forms of encrypted data (e.g. oembios.bin) or files that contain random data (e.g. dd with /dev/urandom as input).


Q. Can TCHunt find encrypted files not created by TrueCrypt?

A. Yes, so long as the files contain the TCHunt attributes. Formatted FreeOTFE volumes are one example. PGP/GPG and openssl do not consistently create encrypted files that contain the attributes, but may occasionally. In addition to encrypted files, files produced by PRNGs that have the attributes would be found too. Using dd with /dev/urandom as input is one example.


Q. Can TCHunt produce a false negative (miss an actual TrueCrypt volume)?

A. It's possible, but not probable. We've tested several million volumes. TCHunt has found all but a few of them. Should a volume happen to be created with a common file header (and that is a possibility), then TCHunt would not find that volume.


Q. Can TCHunt be executed from a floppy disk, USB drive or CD/DVD?

A. Yes.


Q. Does TCHunt have to be installed before I can use it?

A. No. TCHunt is a self-contained, standalone program. Just execute it. To remove TCHunt, delete the executable. That's it.


Q. Does TrueCrypt have to be installed before I can use TCHunt?

A. No.


Q. Does TCHunt connect to the Internet or phone home?

A. No. A network connection is not required to use TCHunt. If you are concerned about this, use a packet sniffer such as Wireshark while using TCHunt.


Q. Is TCHunt Open Source software? May I see the source code? Is it malware?

A. No. We've released our methodology (others have copied it... you may too), but the source code to TCHunt is not publicly available. TCHunt binaries are signed with the 16 Systems PGP key and a Comodo Microsoft Authenticode Certificate. TCHunt contains no malware. Feel free to upload the executable to any of the free, online virus/malware scanning services such as virscan.org.


Q. I like TCHunt, may I get a custom version?

A. As of Jan 1st, 2010, TCHunt is no longer being actively developed. No new versions are planned.


Q. Why do you call it TCHunt?

A. If someone renamed your TrueCrypt volumes and hid them among millions of files of similar size, file extension, modification time, etc., TCHunt would quickly and accurately find the actual TrueCrypt volumes. There can be false positives (as explained above) but they can be easily dismissed.


Q. May I get a Mac, Linux or Unix version?

A. No. Copy files from the computer in question (via CD, DVD, USB memory stick, etc.) to a Windows computer, then run TCHunt.