Internet privacy and security course

Chapter 109

Creation of double-bottom cryptocontainers

If you are reading this course to set up comprehensive security for your devices, you should already have switched to using cryptocontainers. All information that you regularly work with on a computer should be distributed across cryptocontainers; this is a fundamental rule.

But you surely have information that you would like to hide especially reliably, because malefactors have many ways of breaking into cryptocontainers. There are two ways to solve this problem: the first is masking cryptocontainers, the second is using double-bottom cryptocontainers.

The essence of a double-bottom cryptocontainer is extremely simple: when you enter one password, it shows one set of data, and when you enter another, it shows different data. No software or hardware can prove that a double bottom exists; if access is demanded and you cannot refuse, you can give access to the “public” content, and no one will know about the double bottom or its contents (I will show with a real-life example that this is a myth).

While preparing this material, I came across the common opinion that the hidden area of a cryptocontainer can be identified by clearing the open part and checking the free space. If there is a hidden area, it will take up space, and it will become obvious that the cryptocontainer has a double bottom.

This is actually a myth. The presence of a hidden cryptocontainer does not affect the main one, even if the hidden part takes up a huge share of the space. If you place in the cryptocontainer a file that is larger than the free area of the cryptocontainer, it will be written over the hidden part without revealing its presence.

Double-bottom cryptocontainers are created in the same way in TrueCrypt and VeraCrypt, and in the same way on all operating systems. We will use VeraCrypt on macOS as an example.

From the main program window, click Create Volume.


Next, choose to create a file container by selecting Create an encrypted file container.


On the next screen, select the creation of a hidden cryptocontainer: Hidden VeraCrypt volume.

Next comes the creation of a normal cryptocontainer; we have already described this procedure, and I see no reason to repeat it.

When formatting is complete, you will be offered the option to open the created area by pressing Open Outer Volume. Note that this opens the outer area, not the hidden one yet.

This is where you place the files that will be presented as the contents of the cryptocontainer in case of force majeure. If you don’t want to do this now, it can be done at any time later. After saving the files there, go back to VeraCrypt and click Next.

The next step is to create the hidden part. I recommend allocating no more than 15% of the total size to the hidden part, although it certainly depends on the size of the files you put in the main storage of the cryptocontainer. I see no point in describing the next steps; if you have ever created a cryptocontainer, you will not find anything new.

Now you have a double-bottom cryptocontainer. When mounting the cryptocontainer, you will open the public or the hidden part depending on which password you enter.

To conclude, I want to relate a case told to me by a forensics specialist who often had to attend the arrests of criminals. At the beginning of his career, he took part in a search of the apartment of bank fraudsters; after the riot police had done their work, he was let into the apartment and immediately went to the detainees' computer.

It was an ordinary desktop computer with Windows 7; the system was turned off but not encrypted, and it took 10 minutes to break into it. Upon logging in, the expert saw a fairly clean desktop and user folders, which is always suspicious. An unpleasant discovery was the installed TrueCrypt and one large cryptocontainer on the desktop.

The owner of the computer, who was observing the search, immediately agreed to give up the password, although nobody had asked for it yet. The password worked; three useless files appeared in the cryptocontainer, which had last been opened more than six months earlier. At the same time, the cryptocontainer itself had been opened at night.

The size of all files found by the expert was just over 7 MB, and the size of the cryptocontainer was 25 GB. According to the data obtained from the operating system, TrueCrypt was launched on the computer regularly, and there were no other cryptocontainers.
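The two mismatches the expert noticed here, visible files that fill only a tiny share of the container and a container still in use long after the last activity on any file inside it, can be checked with a short script. The Python code below is an added example, not part of the original course or of any tool named in it; the function names, the thresholds and the constructed sample data are assumptions, and the time the container was last used must be supplied by the examiner from operating-system artifacts.

```python
import os
import tempfile
import time

DAY = 86400.0

def triage_container(container_path, mount_point, container_last_used,
                     min_fill_ratio=0.01, max_gap_days=30.0):
    """Return (fill_ratio, gap_days, indicators) for a mounted container.
    container_last_used is an epoch timestamp taken from operating-system
    artifacts, not from the container file itself. Both thresholds are
    assumptions; a hit is a lead for further examination, not proof."""
    visible_bytes, last_file_use = 0, 0.0
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            st = os.stat(os.path.join(root, name))
            visible_bytes += st.st_size
            last_file_use = max(last_file_use, st.st_atime, st.st_mtime)
    size = os.stat(container_path).st_size
    fill_ratio = visible_bytes / size if size else 0.0
    # How long after the newest file activity the container was still in use.
    gap_days = (container_last_used - last_file_use) / DAY if last_file_use else None
    indicators = []
    if fill_ratio < min_fill_ratio:
        indicators.append(f"visible files fill {fill_ratio:.4%} of the container")
    if gap_days is not None and gap_days > max_gap_days:
        indicators.append(f"container used {gap_days:.0f} days after the newest file activity")
    return fill_ratio, gap_days, indicators

def build_sample(base, container_bytes, file_bytes, file_age_days, now):
    """Constructed sample: a sparse container file and a directory standing in for its mount."""
    container = os.path.join(base, "sample.container")
    with open(container, "wb") as fh:
        fh.truncate(container_bytes)
    mount = os.path.join(base, "mounted")
    os.makedirs(mount)
    stamp = now - file_age_days * DAY
    for i in range(3):
        path = os.path.join(mount, f"file{i}.bin")
        with open(path, "wb") as fh:
            fh.write(b"\0" * (file_bytes // 3))
        os.utime(path, (stamp, stamp))
    return container, mount

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        c, m = build_sample(tmp, 25 * 1024**2, 7 * 1024, 190, now)
        print(triage_container(c, m, now - 0.5 * DAY))
```

A large, nearly empty container is also consistent with a volume that is simply underused, so the result only tells the examiner where to look next.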

An analysis of the system logs showed that the portable Tor browser, the Firefox browser and popular instant messengers had been launched on the computer, and some documents had been opened, which indicated the existence of a cryptocontainer. At the same time, the browser preinstalled in the system had never been used.

Earlier, the Internet traffic of this apartment had been monitored, which also indicated regular use of the Tor network, but no installed Tor browser was found on the computer.

But this is not the main thing. In the course of the forensic analysis, the titles of documents opened on the computer were found, some of which needed no explanation, such as the Microsoft Word documents “list of banks”, “estimates” and “instruction for Trojan”.

More interesting were the thumbnails of opened images, which are stored on the computer even if the file itself is in a cryptocontainer or on an external medium. Photos of bank cards and bank documents were clearly distinguishable in the thumbnails.

In "Secrets of safe work with cryptocontainers" we told you how to delete this data, but those hackers had not read it. Of course, the expert wrote his conclusion, in which he noted the presence of a hidden part, the programs launched, the documents opened, the images, and the attempt to mislead the investigators.

As you can see, it is not so difficult for a specialist to detect the trick, which is why I remain a supporter of emergency erasure systems. You can use a hardware system for electromagnetic data destruction, put the key to the cryptocontainer on a microSD card and destroy it in case of force majeure, or install the Panic Button emergency data erasure system.
