Saturday, September 7, 2013

Plausible deniability of a hidden OS - Part 3

This is Part 3 of a 4 part post on using TrueCrypt to create a hidden operating system.

Links to each section:
Part 1 - (Un)boring intro with all the snazzy info
Part 2 - Setup your second partition
Part 3 - Setup your first partition (sounds backwards, I know) -- you are here
Part 4 - Other cool stuff -- COMING SOON


Part 3 - Setup your first partition


~So now that you have copied your operating system from Partition 1 to the inner volume of Partition 2 we need to securely wipe the contents of Partition 1. Otherwise, even if you reinstall Windows on Partition 1, someone with forensic capabilities may be able to recover the previous Windows installation Partition 1 and thereby build a case that you have a hidden operating system, etc.



~Using the default Department of Defense standard of 3 passes of random ones and zeros for wiping is quite adequate in my opinion. For utter paranoia, try additional passes -- though that could put your wipe time at days or weeks!...



~Click Wipe:



~Click OK here:



~More mouse fun! The more you move your mouse, the more securely and randomly Partition 1 will be wiped!


~Wiping in some cases can take all day/night, even at 3 passes. Other factors of course include the size and speed of your drive.


 ~Here is the success dialog:



 ~Click Exit:



~So now it is time to go ahead and install a fresh copy of Windows on Partition 1 as a decoy operating system. Just pop a Windows disc in there and install on Partition 1. (Don't accidentally install onto or delete Partition 2!!) Once that's done, download TrueCrypt onto the fresh decoy install and choose Create Volume. Then choose Normal since this will be the decoy installation and press Next:




~Choose Encrypt the Windows system partition...




~Choose Single-boot



~Make sure you select the same encryption algorithm here that you did when you created the inner volume on Partition 2. They must be the same because both the decoy and hidden operating systems use the same bootloader and there is a different bootloader for each algorithm.




 ~More mouse fun! Great to feel like you are a part of the process, huh? :-) Move that mouse for the greater good of your encryption strength!



~Click Next...




~Somewhere in there it asks you for the password. Can't remember at which point. (Oopsie.) Anyway, when it does, you need to enter Password A for the decoy operating system. Do you need any more sermons about secure passphrases and whatnot? Didn't think so. ;)





~It will also ask you about creating a rescue disc. Creating a rescue disc is pretty important, as you can see below. It might sound scary to have it laying around, but your system will still require the password even when using the rescue disc. It's not really a vulnerability any more than the presence of the bootloader itself which is put on your hard drive. Just make sure you put it in a safe place so you don't lose it.



~TrueCrypt creates an ISO and then helps you burn it to optical media as a rescue disc:


~The rescue disc is verified to make sure it was a good burn:


 ~Now we are going to tell TrueCrypt how we want the data wiped from Partition 1. Wiped again, you say? Yup. The last time we wiped Partition 1 was to wipe operating system from it that was copied to the inner volume of Partition 2. This time TrueCrypt is going to encrypt the decoy operating system and wipe the unencrypted version of it. If it didn't, then someone could potentially do forensics on Partition 1 and recover the unencrypted version of the decoy operating system. This would be especially bad for those who use their decoy system for activities which are of a lower level of sensitivity but sensitive, nevertheless. As stated earlier, the default of 3 passes should be quite adequate.



~As stated, this will take a while once it actually starts which will happen later...


~TrueCrypt is going to test everything before doing the final encryption and wipe. Click Test:


 ~TrueCrypt informs you that this is not the real thing and that actual encryption will not take place. However, if the test fails, then Window may fail to start. If this does occur, you can come back here and read the various options for repair. Hopefully, you will be good though.



~I scrolled down and took another photo:




~Time to test, then. Click Yes and then when your computer reboots it will prompt you for Password A. If you have any trouble, see the 2 previous images.



~After you've rebooted and typed Password A, hopefully this is what you are now looking at. TrueCrypt warns here that in the event of power loss or a system crash during the encryption process, data on the decoy operating system may be gone forever. I didn't mention backups sooner because I am assuming that you followed my advice in Part 2 and used a clean system with a fresh Windows install. So hopefully, you don't even need backups. If you do, read the instructions here on how to defer, backup data and then resume. If you don't need to make backups, then click Encrypt.



~The next 3 photos provide instructions on how to troubleshoot any potential future booting issues with the rescue disc... Press OK.





~TrueCrypt is now encrypting your decoy operating system on Partition 1! Folks, this is even more amazing than it may seem. It's actually quite remarkable. Think about it. What's happening here is that while booted into Windows (not a live environment!) TrueCrypt is encrypting the currently booted Windows AND wiping the non-encrypted version of it all on the fly without even rebooting. WHAT? How is that even possible? It's more magic from the TrueCrypt people!! If this doesn't make you feel like donating, what will???!!!




~If you want, you can setup additional non-system encrypted volumes to be mounted at boot up, but that is outside the scope of this article. 



~You can click Do not show this again here:



~But if you had clicked Show more information you would have seen this, which was shown earlier -- so not that big of a deal.


~Alright, let's test this baby! If you reboot, you should get the bootloader shown below. If you type Password A, you get the decoy operating system on Partition 1. If you type Password B, you will get the hidden operating system on the inner volume of Partition 2! Don't worry, if you press Escape it doesn't really bypass authentication as long as you have encrypted the drive (which you just did.) It would only work if you had a TrueCrypt bootloader sitting on top of an unencrypted system, which is not the case here.



~If instead of typing the password or Escape you press F8, you will get some options which you will hopefully never need. Most of these options are only there because this same bootloader gets copied to the rescue disc and would be run from there.



~Awesome! So you've set up your system! In Part 4 I will boot into a live CD just to prove out whether or not I can see the encrypted data and show you some cool stuff, so stay tuned!

Links to each section:
Part 1 - (Un)boring intro with all the snazzy info
Part 2 - Setup your second partition
Part 3 - Setup your first partition (sounds backwards, I know) -- you are here
Part 4 - Other cool stuff -- COMING SOON

Friday, September 6, 2013

Plausible deniability of a hidden OS - Part 2

This is Part 2 of a 4 part post on using TrueCrypt to create a hidden operating system.

Links to each section:
Part 1 - (Un)boring intro with all the snazzy info
Part 2 - Setup your second partition -- you are here
Part 3 - Setup your first partition (sounds backwards, I know)
Part 4 - Other cool stuff -- COMING SOON


Part 2 - Setup your second partition

This section guides you through setting up the outer and inner volumes on Partition 2. Some of the images are a little too small to read but all you have to do is click on them to enlarge. One other note: It can sometimes get confusing on blog posts whether the paragraph of text applies to the image above it, or the image below it. Well, in this case the paragraphs of text always apply to the image below, if there is one.

Throughout this processs you may want to refer back to this quick rundown of the passwords you will need to assign and their roles:

-Password A: This is the password that you will use for the decoy operating system on Partition 1.
-Password B: This is the password that you will use for the hidden operating system on the inner volume of Partition 2
-Password C: This is the password that you will use for the outer volume on Partition 2 which will contain decoy files (not the decoy operating system)

Okay, let's get started.


~~ First download and install TrueCrypt for Windows here. Note: TrueCrypt can only create an encrypted operating system boot setup for Windows. Mac and Linux are supported for encrypted volumes, but not an encrypted operating system. However, there are other options available for other operating systems, so hit up Google.

~~ Next, you need to setup your partitioning to prepare for the encryption like this:

First partition = Your current Windows installation which will later be moved to the second partition and hidden (The way TrueCrypt does things here is that as part of the wizard the current installation of Windows will be moved to the inner volume of the second partition and hidden. It may be a good idea to start with a fresh install of Windows.)
Second partition = At least 2.1 times larger than the first partition

Here's how I set mine up (click the image to enlarge):

(click to enlarge)

NOTE: You may do better finding a partitioning scheme that doesn't potentially give away that you are using a hidden partition. If someone coerces you into giving them access to the decoy operating system and they see that the second partition is 2.1 times larger that the first partition, this could be a give away -- though it's still technically plausibly deniable. Try using a partitioning scheme that makes the second partition more like 2.5 or 3 times larger. As long as it is at least 2.1 times larger, you are okay.

While we're on the topic of partitioning, if at some point near the beginning of the encryption wizard you get the dialog shown below then click yes, reboot and start over. Paging files on a non-system partitions is a no-go in an encrypted setup.


Also, in order to get your partitioning the way you want it, you may need to shrink your system partition. If you have Windows 7, this is actually pretty easy to do through Disk Management. Check Google. Can't remember if you can shrink Vista, but who really cares, right? ;) If you get errors when shrinking your system partition, their are some tricks you can do to correct that including running a defrag, etc. That's outside the scope of this article, so please check Google. Oh, and shrinking XP without system damage is next to impossible, though not completely.

~~ Okay, so once you've got your partitioning in order, go ahead and open TrueCrypt and choose System>Create Hidden Operating System


~~ Read the happy little dialog about someone holding a gun to your head and then click OK:

~~ Below is actually one of the most useful informational dialogs we will see during the wizard and explains the anatomy pretty well! Read and click next of course...


(click to enlarge)
~~ So basically this next dialog is saying that your current installation of Windows is going to be moved to the hidden volume on Partition 2 and that you will have to reinstall Windows from scratch onto Partition 1. If you have Windows installation media, click yes.





~~ The next dialog is mainly telling you that whenever you are booted into your hidden operating system, you will not be able to write to any unencrypted filesystems that you may happen to have. This is a good thing because if you did mount an unencrypted file system, later forensics may be performed on the unencrypted file system to determine if it was mounted from a different operating system other than the decoy operating system. This could give away your hidden operating system.





~~ Here you need to choose Single-boot even though we are going to setup 2 separate operating systems. Setting up Multi-boot is actually a whole different thing and is outside the scope of this article:




~~ Make sure Windows is activated before you proceed. You don't want to be activating a hidden operating system with Microsoft's servers when it is supposed to be invisible. Don't blow your cover!:



~~ This dialog may seem a little confusing but take a look at the chart shown in Part 1 and it should make a lot more sense. On most systems, the wording "first partition behind the system partition" will simply translate to mean your second partition.


~~ Going with the defaults should be fine here. But if you want to geek out on different algorithms, go for it!



 ~~ Double check that the partitioning looks right:



 ~~ Here you will create Password C. If you can't remember which is Password C, check the big diagram in Part 1.



~~ Do you intend to store files larger than 4 GB on the outer volume of the second partition? (Probably not. Remember, this is the volume containing decoy flat files.)


~~ I would go with the defaults here:




~~ Just double checking! Are you sure you don't have anything stored on the second partition that you don't want deleted?!


~~ This may take a while...


~~ So if you are coerced into giving up Password A for the decoy operating system installed on Partition 1, an adversary may notice Partition 2 and plausibly deduct that it contains encrypted data. Then they may force you to give them Password C. Not to fear, however. Password C only gives them access to the outer volume of Partition 2 which will contain fake data in the form of flat files which are only a decoy. It's now time for you to go ahead and create some fake files and copy them over to the outer volume on Partition 2. This is kind of funny. Um. Okay. How about a file that has a fake plan of attack? Or maybe a list of bogus secret contacts? Of course, keep in mind that your adversaries have Google, too, and if they read this blog post then they may be looking for these, lol. So be creative. Go on...Create some fake files already!

Oh, you may wondering, "If they see a second partition and coerce me into revealing the password to the outer volume, can't they accuse me of having an inner volume, too? Won't they know I have a hidden operating system?" Good thinking. They can certainly try to guess that this is the case but you will be able to plausibly deny it. The decoy OS can't be plausibly denied because of the password prompt at boot (unless you removed it) and because most people have an operating system on their computer, of course. The outer volume on the second partition can't quite be plausibly denied because the it doesn't make a lot of sense to have a second partition just sitting there with random ones and zeros. The inner volume on the second partition can be plausibly denied because the outer volume on the second partition is a plausible explanation for the random ones and zeros on the second partition. Getting confused? Read this paragraph 3 times slowly. ;)

The way this all works is that the inner volume on Partition 2 uses the free space of the outer volume on Partition 2. Genius, huh? However, this means that if you write too many files onto the outer file you could corrupt the inner volume. Once you get everything setup, TrueCrypt has a handy checkbox for protecting the inner volume when mounting. For now though, you need to read the dialog carefully and take note of the space limits. (This will be covered more in Part 4.) Then click Open Outer Volume and create/copy your decoy flat files. Leave the TrueCrypt wizard open while you do this. Return to the wizard when you are done and click next.

NOTE: What about a data forensics expert noticing that the free space on the outer volume of the second partition contains random ones and zeros instead of say, being zeroed out? The hidden operating system is still plausibly deniable because the claim could be made by the victim that at one point they shredded data in that location with a software tool that overwrites with random bits, per common practice. Thus, random bits were left on that volume.




~~ We've completed the outer volume on the second partition and placed decoy files in it. Now it's time to create the inner volume on the second partition and copy the operating system from Partition 1 to the inner volume of Partition 2. Click Next here:



~Make sure you write down what algorithm you use in the next steps! (Wasn't important for previous steps.)  The decoy operating system on Partition 1 must use the same encryption algorithm as the hidden operating system on the inner volume of Partition 2. This is because there is a different TrueCrypt bootloader for each encryption algorithm.



~Going with the default encryption algorithms should be fine, just remember which one you used!!:




~Remember, this whole setup is pointless if you don't use a Fort Knox kinda password. For all three passwords, consider using a passphrase that is at least 20 characters long and contains uppercase, lowercase, numerals and symbols. Don't take hours and hours setting up a hidden operating system and then use the name of your dog in h4x0R. Please. Also, don't use similar passwords for Password A, Password B and Password C. Otherwise, if an adversary suspects a hidden operating system and you have already given them Password A and Password C, they may be able to derive Password B.



~Oh, and please don't write this on a post it note and put it on your wall or under your keyboard. Sigh. If you are going to use spy-level technology, you are going to have to be a good spy. This means being a good memorizer. :) ...Enter Password B:




 ~Time for some mouse fun! TrueCrypt uses your mouse movements within this dialog to increase the strength of the encryption. Draw some stick figures. Pretend you are a post modern painter gone wild with their brush. How long? Oh, maybe 2 minutes? Up to you...


~Okay, the encrypted inner volume on Partition 2 has been created:


~Now you need to copy the operating system from Partition 1 to the inner volume of Partition 2. This is going to take place after a reboot from a TrueCrypt live environment (not Windows). I don't recommend interrupting it. Click Start.



~Click Yes.



~Enter Password B:




 ~Go do a little yard work or something:


~Cool! It's done...Enter Password B:




 ~So once you've booted into your hidden operating system, pull up Disk Management and be freaked out. It looks like you are booted to Partition 1! You're not, don't worry. This is just the behavior of a TrueCrypt hidden operating system. This next dialogue explains further:


~This next huge dialog is basically reminding you that you can only write to encrypted filesystems when booted to the hidden operating system. Writing to unencrypted filesystems could give away the presence of the hidden operating system by leaving traces in those filesystems. Down at the bottom, it tells you how to securely transfer files from the decoy operating system to the hidden operating system.




After you click OK on the window above, the next dialog guides you through tasks for Partition 1. Hang tight and continue onto Part 3 for that by clicking here.

Click here to go to Part 3 - Setup your first partition

Links to each section:
Part 1 - (Un)boring intro with all the snazzy info
Part 2 - Setup your second partition -- you are here
Part 3 - Setup your first partition (sounds backwards, I know)
Part 4 - Other cool stuff -- COMING SOON