Thursday, September 5, 2013

Plausible deniability of a hidden OS - Part 1

So just in case you are like a spy or just extremely paranoid, I've got a post for you on how to create a system with TrueCrypt (free) that dual boots between an encrypted decoy Windows operating system and an encrypted hidden Windows operating system. Such a hidden system in theory cannot even be proven to exist by the best computer forensics investigation techniques in use at the time of this post. By employing this particular type of encryption, one can potentially achieve plausible deniability in regards to the presence of a hidden operating system.



Now if you want to find a quick tutorial online on how to do this, Google will serve you well. There are quite a few. But if you want to fully understand the anatomy and architecture of this technology and a full explanation of the many confusing dialog boxes you will encounter during your adventure, this is place for you. I will strive to explain in detail while still keeping things as straightforward and simple as possible.

This will be in four parts:
Part 1 - (Un)boring intro with all the snazzy info -- you're reading this now!
Part 2 - Setup your second partition
Part 3 - Setup your first partition (sounds backwards, I know)
Part 4 - Other cool stuff -- COMING SOON

So why use a hidden operating system or why even use encryption at all? Well, let's look at your choices...

1. No encryption at all: Not good. Anybody can boot your computer into a Linux live CD like Knoppix or whatever and view all your flat files to their heart's content. If your laptop is stolen or lost, you are toast.

2. Encrypt a volume: You can encrypt a volume on your computer with something like TrueCrypt. This amounts to a file being created which is actually an encrypted container for your files. This will protect only the files you put into it. The container is mounted by simply opening the TrueCrypt application, mounting the container file and providing the password. Without the password, no one can see your stuff.

3. Encrypt a hidden volume: When setting up #2 (above), you can additionally set up an encrypted hidden volume inside of the of the normal encrypted outer volume. Although someone could forensically deduct that the outer volume exists and potentially force you to reveal the password, they would not be able to tell that there was a hidden volume inside of it. Even if they were familiar with this technology and suspected that there was a hidden volume, in theory they would not be able to prove forensically that it existed and you could plausibly deny it's existence. When mounting the volume, you can use one of 2 passwords: Using one mounts the normal outer volume; Using the other mounts the hidden volume.


A custom fake boot error which is really a TrueCrypt password prompt

4. Encrypt the operating system partition:
This involves encrypting your entire Windows installation so that a password is required in order to even boot. If someone removes your hard drive and slaves it into their computer or boots your computer to a live CD, they will still not be able to recover your data because it is encrypted. When you boot your computer, a boot loader will come up and ask for the password before you can boot into Windows. Also, the bootloader password prompt can be hidden or a fake error can be displayed in it's place if you really wanna go paranoid. For added security/paranoia, some even prefer to copy the TrueCrypt bootloader to external media and then securely wipe it from the hard drive so that even the best analyst could potentially not prove that there was any encryption in place at all, even if they suspected it. In this case, the external media would contain the bootloader but the hard drive itself would contain no definitive evidence of encryption. A forensic analysis in that situation would simply show random bits on the disk. That last part's a little outside of the scope of this post, however, except to say that the presence of random bits on a disk are not evidence enough to definitely prove the existence of encrypted data. Many virtual data shredding applications write random bits when wiping disks, for instance.

(click to enlarge)

5. Encrypt a hidden operating system: You can have your computer dual boot to both a decoy operating system and a hidden operating system. An attacker theoretically would not be able to tell that a hidden operating system can even be booted to because it's totally based on what password you type during boot up. The password prompt in the bootloader knows to send you to the right operating system depending on what password is inputed. If you were forced to provide access to the computer by revealing the password, you could simply provide the password to the decoy operating system. The attacker could then boot into the decoy operating system and if they were savvy, they could see that there was an apparently empty 2nd partition on your hard drive. If skilled in forensics, they could see that the 2nd partition was populated with what appears to be random data. Although theoretically no technology currently exists for them to prove the presence of a hidden operating system (or that the secondary partition is even encrypted at all), the presence of this mysterious partition may cause them to question as to whether there is a hidden operating system. However, the architecture of the secondary partition is thus that there is an outer volume and an inner volume, similar to #3 above. The victim would thus have an additional decoy mechanism by placing fake sensitive data on the outer volume of the second partition. If questioned about the presence of random data on the second partition, the victim could simply claim that they wiped the whole drive to DoD specifications with 3 passes of random data using a disk shredding software tool. Still, if they were coerced (think gun to your head situation) into admitting the presence of encrypted data on the secondary partition, they could simply provide the password to the outer volume on the secondary partition and plausibly deny any suggestions that a hidden volume exists on the secondary partition. (Yes, there are a total of 3 passwords in this scenario!: One to a decoy operating system on the first partition, one to an outer volume on second partition and one to an additional hidden volume on the second partition.) The attacker still could suspect that there is a hidden operating system and ask you why you put your data into a secondary partition. You could say that this partition was so that you could keep your data files separate from your system files, as many admins do. Or you could say that you wanted to have a separate level of security for your top secret data. They theoretically would not be able to prove that the hidden operating system exists. You may be wondering what type of situations this could possibly be useful for. Well, among other scenarios, think of an American spy detained by an unfriendly government who finds themselves a defendant in an espionage case. In this situation, the defendant could potentially be protected by the plausible deniability afforded in this setup.


System bootup in a hidden OS scenario and how all 3 volumes are accessed


So to recap, even in the most secure scenario, they could boot up your computer and suspect that you have encrypted data but if they forced you to grant access you could just provide access to the decoy operating system. At that point, if they also forced you to grant access to the suspected secondary encrypted partition, you could do so without granting access to the hidden operating system. If they suspected the presence of a hidden operating system, in theory you could plausibly deny its existence much easier than you could deny the existence of the decoy operating system on the first partition and the outer volume of the secondary partition. Even in the case of an official government investigation or court case, there would theoretically be no way to prove beyond a shadow of a doubt that a hidden operating system is on a given computer. An investigation involving the best available forensics software publicly known in our time could not prove it. (The NSA or others may have technology that is not known to the public, etc. but in multiple cases the government has not been able to successfully decrypt TrueCrypt volumes.) The whole plausible deniability concept here is based on the idea they can prove the likely existence of the outer volume on the second parition but they can't prove the existence of the inner volume on the second partition. What benefit is there to solution #5 above solution #3 when they both offer plausible deniability of hidden data? Among other things, #5 offers that even installed applications and all locally stored logs and traces of activity would be hidden in the event of a situation in which the victim is being coerced to provide access or is in a hostile situation of that nature. (Again, think gun to your head.)


A few disclaimers:

-I'm not suggesting that you hide things from the government or law enforcement, etc. There are many situations where this technology could be used for good or for evil. Please don't use it for evil. Just good. (Duh.) Also, when I use the term government, keep in mind that there are good people who may need hide data from evil foreign governments so don't jump to the conclusion that I am trying to help bad people.

-With solution #5, you need to boot into the decoy operating system regularly and use it or the logs will show it hasn't been used in a while, which could give away the fact that you've been using a hidden operating system.

-The computer may be connected to a network (including the Internet) only when the decoy operating system is running. When the hidden operating system is running, the computer should not be connected to any network, including the Internet. Adhering to this is imperative, as the hidden operating system could be logged on a network, therefore giving away its existence.

-It's very hard to maintain a hidden operating system. It works in theory but is a very difficult setup to maintain, so watch yourself carefully.

-None of this blog post (or anything on this blog, for that matter) are meant as legal advice. I am not a legal professional, and this post is not intended to answer your legal questions. (Duh.)

In my next posts (coming soon), I will be providing instructions on how to setup a hidden operating system. I'm only going to give you the instructions for #5 (above), as it is the most challenging and least documented. But the good news is that it's not that hard, due to the amazing job that the developers have done with TrueCrypt!

Click here to go to Part 2 - Setup your second partition

Links to each section:
Part 1 - (Un)boring intro with all the snazzy info -- you're reading this now!
Part 2 - Setup your second partition
Part 3 - Setup your first partition (sounds backwards, I know)
Part 4 - Other cool stuff -- COMING SOON

No comments:

Post a Comment

Spammy/foul language comments or those with an explicit avatar will be tossed in a 55 gallon drum and a match thrown in after them. (Oooo, now I can warm my hands!!)