9

If I have a TrueCrypt container with a capacity of 2 GB which I use to fill 1 GB with real, hidden data, and leave the other GB for decoy data, then if I need to reveal a password and give out the decoy password, can't the attacker simply fill the container with junk until it's full, then compare the full size with the total container size and determine that if the full size is smaller than the container size, then it must have hidden data?

rid
  • 329
  • 2
  • 8

1 Answers1

8

No, but it will overwrite your hidden volume.

The hidden OS doesn't signal to the "primary" OS that there is any hidden volume. Instead it just looks like blank, free space available for the taking. A FAT filesystem won't use space at the end of the drive until it needs to, but if it gets to that, it will.

So you still have plausible deniability, but your encrypted volume is now completely overwritten.

Aw well.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • Overwriting is actually the goal. If you start up the outer TC volume without enabling inner volume protection (by entering the inner volume's password) it'll damage the inner volume. This is a scenario used for situations where an attacker forces a password from you. You give them the outer volume password, they mount it, and it kills your inner data before they can read it. Of course, they *can* mount it read-only, but that's no fun! – Polynomial Sep 24 '12 at 06:03
  • @Polynomial, but if TC takes additional steps to kill the inner data (instead of doing nothing special), can't that be detected? – rid Sep 24 '12 at 06:45
  • @Radu It doesn't take any extra steps. When you mount it as a writeable drive, the OS sets a bunch of metadata and start prefetching the files, writing last accessed dates, etc. It's highly likely that such changes would trash the drive. – Polynomial Sep 24 '12 at 08:14
  • @Polynomial, ah, I see, sounds good. – rid Sep 24 '12 at 08:49
  • If your outer volume is formatted FAT (which it has to be), you should be reasonably safe with limited use of the outer OS. This is in fact **why** NTFS is not allowed on the outer volume, since NTFS (like most modern filesystems) sprays data all over the disk. Keeping your outer OS "used" (updating timestamps, etc) helps maintain the illusion that this *is* your only OS. If you want to kill the inner volume, defrag the outer one. That'll probably do it. – tylerl Sep 24 '12 at 16:40