.NET Tutorials
Aug6

Written by:Timothy
8/6/2010 11:56 PM

** This tutorial uses some advanced file system concepts.  If your aren't familiar with such things as using a command prompt or formatting a drive, this tutorial may not be for you.  USE AT YOUR OWN RISK. **

You've probably heard stories of people who have had their car broken into and their laptop computer stolen, along with thousand of confidential customer records.  One way to help protect against this risk is to use a program called TrueCrypt to create securely encrypted files that can be mounted as a regular partition with transparent encryption/decryption.  You can find a tutorial on setting up a TrueCrypt volume here: http://www.guidingtech.com/1258/how-to-encrypt-computer-data-using-truecrypt/

The other day, I was trying to locate an article/video explaining how to embed a zipped archive within an image file (PNG, GIF, JPG, etc) as I had done it a long time back, but had forgotten how.  One example of how to do this can be found here: http://www.guidingtech.com/2241/hide-files-inside-jpeg-gif-png-images/ There are some drawbacks to this approach: The archive is read-only and if you want to change the contents, you have to extract the files, create a new zip archive with the modified/added files and recombine with the original image.

Then today I was setting up TrueCrypt on my new computer and I got this crazy idea that it would be really cool if you could embed a mountable encrypted volume into a picture, like you can with a compressed archive.  After a bunch of research and playing around, it turns out that you can, in fact, combine a regular image (I tested with a .GIF file) and a TrueCrypt volume and still have the TrueCrypt volume mountable and modifiable without destroying the image attached to it.

But first, some background information.  I started by using the "copy /B" command described in the article linked above to combine my picture and a regular TrueCrypt image, but it did not work.  Some research into the file structure of a TrueCrypt volume illuminated the reason why it didn't work.  A regular statically-sized TrueCrypt volume has a header that, once decrypted, defines the start and end points of the volume.  By combining with an image, the header is actually pushed to a later point in the file and TrueCrypt just assumes that the specified password was incorrectly entered.  Some further research into Hidden volume files gave me another idea.  As it turns out, a hidden volume is essentially a secondary "partition" in the file and has a separate header.  This header is randomly located within a certain byte range on the TrueCrypt volume and when you try to mount the Hidden volume, an attempt is first made to mount it as a standard volume and when that fails it does a second attempt against the Hidden header section and then scan for a valid header.  If a valid header is found, TrueCrypt will get the upper and lower ranges of the hidden volume so it can be mounted.  This hidden volume is the key to making TrueCrypt work while combined with a picture.

Enough talk, let's get into the details:

  1. Start by creating a brand new hidden TrueCrypt volume (which I will call myvol.tc from now on) of any size you want. Do not use a dynamic size or it won't work.  This file will be duplicated when it is combined with the picture, so make sure to have enough free space on your hard drive for a copy.  If you're not sure how to create a TrueCrypt volume, you can visit the tutorial linked above or get more information from the TrueCrypt website.  I strongly recommend starting with a brand new file, as the contents of the encrypted volume WILL be destroyed in the process of setting it up.  There is no need to put any files in the standard volume, as that will become inaccessible.  Create the hidden volume with the maximum available size minus about triple the size of the image you intend to combine with the volume.
  2. Dismount myvol.tc from TrueCrypt if you currently have it mounted.
  3. Find a picture that you would like to use to mask the volume and place it in the same folder as myvol.tc  (I haven't extensively tested this but because of the limited byte range for the Hidden volume, try use a picture that is as small as possible.  I used a 7kb black and white .GIF image)
  4. Open a command prompt and navigate to the folder containing myvol.tc and the picture file.
  5. Run the following command to combine the two files:

       copy /B mypic.gif + myvol.tc secretimage.gif
     
  6. You will now have a file named secretimage.gif with the combined size of the image + myvol.tc.  Using file explorer, you should see a thumbnail of the original image on secretimage.gif and if you were to open it in an image viewer, the picture should display fine.  Just a couple more steps to go...
  7. If you try to mount secretimage.gif in TrueCrypt using the password for the Standard container volume, it will fail with an error message "Incorrect password or not a TrueCrypt volume."  This is normal.  It happens because the TrueCrypt header has been pushed back from the start of the file.
  8. Now try to mount secretimage.gif using the password and/or keyfiles for the hidden volume.  It will give you the same error message, on the first two attempts, but the third attempt will actually use a backup header that was created along with the volume and you will get a warning message along those lines. ** Do not follow the instructions in the warning to restore the header, or it will destroy the picture that was combined with the volume.
  9. Try to navigate to the volume you just mounted.  It will tell you the file system is not initialized and needs to be formatted.  This is because the header specifies absolute range within the file where the volume is located. By combining the image file, that location was offset by the byte length of the image, rendering the file table of the partition invalid.  Perform a Quick Format of the newly mounted drive to rebuild it. ** Be very careful to verify that you are formatting the correct drive. If you get the wrong one, you will likely lose a lot of important data. **
  10. Once the drive is formatted, you now have a working, fully encrypted data volume disguised as an obscenely oversized image.

As an additional note, there are a couple of downsides to this process. First, you are out of luck if you were hoping to maintain plausible deniability.  A 50gb image file is pretty obvious that something is amiss.  Second, every time you try to mount the image file, it will give errors on the first two attempts followed by success with a warning message. (If you have the correct password)  This can be annoying, but I think the trade-off is worth it.  In some ways, it may even improve security.  A brute force guessing attack will return errors on the first two attempts with even the correct password, making it that much more difficult to crack.

I hope you enjoyed this little tutorial and I hope it proves useful for you.  For this project, I am using Windows 7 and TrueCrypt v7.0.  I have not extensively tested this process, so there might be unforseen problems.  Use this tutorial at your own risk and always be sure to backup your data.  If the encrypted file becomes corrupt, you will most likely loose it all.

Please post in the comments if you are able to resolve some of the error messages or caveats I mentioned.

Tags:

Re: How to Hide a TrueCrypt Volume in a Picture

Very very very very good one, I was looking exactly for this :)

Note : for credibility you can hide the truccrypt container in a standard 700Mo DivX.avi, and rename it DivX_720p_HD.avi ;)

By T. on  1/31/2013 2:13 PM