TC Hunt identifies files as being TrueCrypt or not. Our software identifies 3,300+ different types of files. One of those is Encrypted Data (Headerless), another is TrueCrypt Data. The two false positives in the TC Hunt test appear to have been incorrectly labeled as TrueCrypt. In the FI TOOLS test, those files appear to have been correctly identified as Encrypted Data (Headerless). Since the author admitted that those files actually are encrypted, with a method other than TrueCrypt, they should be counted as correct positives for FI TOOLS. That moves FI TOOLS to 7 correct identifications out of 8 files, and TC Hunt to 5 correct identifications out of 8.

I do not see any proof of the jouib6.sys file being identified incorrectly by FI TOOLS. Please make all of these test files available for testing by other people and/or provide all of the details about the files tested.

The 5+ minutes required for FI TOOLS to identify these files indicates that the test may have been run on a slow computer (or slow virtual environment). FI TOOLS has to read the entire file for some file types, when configured to read beyond the first megabyte, in order to maintain our high accuracy. I didn’t think that slower configuration was the default, but I will look into it. Would the author/tester please document any configuration changes that they made before the test?

Since these two tools use completely different methods, I recommend that FI TOOLS be used to identify all of the files on a hard drive, then use TC Hunt to get a second opinion on the files that FI TOOLS identifies as Encrypted Data (Headerless). The files that FI TOOLS identifies as TrueCrypt Data are identified with even higher accuracy and should not require the use of TC Hunt. The TrueCrypt identification in FI TOOLS works on Formatted Dynamic True Crypt files. All other TrueCrypt files are identified as Encrypted Data (Headerless).

Rob Zirnstein
Forensic Innovations, Inc.

J’ai raté un épisode ?