TrueCrypt is a super powerful disk encryption software to secure a set of files as well as entire disk to prevent data theft and like attacks. Apart from encrypting data, it allows users to disguise their encrypted containers, so that external sources can’t even check if the disk contains TrueCrypt containers or not. However, if you created multiple Trucrypt containers on the disk, and have forgotten where they actually reside, TCHunt may help you find them without having to manually search each location on your disk. It’s a small CLI-based tool that checks the attributes of the files to locate TrueCrypt containers on the disk partitions. Read past the jump for more.
Using the following attributes of the file, it checks whether the suspected file is a disguised TrueCrypt container or not.
- The suspect file size modulo 512 must equal zero.
- The suspect file size is at least 19 KB in size (although in practice this is set to 15 MB).
- The suspect file contents pass a chi-square distribution test.
- The suspect file must not contain a common file header.
The application also lets you check a specific directory and all its sub-directories to find both mounted and dismounted TrueCrypt containers. To begin, download the TCHunt.exe, and put it in disk volume where you want to find the hidden TrueCrypt volume. Now, open CMD utility with administrative privileges, and navigate to location where TCHunt.exe is residing. Once done, enter the following command.
TCHunt –d <folder name>
This will recursively search the specified folder for hidden TrueCrypt container(s), and show the complete path of suspected file. Similarly, you can search TrueCrypt containers from any local and removable disk volumes. It must be noted that TCHunt is only capable of hunting down mounted and dismounted TrueCrypt volumes, and it doesn’t attempt to make any changes to your TrueCrypt containers. TCHunt works on both 32-bit and 64-bit editions of Windows.