The goal of Truehunter is to detect encrypted containers using a fast and memory efficient approach without any external dependencies for ease of portability. It was designed to detect Truecrypt and Veracrypt containers, however it may detect any encrypted file with a 'header' not included in its database.
Truehunter performs the following checks:
- Test the first 8 bytes of the file against its own database.
- File size modulo 64 must be zero.
- Calculates file entropy.
Truehunter is part of BlackArch forensic tools.
Any Python version from 2.7-3.7 should work, it does not need any additional libraries.
The headers database file will be created with the first use, and can be updated after every scan. Note this is not a correct header database, just the first 8 bytes of every file, extension and date(It does the job as a PoC).
Fast Scan: Searchs for files with a size % 64 = 0 (block ciphers), unknown headers and appearing less than MAXHEADER value (default 3).
Default Scan: Performs a fast scan and calculates the entropy of the resulting files to reduce false positives.
usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE] [-R MAXHEADER] [-f] [-o OUTPUTFILE] LOCATION Checks for file size, unknown header, and entropy of files to determine if they are encrypted containers. positional arguments: LOCATION Drive or directory to scan. optional arguments: -h, --help show this help message and exit. -D HEADERSFILE, --database HEADERSFILE Headers database file, default headers.db -m MINSIZE, --minsize MINSIZE Minimum file size in Kb, default 1Mb. -M MAXSIZE, --maxsize MAXSIZE Maximum file size in Kb, default 100Mb. -R MAXHEADER, --repeatHeader MAXHEADER Discard files with unknown headers repeated more than N times, default 3. -f, --fast Do not calculate entropy. -o OUTPUTFILE, --outputfile OUTPUTFILE Scan results file name, default scan_results.csv
Author Andres Doreste
Copyright (C) 2015, Andres Doreste