Become a fan of Slashdot on Facebook


Forgot your password?
Data Storage Encryption

Forensics Tool Finds Headerless Encrypted Files 374

gurps_npc writes "Forensics Innovations claims to have for sale a product that detects headerless encrypted files, such as TrueCrypt Dynamic files. It does not decrypt the file, just tells you that it is in fact an encrypted file. It works by detecting hidden patterns that don't exist in a random file. It does not mention steganography, but if their claim is true, it seems that it should be capable of detecting stenographic information as well."
This discussion has been archived. No new comments can be posted.

Forensics Tool Finds Headerless Encrypted Files

Comments Filter:
  • by telchine (719345) * on Thursday April 30, 2009 @03:18PM (#27778031)

    I'm am a citizen of the United Kingdom. Amongst many odd laws we have here, there's one that basically means that you can go to jail if you refuse to hand the police your encryption keys if they ask for them. The one saviour was Truecrypt's plausible denial. If they don't know you have encryption they can't ask for keys!

    Now they do know I have encryption... ...and I've forgotten my password.

    Can someone please give me tips on how to avoid dropping soap in the shower?

    • by wjh31 (1372867) on Thursday April 30, 2009 @03:23PM (#27778115) Homepage
      practice holding soap between your cheeks, that should prepare you well.
    • Don't worry (Score:5, Insightful)

      by sakdoctor (1087155) on Thursday April 30, 2009 @03:25PM (#27778135) Homepage

      The company has "innovations" in it's name, so their product probably won't work.
      If it did work against true crypt, which is a yard stick of well implemented encryption, I'm sure they'll come up with a counter measure by the next minor release.

      Also: In before XKCD strip.

      • Re:Don't worry (Score:4, Informative)

        by SerpentMage (13390) <ChristianHGross&yahoo,ca> on Thursday April 30, 2009 @03:33PM (#27778299)

        What I am guessing is that they are doing Gaussian analysis. It is actually quite simple, and not too hard to implement. If a data set is truly random then the statistics will have some basic indications that it is random.

        Since encryption implements a lossless conversion then the data is not random. BECAUSE random data is just that random.

        Though it would not be that hard to get around this because the statistics can be fooled. Actually would not be that hard to do that. Thinking about it, rather interesting problem...

        BTW I do statistical and probabilistic analysis in a hedge fund...

        • Re:Don't worry (Score:5, Insightful)

          by Kjella (173770) on Thursday April 30, 2009 @03:43PM (#27778511) Homepage

          Since encryption implements a lossless conversion then the data is not random. BECAUSE random data is just that random.

          Encryption in ECB mode leaves a very clear pattern, because identical input blocks leads to identical output blocks. Pretty much every other block chaining mode doesn't though because they mix it the preceding blocks, so i'm guessing an implementation flaw because the cryptographic primitives are pseudorandom, they have no distinguishable non-randomness unless you know the exact key.

          • Re:Don't worry (Score:4, Interesting)

            by SerpentMage (13390) <ChristianHGross&yahoo,ca> on Thursday April 30, 2009 @03:52PM (#27778693)

            What I think they are doing and I think it would indicate an encrypted drive is distribution analysis.

            If you have truly random data then there is a specific pattern. If you have deleted or unused blocks there will be a specific pattern.

            But if you have an encrypted block the distribution will not be like any of the other pieces of data. This is your indicator.

            Think of it as follows. You are driving on the highway and somebody on the highway drives the speed limit exactly, stays in the center lane, and does not switch lanes at all. Even though that would seem to be right, it is actually quite wrong and it would make police suspicious.

            • Re: (Score:3, Insightful)

              by MaskedSlacker (911878)

              You've never heard of cruise control on a 500 mile trip have you?

            • Re:Don't worry (Score:5, Insightful)

              by Anonymous Coward on Thursday April 30, 2009 @04:33PM (#27779319)

              You realize that you aren't saying anything at all, right? Your argument is that since encrypted data is different than random data (an assumption you make without stating), encrypted data will look different than random data.

              In reality, one of the standards for encryption algorithms (and block chaining methods) is that they produce a pseudorandom output. In fact, block ciphers are often called upon to operate as PRNGs when given random input data. The idea is that they will produce a significantly larger amount of pseudorandom output data than the random seed data.

              BTW I do mathematical cryptanalysis at a university...

              • Re: (Score:3, Insightful)

                Your argument is that since encrypted data is different than random data (an assumption you make without stating), encrypted data will look different than random data.

                He didn't say that. He said that, for TrueCrypt case, the "random" data on the disk in free sectors is not random at all - it's got bits of deleted files in it, and so on. So, it's rather low entropy. On the other hand, sectors used for TrueCrypt will actually contain truly random, high-entropy data. And statistical analysis will be able to tell the difference easily.

              • Re:Don't worry (Score:5, Insightful)

                by MoxFulder (159829) on Thursday April 30, 2009 @09:50PM (#27782647) Homepage

                I wish I had mod-points for you.

                Finally we hear from someone who knows WTF he/she is talking about.

                Just to expand a bit: encryption algorithms (except for one-time-pad) don't produce truly random output. But all good, modern ones seek to produce output that's as indistinguishable as possible from truly random output, as a necessary but not sufficient component of their security. There are a variety of techniques to produce pseudorandom data based on a variety of sophisticated mathematics.

                It seems like the height of hubris to claim that one software program can reliably detect all these different kinds of extreme slight deviation from perfect randomness.

                A more plausible approach (as others have pointed out), is to look for files that do appear to be totally random. Such files are likely to be either (a) the output of a random number generator, or (b) encrypted. All files that have some useful content in their present form have some structure or non-randomness.

            • Re: (Score:3, Interesting)

              by mgiuca (1040724)

              So basically this doesn't tell the difference between an encrypted drive and a blank drive, it tells the difference between a pure random drive and a blank drive.

              That is, out of the following three possibilities:

              1. Default/blank drive, possibly non-random.
              2. Drive written over with pure random bytes.
              3. Full disk encryption.

              This tool can tell the difference between 1 and {2,3}, but it can't tell the difference between 2 and 3. That should still give you plausible deniability then, because there's the possibi

            • Re: (Score:3, Insightful)

              by AmberBlackCat (829689)
              That would not account for people like me, who actually drive like that regardless of criminal intent. What if a truly random file just happened to have that pattern? Does the person go to jail due to the unlikely nature of the file?
              • Re: (Score:3, Interesting)

                by andy_t_roo (912592)

                because, as one of the up-thread comments says, a large file which looks true random is either encrypted or the output of a (good) random number generator. This software wouldn't be able to tell the difference. Unfortunately very few people need very large amounts of true random data, as the people who need the most random numbers are probably computational scientists, and then a good PRNG will do that for you.
                Alternative needs of true random data relate to communication, or cryptography. Either way you are

          • Re: (Score:3, Funny)

            by postbigbang (761081)

            Not necessarily.

            Elliptical encryption can produce waves, but if the seed is large enough, it's a bear to detect. Bigger waves, bigger cache to AND for rhythms.... hint hint.

            What's needed is some sort of slam dunk header with Britney Spears in some sort of Japanese HD interlaced display. Hash it with bluefish, then salt it up with Atomic Rooster.

            This also bodes badly for Layer 7 router problems-- the kind where ISPs 'deep dive' into packet streams to throttle them back, so that all important ISP-provided mov

        • Re:Don't worry (Score:5, Insightful)

          by Stray7Xi (698337) on Thursday April 30, 2009 @04:45PM (#27779499)

          BECAUSE random data is just that random.

          Any kind of analysis that answers the question of whether a piece of data is random or deterministic can't do so with certainty. You can't prove a string of a million 1's wasn't randomly generated. Every piece of random data long enough will have substrings that appear to be a pattern.

          Give a voice recognition program a low enough certainty threshold and it'll pick out words from below the noise floor. But the lower you go, it'll make more and more mistakes and eventually it'll pick out words from plain white noise.

        • Re: (Score:3, Informative)

          by Atzanteol (99067)
          Sounds like the do something like the free ent [] utility. It calculates a "randomness" of files. It can be quite useful to tell "data" from "encryption."
        • Re: (Score:3, Informative)

          by JamesP (688957)

          And that's why it's recommended to compress things before encryption.

          • Re:Don't worry (Score:5, Informative)

            by MSG (12810) on Thursday April 30, 2009 @07:34PM (#27781559)

            I don't think so... It's recommended that you compress things before you encrypt them if you plan to do both (usually for network transmission). If you encrypt and then compress, your compression will not be very effective. Good encryption produces very few patterns, and patterns are what compression applications need in order to function.

      • Re: (Score:3, Funny)

        by inviolet (797804)

        The company has "innovations" in it's name, so their product probably won't work.
        If it did work against true crypt, which is a yard stick of well implemented encryption, I'm sure they'll come up with a counter measure by the next minor release.

        This will probably become an arms race, in order to use vs detect subtler and subtler patterns in the bytes.

        In any case, this tool will probably end up being used by law-enforcement as a polygraph, or breathalyzer: not true, not quite false either, but exciting enou

        • by EnglishTim (9662)

          I seem to remember that being a scene from The Wire.

          • Re: (Score:3, Informative)

            by 1729 (581437)

            I seem to remember that being a scene from The Wire.

            It first appeared in the David Simon's Homicide: A Year on the Killing Streets. The anecdote had been passed down within the Baltimore Police homicide squad, and was presented as a true story in the book. Simon later adapted this and other events from his true crime books for use in The Wire.

      • Re:Don't worry (Score:4, Interesting)

        by FutureDomain (1073116) on Thursday April 30, 2009 @03:55PM (#27778735)

        The company has "innovations" in it's name, so their product probably won't work.

        I actually tried it with a Truecrypt volume and a random file (/dev/urandom) and it seems to work. The Truecrypt is identified as "Encrypted Data (Headerless)" and the random file is identified as "Data File (Unknown)".

        • by compro01 (777531)

          What does it say about a Truecrypt hidden volume?

        • Re:Don't worry (Score:4, Insightful)

          by PitaBred (632671) <slashdot@pitabre ... g minus caffeine> on Thursday April 30, 2009 @05:52PM (#27780473) Homepage
          That's why I name my TrueCrypt volumes stuff like ""

          "Awww, jeez... the damn thing's gotten corrupted! My boss told me to keep my sensitive company files in an encrypted zip file, and it keeps screwing up"

          Just because security through obscurity isn't good as the only defense doesn't mean that it's not quite handy in addition to others.
          • Re:Don't worry (Score:4, Informative)

            by hoggoth (414195) on Friday May 01, 2009 @11:30AM (#27788729) Journal

            I am a computer forensic investigator, and I know what the structure of a zip file looks like internally. It's NOT a blob of random bits. Even a corrupted zip file has a well defined header, indexes, etc.

            It's extremely difficult, if not impossible, to hide data from a good investigator who has the time and motivation to investigate thoroughly. If I find a large file containing only random bytes, it is NOT a normal thing and I will look into it further, especially if the file size is an even multiple of 512 bytes. If I can find traces of TrueCrypt ever having been used on that drive I will have a pretty good idea what I'm looking at. I can try to decrypt the file using every possible string found on the hard drive, including bits of memory saved to the paging file and hibernation file. If I manage to decrypt and open the file and find it is formatted with the FAT32 filesystem instead of NTFS I will be very suspicious that this was done because there is a hidden "plausibly deniable" inner volume. I will then work on cracking that open like I did the outer volume. I will also report to the authorities I am working for that there is a significant possibility of a hidden volume. They will use their social skills [] to get the key from the owner.

            The real limitation is that cases usually DON'T give me enough time or resources to investigate that deeply, or the lawyers manage to bury the issue of an encrypted file and it doesn't get addressed. The best bet for a person with something to hide is to make it very difficult and time consuming for an investigator to get to the bad stuff, and hope his case isn't that important to warrant the time to dig deeply. In practice that means if you cheated your partner in a small business and hide it very very well I probably won't find it. If you killed someone I will find it.

    • Re:Plausible Denial? (Score:5, Informative)

      by jroysdon (201893) on Thursday April 30, 2009 @03:37PM (#27778393) Homepage

      I thought one feature of TrueCrypt was the ability to have two passwords. One password unlocks your "non-secret" data. The other password unlocks your "secret" data in a hidden volume. []

      The point is both sets of data are stored in one big binary blob. It'll all look like one big fat encrypted mess. In fact, if you are not careful, your non-secret data can overrun your secret data.

      To get around this "randomness" problem, after creating your non-secret partition, fill the partition completely with something (copy a few public domain books over and over until the partition is full). All the "randomness" will be gone with encrypted data. Then delete everything and put back in just the smallest amount of non-secret data you need to store in order to appear legit. The "randomness" is still there, as only the FAT entries are deleted, but all the encrypted data is still filling up that whole binary blob.

      Now, create your secret partition and use it. Be sure to use it just short of the non-secret data's amount (as they fill from the opposite end), otherwise your non-secret partition will be corrupted.

      This link helps with the graphics: []

      The one downside is that the non-secret side, if it fills up with too much data, will override your secret side. That's why your have backups and this is just for transport anyway, right?

      • Re: (Score:3, Interesting)

        by Lumpy (12016)

        you got it. It's called hiding in the noise.

        Format your drive, now plug it in as usb and create a full size truecrypt encryption on it and fill it with junk.

        now take the drive, delete that file and then use it as your new drive whatever. any encrypted files will be hidden in the noise of the background encrypted file that is in the blank area of the drive.

      • by Animaether (411575) on Thursday April 30, 2009 @03:53PM (#27778695) Journal

        "That's cute, sir - now give us the other password"
        - "what other password?"
        "for the hidden truecrypt volume"
        - "what hidden truecrypt volume??"
        "the one that's being referred to by half a dozen applications' most recently used files lists"
        - "oh err.. that's uh.. another drive entirely"
        "very well, then hand us that other drive"
        - "err uhm.. my dog ate it?"

        If you're really, really serious about these things, maybe you could work super-diligently to prevent leaving any clues as to that hidden volume's existence.. odds are something's going to bite you in the behind somewhere though.

      • by gurps_npc (621217)
        The tool claims to be able to detect patterns that indicate files. So if you give them your first password, they can look for said patterns within the first encrypted file, thereby displaying that a second level of encryption exists.
      • Re: (Score:3, Interesting)

        by Kjella (173770)

        The one downside is that the non-secret side, if it fills up with too much data, will override your secret side. That's why your have backups and this is just for transport anyway, right?

        It has a protection option where you can enter the hidden password along with the normal password so the hidden partition will be protected, the outer container will be frozen on a write attempt to hidden data. I think it's unnatural that you must ensure that there's no data written to the end of the disk though, it leads to some peculiar disk format choices and so on. A better implementation would be more like a transparent file system layer, where the outer partition could write anywhere it wants and the

    • by PMuse (320639) can go to jail if you refuse to hand the police your encryption keys if they ask for them.

      Interesting. Does anyone know if there are similar laws concerning assisting the police in non-digital searches? In the UK? In the States?

      For example, suppose that a 9mm handgun was used to kill your husband. The police have records indicating that you own such a gun and they have your empty gun case, but your gun is missing. A ballistic analysis of your gun would be vital evidence, but you remain silent. A trial later acquits you of murder. Can the police charge you with Failure to Assist in an Aut

      • Can the police charge you with Failure to Assist in an Authorized Search and send you to jail for not telling them where your gun was?

        In the US, you have no duty to assist the police, only a duty not to impede them. I think an analogous situation would be whether they could charge you for refusing to open the safe. Is remembering the combo the same as giving up the passcode? Is it possible self incrimination to do so? You aren't telling them things that implicate you, just how to get at things that might do that. What if you're a lawyer and there are client files in that safe/encrypted volume?

  • Patterns? (Score:5, Informative)

    by causality (777677) on Thursday April 30, 2009 @03:20PM (#27778063)

    It works by detecting hidden patterns that don't exist in a random file.

    I should first say that I'm rather ignorant about encryption but I hope someone will be able to explain this. I was under the impression that any sort of good-quality encrypted data is indistinguishable from completely random data. That seems to directly contradict the ability to determine whether a volume contains encrypted data by means of locating patterns. Is this really a contradiction?

    • And how many completely-random files do you have on your computer?

      • Re: (Score:2, Informative)

        by causality (777677)

        And how many completely-random files do you have on your computer?

        One, and a second file that's pretty close. /dev/random and /dev/urandom.

        Dear mods, that's meant to be facetious. Some of you seem to be a little trigger-happy so you won't understand why I shouldn't have to explain that.

        • Re:Patterns? (Score:5, Insightful)

          by Jah-Wren Ryel (80510) on Thursday April 30, 2009 @03:55PM (#27778733)

          Dear mods, that's meant to be facetious. Some of you seem to be a little trigger-happy so you won't understand why I shouldn't have to explain that.

          Make your joke and take the moderations like a man.
          If you are going to explain that it is a joke, you might as well not bother in the first place since explaining takes away all the fun.

      • I knew testing that hardware random number generator was a bad idea.

      • by Andy Dodd (701)

        I think it goes with the whole "Innocent until proven guilty beyond a reasonable doubt" mantra.

        If a file is indistinguishable from random noise, then a court can't prove that it's encrypted data.

        That said, in reality they can make your life a living hell.

      • Re: (Score:3, Insightful)

        by thehickcoder (620326) *
        Good point. My guess is that is how this tool actually works. It relies on the assumption that any statistically psuedorandom files (or maybe even partitions) must be encrypted, since every other file will contain some sort of pattern.
      • Perfectly compressed data is indistinguishable from random noise. Well-compressed data is "close" to random noise. So I suspect any file type I have that uses a good compression method (jpeg, most mpeg codecs) looks close enough to completely random.

        (Be nice, I'm just an information theory hobbyist.)

      • by Lehk228 (705449)
        well my /b/ folder is pretty random
  • Umm... (Score:5, Informative)

    by drakaan (688386) on Thursday April 30, 2009 @03:21PM (#27778071) Homepage Journal
    s-t-e-g-a-n-o-g-r-a-p-h-y...not stenography.
    • Re:Umm... (Score:5, Funny)

      by Daimanta (1140543) on Thursday April 30, 2009 @03:34PM (#27778323) Journal

      ssshhh, the "ga" is secretly embedded through steganography

      • by Kjella (173770)

        Ohh, and I thought it was just stenography shorthand. Not only secretly embedded, it has plausible deniability too.

    • by gnick (1211984)

      No, stenography. Their software can detect files that are written in shorthand. I find that much more plausible than the idea that it can tell strongly encrypted data from noise.

    • Re: (Score:2, Funny)

      by Zapotek (1032314)
      Dunno, if the hidden data is 30 column wrapped that could be stenography[1].

      Steno = narrow
      graphy = writing
      Greek /. readers I expect a funny mod up. xD
    • by mcrbids (148650)

      Uh, steganography is spelled like this:

      I was understanding that we are generally aware of nothing where we are desperate to have fixed, at least not immediately.

      Sans the bolds, that is.

  • Or "How I learned that you can't fight information theory".

    A few years ago, I recall arguing with someone here on Slashdot about this very issue. My take on it was that stenography could never be completely successful because there would always be a pattern sticking out from the file. The other poster argued that truly encrypted data should be indistinguishable from white noise. I pointed out that a) stenography disrupted the image coloring and therefore should be detectable by looking for irregularities an

    • by Burkin (1534829)
      I wouldn't use a slashvertisement as the basis of my argument if I were you.
      • We'll see how far they go with it. If their tool works as well as they claim, it wouldn't be the first time engineering has preceded the scientific theories behind them. Obviously testing the tool helps. If it finds TruCrypt data, that's not a good sign for the theoretical randomness of data. Next interesting question is: How far will TruCrypt be able to go to prevent the tool from detecting data? Will we see an arms race of encryption hiding vs. detection? If so, who will win?

        My own feeling is that data s

        • by Burkin (1534829)

          If it finds TruCrypt data, that's not a good sign for the theoretical randomness of data.

          No, it just means there is a flaw in TruCrypt's implementation.

    • Re: (Score:3, Insightful)

      by Hatta (162192)

      encrypted information (short of a one time pad, which is the only way to get true noise) has an underlying structure in the data operated on.

      The digits of pi have an underlying structure. If you have a way to distinguish an arbitrary stretch of pi from truly random data, I suspect you'll win a Fields Medal.

    • by pyite (140350)

      i.e. Encrypted information will stand out as structured data.

      So you really believe that if I take a non-random stream and encrypt it with AES in CBC with a random key and random IV (both of which I can easily obtain as I can generate 2 * 128 bits of true random data with 256 flips of a fair coin) that you will be able to distinguish the resulting ciphertext from true random data?

      I find that, and this company's claims, *highly* unlikely.

  • Won't someone please think of Linus and RMS? *ducks*

    No info in the article. It is an advert for some Windows only software.

    Repeat, this is an advert, not an article.

    • by BitterOak (537666)
      The advertisement says the software runs on Windows. It doesn't say that it is incapable of scanning non-Windows disks or filesystems.
  • Benford's law (Score:4, Informative)

    by tyrr (306852) on Thursday April 30, 2009 @03:34PM (#27778307)

    This is probably another application of the Benford's law [].

    • by owlstead (636356)

      Well, not if it is encrypted data. I'm not so certain that you cannot detect AES (CBC) encrypted files, but the leading digit will certainly look like it is randomly distributed - the numbers are certainly not part of a logarithmic scale (which is what seems to drive this "law").

      And mods, questions and sentences that have "probable" in them should - in most cases - be modded "interesting", IMHO.

  • Who Cares? (Score:5, Informative)

    by DomNF15 (1529309) on Thursday April 30, 2009 @03:36PM (#27778351)
    The Wikipedia page on TrueCrypt already indicates that the volumes can pretty much be detected since they are always divisible by 512, it's just impossible to PROVE they are TrueCrypt volumes...

    Be enlightened: []
    • by dgatwood (11270)

      That's just sloppiness, then, if being undetectable is a goal. There's nothing preventing them from adding N pad bytes to the end of the file where N is some random number from 0-511....

  • Yet another scam (Score:5, Interesting)

    by trifish (826353) on Thursday April 30, 2009 @03:45PM (#27778531)

    Wow, the quality of Slashdot has really been going down lately. Now any random fraud can submit his misleading material and it gets accepted to front page just because it sounds interesting? Is this actually tabloid or serious news for nerds who understand what the talk about?

    In short, this is yet another lame attempt to make money by posting bogus claims about a popular product.

    First, hidden volumes [] are the only kind of steganography that TrueCrypt offers. Second, if you read the TrueCrypt documentation, you'll learn the following about hidden volumes vs. dynamic:

    On Linux or Mac OS X, if you intend to create a hidden volume within a file-hosted TrueCrypt volume, make sure that the volume is not sparse-file-hosted (the Windows version of TrueCrypt verifies this and disallows creation of hidden volumes within sparse files).

    Furthermore, when I try to create a dynamic TrueCrypt volume, TrueCrypt displays a big warning saying that dynamic volumes are insecure. That's right. Insecure.

    So again, I demote this story as total and utter bogus motivated by the vision commercial gain.

  • It works by detecting hidden patterns that don't exist in a random file.

    That would be equal to breaking AES or the mode of operation (XTS).

    If they could distinguish the AES-XTS ciphertext from random data, they would be famous in the cryptographic community instantly. However, these fraudsters obviously cannot do anything like that. They are just posting a bunch of lies hoping to earn big money on it.

  • I'm calling BS (Score:2, Interesting)

    by zindorsky (710179)

    I'm pretty familiar with TrueCrypt, but I don't know what a TrueCrypt "Dynamic" file is. Are they just talking about an encrypted virtual volume?

    Anyway, I'm pretty sure this is BS. I think they're just doing regular entropy tests on files. That will tell you when you have random data. A good test might be able to distinguish a large amount of compressed data from encrypted data since compressed data does have a little redundancy (emphasis on "might" and "little").

    But I guarantee that they are not detecting

  • by e4m (1424229)
    TCHunt found all of my TrueCrypt volumes. It's free too. []
  • by stokessd (89903) on Thursday April 30, 2009 @04:34PM (#27779337) Homepage

    I do a lot of data acquisition for work and in grad school. I've got lots of my data on my drive. They are written in binary formats of my design. There is lots of repetition, there are no headers, who knows what my data looks like to someone who doesn't know the "decoder ring" to unpack it.

    That doesn't mean that my files are kiddie pron or directions to make a dirty bomb.


    • Re: (Score:3, Insightful)

      by e4m (1424229)
      There is a reason that high-quality encryption was once classified as a "munition" by the US government. You cannot accidentally create it. You need a very good PRNG or an algo such as AES. Don't worry, your formats will (and cannot) be confused with encrypted data.
  • by anom (809433) on Thursday April 30, 2009 @06:46PM (#27781179)

    This is complete sensationalist crap. Truecrypt isn't broken, (probably) nor are any of the other programs they possibly claim to have broken.

    This is easy to test for yourselves folks, I just did it in 5 minutes.

    dd if=/dev/urandom of=/home/me/somefile.jpg bs=512 count=10000

    Performing this command and then scanning the resulting file with "File Investigator" results in the file being detected as a headerless encrypted data file.

    Whoever pointed out that they simply identify any randomly filled binary file of a size of a multiple of 512bytes is correct.

    TrueCrypt doesn't use ECB mode, hasn't for some time, etc etc etc. Stop freaking out every time someone claims to have broken it.

"Consequences, Schmonsequences, as long as I'm rich." -- "Ali Baba Bunny" [1957, Chuck Jones]