Skip to Main content Skip to Navigation
Conference papers

Detecting Hidden Encrypted Volumes

Abstract : Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive anti-forensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypted container can be obtained from a single disk image of Windows Vista and Windows 7 systems using the Volume Shadow Copy feature, and how the changes between shadow copies can be visualised to detect hidden volumes. The visualisation assists in the presentation of this information to a court, and exposes patterns of change which allows the size and file system of the hidden volume to be determined.
Document type :
Conference papers
Complete list of metadata

Cited literature [10 references]  Display  Hide  Download
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Monday, August 18, 2014 - 6:09:54 PM
Last modification on : Friday, August 11, 2017 - 3:29:43 PM
Long-term archiving on: : Thursday, November 27, 2014 - 5:32:50 AM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Christopher Hargreaves, Howard Chivers. Detecting Hidden Encrypted Volumes. 11th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security (CMS), May 2010, Linz, Austria. pp.233-244, ⟨10.1007/978-3-642-13241-4_21⟩. ⟨hal-01056376⟩



Record views


Files downloads