TCHunt is a legacy command-line tool designed by digital forensics experts to search for hidden TrueCrypt and VeraCrypt volumes. It identifies these volumes by looking for high-entropy (highly random) files that lack standard file headers and signatures, and have file sizes perfectly divisible by 512 bytes.
Because TrueCrypt has been deprecated for years and modern digital forensics requires more robust scanning capabilities, several modern tools and methods serve as the top alternatives to TCHunt.
1. Elcomsoft Encrypted Disk Hunter
Best for: Live system analysis and rapid discovery.
Overview: This free, portable command-line tool is explicitly designed for IT pros and forensic analysts to flag encrypted volumes. Unlike TCHunt, which focuses purely on file containers, Elcomsoft Encrypted Disk Hunter scans a live system to find partitions encrypted by TrueCrypt, VeraCrypt, BitLocker, PGP WDE, FileVault 2, and LUKS.
Advantage over TCHunt: It handles whole-disk and partition-level encryption, not just local container files.
2. Passware Encryption Analyzer
Best for: Scanning files and local network drives.
Overview: Part of the forensic suite by Passware, the Passware Encryption Analyzer is a free utility that systematically scans a machine for protected items. It searches for full disk encryption images (like TrueCrypt or VeraCrypt), as well as password-protected documents, archives, and keys.
Advantage over TCHunt: It offers a polished GUI and broader file type discovery, allowing you to instantly build a list of all encrypted files on a hard drive.
3. Forensic Suites (EnCase and X-Ways Forensics)
Best for: Deep legal and criminal investigation pipelines.
Overview: Industry-standard enterprise forensic tools like EnCase or X-Ways incorporate sophisticated Signature and Entropy Analysis out of the box.
Advantage over TCHunt: Investigators can build custom filters to automatically isolate files matching the specific characteristics of unmounted volumes. By sorting largest to smallest and filtering for high-entropy files missing valid magic bytes, these suites duplicate and enhance TCHunt’s core methodology within a centralized workspace.
4. Custom Python and CLI Scripts (binwalk and math)
Best for: Open-source, flexible automated pipelines.
Overview: Many modern reverse engineers and system administrators bypass third-party binaries entirely. They use specialized tools like binwalk combined with mathematical script routines to parse a system’s file system. A basic script can quickly scan directories, compute Shannon Entropy for files, and check if the byte count is divisible by 512 to reveal hidden containers.
Advantage over TCHunt: Scripting allows you to easily chain the results into automated alerts, continuous logging tools, or larger security platforms.
How These Tools Compare (Summary Table)
| Tool | Focus Area | Supported Formats |
|---|---|---|
| Elcomsoft Disk Hunter | Live System/Partitions | VeraCrypt, BitLocker, LUKS, FileVault |
| Passware Encryption Analyzer | Files & Network Storage | Disk Images, Office Docs, Archives |
| EnCase / X-Ways | Full Deep-Drive Forensic Triage | Comprehensive Signature/Entropy (Commercial) |
| Custom Python Scripts | Highly Tailored Local Scanning | Custom Defined (Entropy/Size) |
Important Reality Check
Because TrueCrypt and VeraCrypt containers do not feature any standard file headers (by design, to ensure “plausible deniability”), no tool can definitively guarantee a high-entropy file is an encrypted volume without attempting to decrypt it. They only identify suspected containers.
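The entropy-and-size heuristic described under Custom Python and CLI Scripts, as an added example (not code from TCHunt or any tool named above): it flags files whose size is a multiple of 512 bytes, that start with no known signature, and whose sampled Shannon entropy is close to 8 bits per byte. The minimum size, entropy threshold, sample length and the short signature list are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

SECTOR = 512           # the page's size heuristic: length divisible by 512
MIN_SIZE = 64 * 1024   # assumption: smaller files give unreliable estimates
ENTROPY_MIN = 7.9      # assumption: bits-per-byte threshold (maximum is 8.0)
SAMPLE = 1024 * 1024   # assumption: measure only the first 1 MiB
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b",
         b"7z\xbc\xaf\x27\x1c", b"\x7fELF", b"MZ", b"Rar!")  # short sample list

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> tuple[bool, str]:
    """Return (suspect, reason). A hit is only a suspected container."""
    size = os.path.getsize(path)
    if size < MIN_SIZE:
        return False, "too small"
    if size % SECTOR:
        return False, "size not a multiple of 512"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(MAGIC):
        return False, "known file signature"
    h = shannon_entropy(head)
    if h < ENTROPY_MIN:
        return False, f"entropy {h:.3f} below threshold"
    return True, f"entropy {h:.3f}, headerless, {size // SECTOR} sectors"

def scan(root: str):
    """Walk root and yield (path, reason) for every suspected container."""
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                suspect, reason = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if suspect:
                yield path, reason

if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"SUSPECT {path}: {reason}")
```

Compressed or otherwise encrypted data that happens to lack a recognised header also scores near 8 bits per byte, so each hit is a lead to verify rather than a finding.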