TC-Detective


This script walks an entire drive and applies three filters to every file — a size test (the file size must be a multiple of 512 bytes), an entropy test on the first 2 KB, and an exclusion test against a list of known file signatures — and produces a list of potential TrueCrypt/VeraCrypt volumes. Treat the output as a triage list rather than proof: any high-entropy file whose format is not in the signature list (other encrypted containers, compressed archives, media) is reported too, and genuine volumes can be missed when their first 2 KB scores just below the entropy threshold.
See this post for more information: Detect TrueCrypt and Veracrypt volumes

Language: Python

Download “TC-Detective” TC-Detective.zip – Downloaded 97 times – 2 KB

Download “Signatures” signatures.csv – Downloaded 154 times – 3 KB

#
# Author: Nick Raedts - Raedts.biz
# TC-Detective: Scan an entire drive for possible TrueCrypt or VeraCrypt volumes
# Last update: 12-02-2018
# 
# Usage: TC-Detective.py X
# X = Driveletter
# Results are saved to a log file (TC-D_Log_<timestamp>.txt) in the current working directory;
# signatures.csv is read from the current working directory as well, so run the script from its own folder
#
# entropy function based on this post
# http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
#

import collections
import csv
import datetime
import math
import os
import sys
import time

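# Root of the scan, built from the drive letter on the command line.
# os.walk on a root that does not exist yields nothing and raises nothing, so
# a mistyped or missing drive letter would otherwise end in a clean-looking
# empty log; fail loudly instead.
if len(sys.argv) != 2 or len(sys.argv[1]) != 1 or not sys.argv[1].isalpha():
    sys.exit('Usage: TC-Detective.py X   (X = drive letter, e.g. C)')
rootdir = sys.argv[1] + ':\\'
if not os.path.isdir(rootdir):
    sys.exit('Drive not found or not accessible: ' + rootdir)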

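# This function calculates the Shannon entropy
def entropy(string):
    """Return the Shannon entropy of *string* in bits per symbol.

    Accepts ``bytes`` (symbols are byte values, so the result lies in
    [0, 8]) or ``str`` (symbols are characters). A single repeated symbol
    gives 0.0, and so does empty input — the previous implementation
    divided by ``len(string)`` and raised ZeroDivisionError on an empty
    file, which aborted a whole-drive scan.
    """
    total = len(string)
    if total == 0:
        return 0.0
    counts = collections.Counter(string)
    # -sum(p * log2(p)) over the observed symbols only (unseen symbols contribute 0)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())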

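# This function reads the signatures into a list of rows
def readsignatures(filename):
    """Load the signature table from the CSV file at *filename*.

    Returns a list of rows (each a list of strings) in file order. Only
    ``row[1]`` is consumed by tcvcdetect, and it is compared against the
    file header rendered as upper-case hex pairs separated by single spaces
    ("4D 5A 90 00"), so entries must be written in exactly that form.

    Rows with fewer than two fields — typically a trailing blank line, which
    csv.reader yields as ``[]`` — are dropped, because such a row would
    raise IndexError in the middle of a scan.

    The file is opened with ``newline=""`` as the csv module documents; the
    former ``"rU"`` mode was removed in Python 3.11.
    """
    with open(filename, newline="") as ifile:
        reader = csv.reader(ifile, delimiter=",")
        return [row for row in reader if len(row) >= 2]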

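# This function checks whether a file is possibly an encrypted volume
def tcvcdetect(file, *, chunk_size=2048, threshold=7.9, sigs=None, log=None):
    """Return 1 if *file* looks like a TrueCrypt/VeraCrypt container, else 0.

    Three filters run in order, cheapest first; the file is rejected (0) as
    soon as one fails:

    1. Size test: the size must be a multiple of 512 bytes.
    2. Entropy test: the Shannon entropy of the first ``chunk_size`` bytes
       must be at least ``threshold`` bits per byte.
    3. Signature test: the first 32 bytes, rendered as upper-case hex pairs
       separated by spaces ("4D 5A ..."), must not contain ``row[1]`` of any
       entry in the signature table. It is a substring match, so an entry is
       not tied to offset 0, and a lower-case entry never matches.

    Keyword-only parameters:
      chunk_size  bytes sampled for the entropy test (default 2048).
      threshold   minimum entropy to pass, in bits per byte (default 7.9).
      sigs        signature table (list of rows); defaults to the
                  module-level ``signatures``.
      log         writable text stream for error lines; defaults to the
                  module-level ``logfile``.

    A path that cannot be stat'ed or read is logged and reported as 0
    rather than aborting the scan; the file handle is always closed. An
    empty file is 0 (the entropy of nothing is not defined).

    A 1 is a lead, not a verdict: any high-entropy file whose format is not
    in the signature table (archives, media, other encrypted containers,
    random data) is reported as well.
    NOTE(review): with only 2048 samples over 256 byte values, the plug-in
    entropy estimate of uniformly random data is biased low by roughly
    0.09 bit, i.e. it sits at about 7.9 — genuine volumes can land just
    under the default threshold. A larger chunk_size (e.g. 65536) trades
    scan time for fewer misses; confirm against known volumes before relying
    on the defaults.
    """
    sig_list = signatures if sigs is None else sigs
    out = logfile if log is None else log

    def report_error():
        out.write('Error reading file: "' + file + '"\n')

    # Division test
    try:
        size = os.path.getsize(file)
    except OSError:
        report_error()
        return 0
    if size % 512 != 0:
        return 0

    # One read serves both the entropy test and the signature test
    try:
        with open(file, 'rb') as in_file:
            data = in_file.read(chunk_size)
    except OSError:
        report_error()
        return 0
    if not data:
        return 0

    # Entropy test
    if entropy(data) < threshold:
        return 0

    # Signature test: a recognised format means it is not a raw encrypted container
    header = " ".join('{:02X}'.format(byte) for byte in data[:32])
    if any(sig[1] in header for sig in sig_list):
        return 0

    return 1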

                                                                                                # Main script
  
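# signatures.csv is looked up next to this script so the scan works from any
# working directory; the log still goes to the current working directory.
# Reading every file on a live system may update last-access timestamps —
# for evidence handling prefer a write-blocked image over the original drive,
# and keep the working directory off the drive under examination.
script_dir = os.path.dirname(os.path.abspath(__file__))
signatures = readsignatures(os.path.join(script_dir, "signatures.csv"))
started = datetime.datetime.now()
tss = started.strftime('%d%m%Y %H%M%S')                   # for the log file name
ts = started.strftime('%d-%m-%Y %H:%M:%S')                # for the log header


def _log_walk_error(err):
    # os.walk silently skips directories it cannot list; record them so an
    # empty result cannot be mistaken for a complete scan.
    logfile.write('Error reading directory: "' + str(err.filename) + '"\n')


# The context manager closes the log on normal exit and if the scan dies mid-way.
with open('TC-D_Log_' + tss + '.txt', 'a') as logfile:
    logfile.write('TC-Detective Logfile generated on ' + ts + ' \n\n')
    for subdir, dirs, files in os.walk(rootdir, onerror=_log_walk_error):
        for name in files:
            path = os.path.join(subdir, name)
            # The \\?\ prefix lifts the Win32 MAX_PATH limit; it needs an
            # absolute path, which rootdir ("X:\") guarantees.
            if tcvcdetect(u"\\\\?\\" + path):
                print(path)                                 # echo every hit to the screen
                logfile.write('Possible encrypted volume: "' + path + '"\n')
    finished = datetime.datetime.now().strftime('%d-%m-%Y %H:%M:%S')
    logfile.write('\nTC-Detective completed scan on ' + finished)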