This script walks an entire drive and applies three tests to every file — a size test (the size must be a multiple of 512 bytes), an entropy test on the first 2048 bytes, and a signature test (no known file header in the first 32 bytes) — and lists the files that pass all three as potential TrueCrypt/VeraCrypt volumes. Because any sector-aligned, high-entropy file without a recognised header satisfies the tests (other encrypted containers, random-data files, compressed formats missing from the signature list), the output is a triage list of candidates, not a confirmation.
See this post for more information: Detect TrueCrypt and Veracrypt volumes
Language: Python
Download “TC-Detective” TC-Detective.zip – Downloaded 1854 times – 2 KB
Download “Signatures” signatures.csv – Downloaded 1461 times – 3 KB
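#
# Author: Nick Raedts - Raedts.biz
# TC-Detective: Scan an entire drive for possible TrueCrypt or VeraCrypt volumes
# Last update: 12-02-2018
#
# Usage: TC-Detective.py X
# X = Driveletter
# Results are saved to a log file in the current working directory (the log is
# opened with a relative name, so it lands wherever the script is run from).
#
# entropy function based on this post
# http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
#
# How detection works - all three tests must pass for a file to be reported:
#   1. size test      - the size is a non-zero multiple of 512 bytes
#   2. entropy test   - the first 2048 bytes have Shannon entropy >= 7.9 bits/byte
#   3. signature test - no signature from signatures.csv occurs in the hex dump
#                       of the first 32 bytes
# Anything that is sector-aligned, high-entropy and header-less therefore shows
# up: encrypted containers, but also random-data files or compressed formats
# whose magic is missing from the CSV. Treat the log as a triage list.
#
import csv
import datetime
import math
import os
import sys
import time
from collections import Counter

SECTOR_SIZE = 512          # container sizes are expected to be sector aligned
CHUNK_SIZE = 2048          # bytes sampled for the entropy test
ENTROPY_THRESHOLD = 7.9    # bits per byte; 8.0 is the maximum for byte data
HEADER_BYTES = 32          # bytes dumped to hex for the signature test
SIGNATURE_FILE = "signatures.csv"

# Defaults used by tcvcdetect() when the caller passes no signature list or log
# handle, so the original one-argument call shape tcvcdetect(path) still works.
signatures = []
logfile = None


def entropy(string):
    """Return the Shannon entropy of *string* in bits per symbol.

    *string* may be bytes or str; each distinct byte/character is one symbol,
    so the result lies in [0, 8] for byte data. Empty input returns 0.0 (the
    original divided by len() and raised ZeroDivisionError on a zero-length
    read).
    """
    total = len(string)
    if total == 0:
        return 0.0
    # Counter is one pass over the sample; the original called count() once per
    # distinct symbol, i.e. up to 256 passes.
    result = 0.0
    for count in Counter(string).values():
        p = count / total
        result -= p * math.log(p, 2)
    return result


def readsignatures(filename):
    """Read the comma-separated signature file and return its rows.

    Returns a list of rows (each a list of strings) exactly as csv.reader
    yields them. Column 1 of each row is expected to hold the signature as
    hex bytes separated by spaces (e.g. "4D 5A"); case is normalised later by
    tcvcdetect(). No header row is stripped - a non-hex value can never be a
    substring of the hex dump, so it is harmless.
    """
    # newline="" is what the csv module documents; mode "rU" was removed in
    # Python 3.11.
    with open(filename, newline="") as ifile:
        return list(csv.reader(ifile, delimiter=","))


def _signature_patterns(rows):
    """Normalise signature rows to upper-case hex strings for substring matching.

    Rows with fewer than two columns or an empty signature are skipped: the
    original indexed row[1] unguarded (IndexError on a short row), and an empty
    signature is a substring of every header, which rejected every file.
    """
    patterns = []
    for row in rows:
        if len(row) < 2:
            continue
        pattern = row[1].strip().upper()
        if pattern:
            patterns.append(pattern)
    return patterns


def tcvcdetect(file, sigs=None, log=None, *, chunk_size=CHUNK_SIZE,
               entropy_threshold=ENTROPY_THRESHOLD):
    """Return True when *file* looks like it could be an encrypted volume.

    Tests run cheapest first; the first failure returns False:
      size test      - size is a non-zero multiple of SECTOR_SIZE
      entropy test   - entropy() of the first *chunk_size* bytes is at least
                       *entropy_threshold*
      signature test - none of the signatures in *sigs* occurs in the
                       space-separated hex dump of the first HEADER_BYTES bytes

    sigs: rows as returned by readsignatures(); defaults to the module-level
          ``signatures`` list.
    log:  file-like object that receives 'Error reading file: "<path>"' lines;
          defaults to the module-level ``logfile`` (no logging when None).

    Caveats for anyone using the result forensically:
      * the signature match is a plain substring test on the hex dump, so it
        is not byte aligned ("D 5A" would match "4D 5A") - keep signatures as
        whole bytes in the CSV;
      * an unreadable file (locked, no permission, vanished mid-scan) is
        logged and reported as not-a-volume, so a run without sufficient
        privileges can miss volumes - check the log for errors;
      * only the first *chunk_size* bytes are sampled for entropy.
    """
    if sigs is None:
        sigs = signatures
    if log is None:
        log = logfile

    def report_error():
        if log is not None:
            log.write('Error reading file: "' + file + '"\n')

    try:
        size = os.path.getsize(file)
    except OSError:
        # The original let this propagate and aborted the whole scan on a file
        # that disappeared or could not be stat'ed.
        report_error()
        return False
    if size == 0 or size % SECTOR_SIZE != 0:
        return False
    try:
        with open(file, "rb") as fh:
            data = fh.read(chunk_size)
    except OSError:
        report_error()
        return False
    if entropy(data) < entropy_threshold:
        return False
    # The header is the start of the chunk already in memory; the original
    # re-opened the file for it and never closed either handle.
    header = " ".join("{:02X}".format(byte) for byte in data[:HEADER_BYTES])
    return not any(pattern in header for pattern in _signature_patterns(sigs))


def main(argv=None):
    """Scan the drive given as the single argument and write candidates to
    TC-D_Log_<timestamp>.txt in the current directory.

    Returns a process exit code: 2 on bad usage, otherwise 0.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 1:
        print("Usage: TC-Detective.py <driveletter>")
        return 2
    # Accept "C", "C:" or "C:\" and always build "C:\".
    rootdir = args[0].rstrip(":\\") + ":\\"
    sigs = readsignatures(SIGNATURE_FILE)

    start = datetime.datetime.fromtimestamp(time.time())
    logname = "TC-D_Log_" + start.strftime("%d%m%Y %H%M%S") + ".txt"
    with open(logname, "a") as log:
        log.write("TC-Detective Logfile generated on "
                  + start.strftime("%d-%m-%Y %H:%M:%S") + " \n\n")

        def listing_error(err):
            # os.walk silently skips directories it cannot list; record them so
            # a scan run without enough privileges is visibly incomplete.
            log.write('Error listing directory: "' + str(err.filename) + '"\n')

        # followlinks defaults to False, so symlinked directories are not
        # descended. NOTE(review): other Windows reparse points (junctions) may
        # still be walked depending on the Python version - confirm on the
        # target interpreter if duplicate hits or loops are seen.
        for subdir, dirs, files in os.walk(rootdir, onerror=listing_error):
            for name in files:
                path = os.path.join(subdir, name)
                # \\?\ is the Windows extended-length path prefix so files
                # deeper than MAX_PATH can still be opened.
                if tcvcdetect(u"\\\\?\\" + path, sigs, log):
                    print(path)
                    log.write('Possible encrypted volume: "' + path + '"\n')
        finished = datetime.datetime.fromtimestamp(time.time())
        log.write("\nTC-Detective completed scan on "
                  + finished.strftime("%d-%m-%Y %H:%M:%S"))
    return 0


if __name__ == "__main__":
    sys.exit(main())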