This script performs a size, signature and entropy test on a file of your choice — a quick way to check whether a file you suspect of being an encrypted (TrueCrypt/VeraCrypt) volume passes the tests. Passing all three is consistent with an encrypted volume but is not proof of one: any high-entropy data without a recognised header (compressed archives, other ciphertext, random keyfiles) passes the same tests.
See this post for more information: Detect TrueCrypt and VeraCrypt volumes
Language: Python 3
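#
# Author: Nick Raedts - Raedts.biz
# TC-FileDetective: Check if a file could be an encrypted volume.
# Last update: 12-02-2018
#
# Usage: TC-FileDetective.py file
#   File = file you want to analyze
#   Results are printed to the screen
#
# entropy function based on this post
# http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
#
"""Heuristic check whether a file could be a TrueCrypt/VeraCrypt container.

Three tests are run on the file named on the command line:

* Header check   - the first HEADER_BYTES bytes are compared against the
  signatures in signatures.csv; a match means the file is a known format
  and therefore (by this tool's logic) not an encrypted volume.
* Division check - the script assumes TC/VC containers are sized in whole
  512-byte sectors, so the file size must be a multiple of SECTOR_SIZE.
* Entropy test   - the Shannon entropy of the first ENTROPY_SAMPLE_SIZE
  bytes must exceed ENTROPY_THRESHOLD bits per byte.

Passing all three is *consistent with* an encrypted volume, not proof of
one: compressed archives, other ciphertext and random key material with
no recognised header pass the same tests, and a container whose size or
header has been altered fails them. Treat the verdicts as triage hints.
"""
import csv
import math
import os
import sys
from collections import Counter

SECTOR_SIZE = 512             # division check: size must be a multiple of this
ENTROPY_SAMPLE_SIZE = 2048    # bytes fed to the entropy test
ENTROPY_THRESHOLD = 7.9       # bits per byte; 8.0 is the theoretical maximum
HEADER_BYTES = 32             # bytes compared against the signature list
SIGNATURE_FILE = "signatures.csv"


def entropy(string):
    """Return the Shannon entropy of *string* in bits per symbol.

    *string* may be ``bytes`` (each byte is a symbol) or ``str`` (each
    character is a symbol). For bytes the result lies in [0.0, 8.0].
    Empty input returns 0.0 instead of raising ``ZeroDivisionError``.
    """
    length = len(string)
    if length == 0:
        return 0.0
    # Counter gives one frequency per distinct symbol in a single pass
    # instead of a .count() scan per distinct symbol (O(n * k)).
    probabilities = (count / length for count in Counter(string).values())
    # Negating each term (rather than the final sum) keeps a single-symbol
    # input at +0.0 instead of -0.0, which would print as "-0.0".
    return sum(-p * math.log2(p) for p in probabilities)


def readsignatures(filename):
    """Return every row of the signature CSV *filename* as a list of strings.

    Expected layout is one signature per row: column 0 is the label (file
    extension) reported on a match, column 1 the signature as
    space-separated hex byte pairs, e.g. ``exe,4D 5A``. Rows are returned
    unvalidated; ``signature_check`` skips malformed or empty ones.

    Raises ``OSError`` if the file cannot be opened.
    """
    # newline="" is the csv module's documented contract; the old "rU"
    # mode was removed in Python 3.11 and raises ValueError there.
    with open(filename, newline="") as ifile:
        return list(csv.reader(ifile, delimiter=","))


def find_signature_file():
    """Return the path of the signature list to load.

    A copy next to this script wins, so the tool works from any current
    directory; otherwise the original behaviour (a bare relative path
    resolved against the current directory) is kept.
    """
    beside_script = os.path.join(
        os.path.dirname(os.path.abspath(__file__)), SIGNATURE_FILE
    )
    return beside_script if os.path.exists(beside_script) else SIGNATURE_FILE


def division_check(size):
    """Return the division-test verdict for a file of *size* bytes.

    The verdict carries the remainder, e.g. ``Passed (0)`` or
    ``Failed (488)``.
    """
    remainder = size % SECTOR_SIZE
    verdict = "Passed" if remainder == 0 else "Failed"
    return "%s (%d)" % (verdict, remainder)


def entropy_check(sample):
    """Return the entropy-test verdict for *sample* (bytes).

    Callers pass at most ENTROPY_SAMPLE_SIZE bytes. With a 2048-byte
    sample even uniformly random data scores only about 7.9 bits per
    byte (the plug-in estimate is biased low by roughly
    (256 - 1) / (2 * N * ln 2) bits), so the 7.9 threshold is tight and
    genuine ciphertext can occasionally fail; files much smaller than the
    sample size cannot reach it at all. Raise ENTROPY_SAMPLE_SIZE to make
    the test more discriminating. Empty input yields ``Failed (0.0)``.
    """
    value = entropy(sample)
    verdict = "Passed" if value > ENTROPY_THRESHOLD else "Failed"
    return "%s (%s)" % (verdict, value)


def signature_check(header, signatures):
    """Return the header-test verdict for the leading *header* bytes.

    *header* is rendered as upper-case hex byte pairs separated by single
    spaces (``"4D 5A 90 00 ..."``) and each signature from *signatures*
    (rows as returned by ``readsignatures``) is searched for as a
    substring of that text, so a signature matches at any byte offset
    within the header, not only at offset 0. Signatures are normalised
    to the same spacing and case first; rows without a signature column
    or with an empty signature are skipped, because an empty string is a
    substring of everything and would mark every file as ``Failed``.

    Returns ``Passed (unknown format)`` when nothing matched, otherwise
    ``Failed (<label>[,<label>...])`` listing every matching row's label
    in file order.
    """
    hex_header = " ".join("%02X" % byte for byte in header)
    matched = []
    for row in signatures:
        if len(row) < 2:
            continue
        signature = " ".join(row[1].split()).upper()
        if signature and signature in hex_header:
            matched.append(row[0])
    if not matched:
        return "Passed (unknown format)"
    return "Failed (%s)" % ",".join(matched)


def main(argv=None):
    """Run the three tests on the file named in *argv* and print a report.

    *argv* defaults to ``sys.argv[1:]``. Returns the process exit status:
    0 after printing a report, 1 when the target or the signature list
    cannot be read, 2 on a usage error. The report layout is unchanged
    from the original script.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 1:
        sys.stderr.write("Usage: TC-FileDetective.py file\n")
        return 2
    path = args[0]

    try:
        size = os.path.getsize(path)
        # One read covers both the entropy sample and the header bytes;
        # the with-block closes the handle (the original left two open).
        with open(path, "rb") as in_file:
            data = in_file.read(max(ENTROPY_SAMPLE_SIZE, HEADER_BYTES))
    except OSError as exc:
        sys.stderr.write("Cannot read %s: %s\n" % (path, exc))
        return 1

    try:
        signatures = readsignatures(find_signature_file())
    except OSError as exc:
        sys.stderr.write("Cannot read signature list: %s\n" % exc)
        return 1

    detected = signature_check(data[:HEADER_BYTES], signatures)
    division = division_check(size)
    entropytest = entropy_check(data[:ENTROPY_SAMPLE_SIZE])

    print("================================")
    print("TC/VC Quicktest")
    print("================================")
    print("file: %s" % path)
    print("")
    print("results")
    print("")
    print("Header check:\t%s" % detected)
    print("Division check:\t%s" % division)
    print("Entropy test:\t%s" % entropytest)
    return 0


if __name__ == "__main__":
    sys.exit(main())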