Abstract: TrueCrypt as one of the popular free open source encryption software has been widely applied on different platforms. Forensics process often to detected encrypted file for further decrypt and analysis, but TrueCrypt container has no signature and structure, so it is a difficult to detect TrueCrypt container. In view of the TrueCrypt container file, there is no accurate detection method, the available technology is signature rule out combined file size limit to detect TrueCrypt container. In this paper, on the basis of the existing detection technology, combined with chi-square test and information entropy theory, we came up with a fast TrueCrypt container detection technology. This method not only can quickly detect TrueCrypt container, but higher precision compared with the existing detection methods.

Key words: file signature, sector size, chi-square, significance level, information entropy