Bottom Line Up Front (BLUF):

VeraCrypt Portable on Windows 10 leaves behind a wealth of artifacts – revealing associated drive letters, volume size, and other traces of usage. Scroll to the bottom of this page if you’d like to skip to the artifacts. VeraCrypt developers have addressed these types of artifacts here.

Introduction

Welcome to the first post! I would like to kick off this blog by starting a “Tracking Encryption” series – a series where I am focused on the behaviors associated with encryption usage. In this post I will outline how to identify Windows artifacts associated with VeraCrypt usage. Please note, this is not an exhaustive post about VeraCrypt artifacts – this post will not discuss cracking into VeraCrypt containers (I’ll save that for a future post). Consider this more of a “quick look” at what is left behind after someone uses VeraCrypt.

The intent of this post isn’t just to give you a list of artifacts (although you can find that at the bottom) – I also want to show how they are discovered. Maybe you are looking to get into digital forensics; perhaps you are a college student with a similar assignment, or maybe even you’re a forensics professional looking to grow your skillset.

Background

VeraCrypt has been a popular successor to TrueCrypt. I won’t go into the mysterious history of TrueCrypt, but suffice it to say that many folks were shaken up after the open-source application collapsed. I believe that experience is why VeraCrypt has taken a much more open and transparent approach.

VeraCrypt is a volume-based encryption application. Think of these volumes as miniature filesystems stored in a single file (a poor example would be zip files – a file containing other files). When mounted, the volumes show up under “My Computer” – just like removable media. This is important to keep in mind when analyzing the results of our test environment.

Creating A Test Environment

For this post we’re going to download and install Windows 10 Pro in VirtualBox. The VirtualBox snapshot feature will prove useful if we need to dial back any changes.

Our main tools to track down artifacts are going to be Regshot and ProcMon (from SysInternals). We are going to look for artifacts from installing the application, running the application, and mounting volumes. In a future post I may cover analysis of VeraCrypt using open source forensics tools like Autopsy and Volatility. Let me know if this is something you’d like to see.

We will focus on artifacts from VeraCrypt Portable instead of the installed version: the portable version is intended to be lighter weight, so it likely leaves fewer artifacts, and many users would choose it for exactly that reason. The version used in this testing is “VeraCrypt Portable 1.23-Hotfix-2.exe”.

Here is a rough outline of the steps followed to generate artifacts:

  1. Take a VM snapshot.
  2. Create and save a text document using Notepad.
  3. Launch the VeraCrypt Portable “installer” (the .exe that unpacks VeraCrypt).
  4. Take the first RegShot snapshot.
  5. Launch ProcMon.
  6. Launch VeraCrypt and create a VeraCrypt container.
     [Screenshot: Creating a 500MB VeraCrypt Volume]
  7. Mount the VeraCrypt volume.
     [Screenshot: A Mounted VeraCrypt Volume]
  8. Interact with the VeraCrypt volume: move a file into the container; open the file in the container; edit the file; delete the file; remove the file from the Recycle Bin.
  9. Close the VeraCrypt volume.
  10. Stop ProcMon.
  11. Take the second RegShot snapshot.
  12. Export the ProcMon and RegShot results.
  13. Take another VM snapshot.
  14. Analyze!

Examining The Results

RegShot has a great “Compare” feature, and ProcMon is invaluable when looking for artifacts in a controlled environment.

[Screenshot: ProcMon’s filters are a great way to filter out the noise]

Key Added: HKLM\SYSTEM\ControlSet001\Services\veracrypt

This is interesting – a service is set up on Windows even though we used the portable version.

Key Added: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1315876150-3456151940-2672049916-1001\\Device\HarddiskVolume2\Users\user\Downloads\VeraCrypt\VeraCrypt-x64.exe: A3 51 C9 42 A8 9F D4 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 
Key Added: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1315876150-3456151940-2672049916-1001\\Device\HarddiskVolume2\Users\user\Downloads\VeraCrypt\VeraCrypt Format-x64.exe:  85 C7 79 75 A8 9F D4 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00

According to work from Costas Katsavounidis, this key can be used as an alternative to Prefetch to show application usage (source: LinkedIn post). Mr. Katsavounidis says, “Bam is a Windows service that controls activity of background applications.”

There are some great nuggets of truth in this registry key:

  1. The user’s Security Identifier (SID) is in the key path. This is great for multi-user systems: it is quick and easy to identify which user launched a given application.
  2. The value of each key is stored as a Windows FILETIME (64-bit, little-endian) and indicates the last execution time.
  3. Even though we only launched the VeraCrypt executable ourselves, we also see the launch of the VeraCrypt Format executable. We can infer the last time a VeraCrypt volume was created based off the associated bam timestamp.
Key Added: HKU\S-1-5-21-1315876150-3456151940-2672049916-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9b9fa3e6-080e-11e9-bb3f-08002768ef66}
Value Added: HKU\S-1-5-21-1315876150-3456151940-2672049916-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9b9fa3e6-080e-11e9-bb3f-08002768ef66}\MaxCapacity: 0x00000031

This is the really interesting stuff! The BitBucket registry key is used to track Recycle Bin settings (in this case, the Recycle Bin’s maximum size). This registry key fits with our VeraCrypt volume – Windows defaults to a Recycle Bin size of 10% of the volume size. Our VeraCrypt volume was 500MB, and this Recycle Bin is set to 50MB.

The MountedDevices key under the System registry is incredibly useful for removable media analysis because it reveals details about drive mappings. It turns out that the MountedDevices key is really useful for VeraCrypt analysis, too, since VeraCrypt volumes are treated very similarly to removable media. We actually see the above-mentioned volume GUID in the MountedDevices:

HKLM\SYSTEM\MountedDevices\\??\Volume{9b9fa3e6-080e-11e9-bb3f-08002768ef66}:  56 65 72 61 43 72 79 70 74 56 6F 6C 75 6D 65 56

The key content (56 65 72 61 43 72 79 70 74 56 6F 6C 75 6D 65 56) is in hexadecimal. Converting this to ASCII, we learn it is the hex encoding of “VeraCryptVolumeV”, where the trailing “V” is the drive letter the volume was mounted as. This is definitely referencing our volume!

[Screenshot: The MountedDevices key can reveal VeraCrypt volume mappings]

HKU\S-1-5-21-1315876150-3456151940-2672049916-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9b9fa3e6-080e-11e9-bb3f-08002768ef66}\NukeOnDelete: 0x00000000

It is also worth noting the “NukeOnDelete” registry value – the Recycle Bin is bypassed (deleted files are removed immediately) if this value is set to “1”.
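As an added example (not part of the original post), here is a small Python triage script that decodes the three registry artifacts discussed above from RegShot-style “<path>: <data>” lines: the BAM FILETIME, the BitBucket MaxCapacity, and the MountedDevices tag. The line format, function names and the sample list are my own construction, built from the SID, GUID and hex values quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the "<registry path>: <data>" style of the RegShot output quoted in this post.
SAMPLE = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1315876150-3456151940-2672049916-1001\\Device\HarddiskVolume2\Users\user\Downloads\VeraCrypt\VeraCrypt-x64.exe: A3 51 C9 42 A8 9F D4 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00",
    r"HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1315876150-3456151940-2672049916-1001\\Device\HarddiskVolume2\Users\user\Downloads\VeraCrypt\VeraCrypt Format-x64.exe: 85 C7 79 75 A8 9F D4 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00",
    r"HKU\S-1-5-21-1315876150-3456151940-2672049916-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9b9fa3e6-080e-11e9-bb3f-08002768ef66}\MaxCapacity: 0x00000031",
    r"HKLM\SYSTEM\MountedDevices\\??\Volume{9b9fa3e6-080e-11e9-bb3f-08002768ef66}: 56 65 72 61 43 72 79 70 74 56 6F 6C 75 6D 65 56",
]
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

def filetime_to_utc(raw):
    """First 8 bytes of a BAM value are a FILETIME, 64-bit little-endian."""
    return FILETIME_EPOCH + timedelta(microseconds=int.from_bytes(raw[:8], "little") // 10)

def parse_bam(path, hexdata):
    # The SID follows UserSettings\; the executable is the last path component.
    sid = re.search(r"UserSettings\\(S-1-5-[\d-]+)", path).group(1)
    return {"artifact": "bam", "sid": sid, "exe": path.rsplit("\\", 1)[-1],
            "last_run_utc": filetime_to_utc(bytes.fromhex(hexdata))}

def parse_bitbucket(path, value):
    # MaxCapacity is the Recycle Bin cap in whole MB; the 10% default makes x10 a rounded-down volume estimate.
    mb = int(value, 16)
    return {"artifact": "bitbucket", "guid": GUID_RE.search(path).group(1),
            "recycle_bin_mb": mb, "estimated_volume_mb": mb * 10}

def parse_mounted_device(path, hexdata):
    # A VeraCrypt mount tags the volume GUID with ASCII "VeraCryptVolume<drive letter>".
    tag = bytes.fromhex(hexdata).decode("ascii", errors="replace")
    is_vc = tag.startswith("VeraCryptVolume")
    return {"artifact": "mounted_devices", "guid": GUID_RE.search(path).group(1),
            "veracrypt": is_vc, "drive_letter": tag[15:] if is_vc else None}

def triage(line):
    """Route one RegShot-style line to its decoder; None for lines of no interest."""
    path, _, data = line.partition(": ")
    if "\\Services\\bam\\UserSettings\\" in path:
        return parse_bam(path, data)
    if "\\BitBucket\\" in path and path.endswith("\\MaxCapacity"):
        return parse_bitbucket(path, data)
    if "\\MountedDevices\\" in path:
        return parse_mounted_device(path, data)
    return None

if __name__ == "__main__":
    print(*filter(None, map(triage, SAMPLE)), sep="\n")
```

Run against the sample, the two BAM entries show VeraCrypt Format launching about 85 seconds after VeraCrypt itself, and the MaxCapacity value 0x31 decodes to 49 MB.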

Evidence in the Traditional Locations, Too

As expected, we also see evidence of VeraCrypt in the more traditional locations – ShellBags and Prefetch.

Eric Zimmerman’s ShellBags Explorer is the application used in this screenshot.

VeraCrypt Artifacts

So if you are in a situation where you need to find evidence of VeraCrypt – or you need to determine the size of a (missing) VeraCrypt volume:

HKLM\SYSTEM\ControlSet001\Services\veracrypt
    Indicates VeraCrypt is running as a service.

HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\Device\<HDD>\Users\<UserName>\<FilePath>\VeraCrypt\VeraCrypt-x64.exe
    Similar to Prefetch, this reveals when VeraCrypt was last executed.

HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\Device\<HDD>\Users\<UserName>\<FilePath>\VeraCrypt\VeraCrypt Format-x64.exe
    This suggests a VeraCrypt volume was created.

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{<VolumeGUID>}\MaxCapacity: <HexValue>
    Unless Recycle Bin settings have been altered, this indicates 10% of the size of the given (VeraCrypt) volume.

HKLM\SYSTEM\MountedDevices\??\Volume{<VolumeGUID>}
    If the key value says “VeraCryptVolume<Letter>”, the given VolumeGUID is associated with a VeraCrypt volume.

Prefetch
    If enabled, Prefetch will contain evidence of VeraCrypt usage.

ShellBags
    This can indicate VeraCrypt volume contents, but the timestamps must be corroborated.

Conclusion

I don’t think it is a surprise that Windows artifacts tell us a lot about how VeraCrypt is used on a system. What surprises me, though, is the depth and volume of the artifacts – there are a lot of areas I didn’t cover in this post (Windows Event Logs, Prefetch, Windows Error Reporting, LNK Files) that will undoubtedly contain more information.

I think there are a lot of directions to go from here. More in-depth analysis of VeraCrypt, a detailed examination of other encryption products, or even looking at some bogus encryption tools (whether “fake” TrueCrypt/VeraCrypt or mobile applications).

What do you think? Do you have any questions, comments, or thoughts on this post? Let me know – joe <AT> sparky.tech