"Forensics for Prosecutors" mentions backdoor in TrueCrypt (page 15) [pdf]

134 points by jhickner over 11 years ago

18 comments

EvanAnderson over 11 years ago
The reference to the names "Detective Stu Pitt" and "Detective Laughlin Foo" on the last page has me wondering about this. They both really, really sound like joke names. The similarity to the presenter's name (first slide) from the real North Dakota State Attorney's Association (NDSAA) presentation (http://www.ndsaa.org/Computer_Forensics_for_Prosecutors.pdf) also seems suspicious.

It has the look that somebody took the real NDSAA presentation, tweaked it up, and released it as a hoax.

Edit:

Here's a site that seems to be hosting the same PDF as part of an article dated 1 April 2013: http://www.techarp.com/showarticle.aspx?artno=770

WestCoastJustin over 11 years ago
A few gems in here besides the TrueCrypt statement, mainly that Apple iCloud and Dropbox are named, and the legal framework is touched upon.

    All cloud stored content are automatically hash-scanned and image-analyzed by their service providers and infringing content reported to NCMEC (p16)
    Mobile content are automatically scanned when they are synced with cloud storage like Apple iCloud or Dropbox. Mobile devices that are not cloud-synced can be accessed by their respective vendors (p16)

If I am reading this correctly, when you upload something to Apple iCloud or Dropbox, there is a background process which generates a hash of your content, then compares that hash with infringing content? What defense do companies have? What about proof that these claims are true (sources, etc)? Can anyone just leak a document that claims XYZ tech company spies on its users and everyone takes this as fact?

    Vendors are legally and commercially prevented from acknowledging their backdoors. Defense will not be able to prove their existence (p16)

Great, *blanket denial either way*! I hope this is a hoax!

necubi over 11 years ago
Are we all just going to take this seriously? It's pretty obviously a fake. Just look at the names at the end. Detective Laughlin Foo? Stu Pitt? Neither of which, incidentally, return anything in Google aside from this presentation. There's also a clear divergence in style on the backdoor slides, and it reads like a parody.

But the most obvious problem: if the NSA or whoever had a backdoor to TrueCrypt and Android and iOS, they would not send that information to a local DA office to be leaked.

Please don't set aside critical thinking just because something confirms your biases.

nitrogen over 11 years ago
Page 16 has some wonderful lines:

    • “Fruit of the poisonous tree” can be circumvented
    • The use of backdoors cannot be detected or proven
    • Vendors are legally and commercially prevented from acknowledging their backdoors. Defense will not be able to prove their existence
    • The files can be described as “forensically obtained”

c0achmcguirk over 11 years ago
This article is pretty interesting:

http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/

It claims TrueCrypt is a CIA honeypot.

tylerkahn over 11 years ago
http://en.wikipedia.org/wiki/Cold_boot_attack

There's your backdoor.

DannyBee over 11 years ago
If you use the link to the last year's presentation on the last page, and download it, you can see last year's presentation was made by "micah smith" (who apparently has become "michael smith" this year).

The entire presentation is clearly a copy of the previous year's presentation, with some words changed by some moron with an agenda whose understanding of criminal procedure came from watching too many Law and Order episodes.

Karunamon over 11 years ago
So there's a few possible ways to interpret this..

    * There is an actual hereto-unknown flaw in TrueCrypt's algorithms or implementations of algorithms that can be exploited.
    * They are referring to the only known attack, wherein keys can be recovered from RAM if the volume isn't unmounted correctly.
    * This is FUD designed to push people away from less-breakable encryption and onto software which actually /does/ have backdoors.
    * This is a hoax (pay special attention to the detectives' names on the slide)

I'm not sure what to make of it.

frenger over 11 years ago
TrueCrypt is open source. Can anyone find the backdoor?

noname999_666 over 11 years ago
Anybody ever heard of the "zSearch" software mentioned in the pdf?

After some more digging, found this document: http://www.ndsaa.org/Computer_Forensics_for_Prosecutors.pdf

Which states:

Free product by SA Eric Zimmerman

Random Access Memory Analysis:

* FBI - Salt Lake City, UT
* Distribution - eric[at]feeble-industries.com
* Plug-in live triage via USB
* Virtualization, encryption, mass storage, P2P, Gigatribe, picture & video preview, password gathering, and MORE!

Looks like LE agents can request a copy by registering for the guy's phpbb form here (judging by the registration terms, it's not open to the public):

https://feeble-industries.com/forums/ucp.php?mode=register

peter_l_downs over 11 years ago
Worth mentioning that TrueCrypt volumes can be hidden inside playable video files. Yes, it's security through obscurity, but hey, it makes me feel a little safer.

http://keyj.emphy.de/real-steganography-with-truecrypt/

xarball over 11 years ago
This really doesn't sound legit. I suspect they might be thinking of backdooring the TrueCrypt *client*, which, really wouldn't make it much of a feat.

The container format itself is really just a giant mathematical mess -- there really isn't anything to backdoor there.

And then the client doesn't exactly dial-out to anything when you mount an encrypted volume. Therefore I would suggest that this is probably a matter of using alternative means of access to the machine in order to patch the client itself.

That wouldn't exactly be worthy of the attention of the NSA, given that TrueCrypt *is* open-source.

NDizzle over 11 years ago
I was going to add that you can link directly to the page like this: http://cryptome.org/2013/09/computer-forensics-2013.pdf#page=15

Works in FF and Chrome in-browser readers.

Then I realized you should really skim every single page, rather than going straight to 15.

andrewpi over 11 years ago
Wouldn't any backdoor used in a criminal prosecution have to be disclosed to the defense?

azelfrath over 11 years ago
EDIT: Ignore that. I figured a slide show would not skip slides when you use arrow keys for navigation.

Can I get a direct quote? I'm not seeing any mention of TC on p15 or any other page.

pekk over 11 years ago
Not everything that looks like it comes from the government really does.

throwaeayq over 11 years ago
https://github.com/bwalex/tc-play this guy probably knows a thing or two about if it's safe

eruditely over 11 years ago
I laugh at 'white hat' prosecution based culture, there is a serious lack of ethics in the computer security profession.