TCHunt ng-Reveal encrypted files stored on a filesystem.
TCHunt-ng
TCHunt-ng attempts to reveal encrypted files stored on a filesystem. The program is successful in finding TrueCrypt, VeraCrypt, CipherShed containers; LUKS, EncFS, PGP/GPG encrypted files; OpenSSH and PEM private keys; password databases; files made up of random data. The code is based on ideas laid out in the project of Stephen Judge named TCHunt, hence the name. The original code has aged badly, having unnecessary dependencies and unfixed bugs. A rewrite seemed like a good idea.TCHunt-ng is a free software licensed under GPLv3.
TCHunt-ng performs following tests against content of a file to determine if it is of interest: Methodology
- Test against a database of well known file-types provided by libmagic.
- Test the size of a file to be greater than 19 kiB and of modulo 512. The test is performed only in TCHunt compatibility mode.
- Chi-squared test.
Usage
Usage: ./tchuntng [options] <file> [file ...]
Options:
-p preserve access time of files analyzed
-q quietly treat no result as success
-s show a file's classification
-T enable TCHunt compatibility mode
-v show version information
-h show usage information
Test a single file: Examples
$ tchuntng ./test/samples/message.txt.asc
Test multiple files located in the same directory:$ tchuntng ./*.*
Traverse a directory tree testing all the files:$ find ./ -type f | tchuntng -
The behavior of TCHunt-ng is affected by the following environment variables. Environment
The environment variable MAGIC can be used to override default magic file name. Please note that doing so may affect other programs that rely on libmagic.
TCHunt-ng exits with one of the following exit codes: Exit status
0
- content of a file is likely to be encrypted.1
- a generic error occured.2
- content of a file is not encrypted.3
- interrupted by a signal.
Dependencies
- libmagic >= 5.0
- glibc >= 2.0
On Ubuntu: Installation
sudo apt-get install libmagic-dev
On Fedora:sudo dnf install file-devel
Compile the source code and install the executable:make && sudo make install
Post a Comment