Things I’ve learned, published for the public benefit
Hope This Helps header image

The Hidden Shadow

The flower delivery van had been parked across the street for far too long. Cahey peered outside through the window blinds for the third time. By now he was certain they had him under surveillance. He had been careful not to discuss the subject matter of his current project with anyone, but there were a few souls at the Tribune who knew he was working on a major investigative piece. Apparently that was enough to spike the government’s interest.

Cahey lit a cigarette and reflected on the van’s relatively conspicuous location. Sloppy surveillance work or a deliberate attempt to scare him into silence? There was no way to know. He was, however, sure of one thing: if they came here, they would find nothing. Knowing that digital content was much easier to protect from prying eyes than papers, photographs and recordings, he had disposed of every physical record of his investigation, leaving only a digitized copy on the hard drive of his laptop computer. Two days ago, he had encrypted all this data using an open-source application called TrueCrypt, making sure to overwrite the original files several times before deletion. Now his data was unrecoverable without the password, and there was nothing anybody could do about it, not even the NSA with their army of PhD’s and their supercomputers. The spooks would be in for a surprise.

“Drrrrrt” — the sound of the doorbell pierced the smoke-infused air. Cahey glanced through the window. The van was gone. As he walked towards the door, he contemplated logging out of his Windows account, but decided against it. Bypassing that layer of security would be a trivial exercise, and it wouldn’t do the government much good anyway, given the fact that everything of interest was now encrypted. He opened the door. On his porch stood five serious-looking men in suits. “Stephen Cahey? We have a warrant to search the premises.”


Agent Jack Trallis looked at the machine he had been ordered to process. It was a pretty standard Dell laptop with a dual-core CPU and a 15-inch screen that was covered with fingerprints. “God, do I hate those glossy displays”, he muttered to himself. He was alone in the room; the other agents were in the living room questioning the suspect. Trallis noticed the prominent TrueCrypt icon on the machine’s desktop. “Uh oh. Strong encryption.” He fixed his eyes on the taskbar at the bottom of the screen. There was a row of oversized, unlabeled icons that reminded him of the Hackintosh he had once built for his girlfriend. The guy’s laptop was running Windows 7. There was still a chance.

He located the Documents folder, opened its Properties window, and clicked on the “Previous Versions” tab. Just as he thought, there were five previous versions of the folder – “shadow copies” created regularly by the operating system as part of the System Restore mechanism. As these snapshots were prepared silently in the background and stored on a hidden disk volume, few users were aware of them. Agent Trallis was smiling. The good guys from Redmond were going to make his job easy again.

He selected one of the snapshots and clicked Open. An Explorer window popped up, showing the contents of the Documents folder exactly as it had appeared three days ago. “This is too funny”, he thought. There was a subfolder labeled Project Foxhunt full of scanned documents and audio files. Trallis grabbed his radio. “Sir”, he called out to his commanding officer, “I’ve got something you might want to have a look at.”

For technical information on Volume Shadow Copy, read What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista

7 Comments so far

  • tony

    haha. This is good story-stelling, although I like this feature (seems like a semi VCS), but there should be a wait to disable some folders or files if not, that is a lot of waste of disk space for every folder and file.

  • Paul Whitaker

    Why not just encrypt the entire drive with Bitlocker?

  • Infestedtassadar

    To start off with, why wasn’t he using FDE (full disc encryption, that truecrypt offers) vs a file container and the machine turned OFF? They cant force you to give the password (see the 5th amendment.)

    Ether way, the contents of his laptop more then likely wont be admissible in court, as the data on the machine is in a state of modification once the machine receives power. The officers should of performed a dump of the data in ram and pulled the power to the machine.

  • Mark

    @Paul: BitLocker is flawed. lol It can be hacked using Microsoft’s own COFEE tool.

    Also, you can disable volume shadow copies manually 😉

  • daveyt

    Did someone just tamper/interfere with the computer? oops, that laptop just became inadmissable.

  • Tomasz

    There is a way to exclude certain folders by means of a fairly obscure registry setting. I will cover this in my mini-FAQ on Volume Shadow Copy, which I’ll be writing tonight. VSC is a pretty cool feature from a technological point of view.

  • a

    BitLocker isn’t flawed. Any machine with physical access can be compromised. COFEE can be used if the machine is still online before it is turned off to try and extract the encryption keys. And TrueCrypt FDE can be broken if someone can get an Evil Maid onto it, last I heard. These are just acceptable risks.

Leave a Comment