TChunt-Defeater is an anti-forensics tool, built in Delphi, that counters TChunt's ability to detect TrueCrypt-encrypted containers.
TChunt flags a file as a suspected container using these four attributes:
- No file header.
- File size is a multiple of 512 bytes (file size % 512 = 0).
- Successful χ² (chi-square) and arithmetic mean tests on certain bytes.
- File size greater than 19 KB (legacy) or 275 KB (current).
My tool counters the second attribute by appending a few NOPs to the end of the file, so that its size is no longer a multiple of 512. This is enough to fool TChunt.
See TChunt-Defeater in action below, step by step.
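
For examiners, the sketch below shows why the size gate is the fragile attribute and how a check that drops it still flags a padded file. It is an added example, not TChunt's or TChunt-Defeater's code. The thresholds, the 64 KiB sample, the magic-number list and all function names are assumptions, and the test data is constructed.

```python
import random

SECTOR = 512
MIN_SIZE = 275 * 1024   # "Current" size threshold from the list above
SAMPLE = 64 * 1024      # assumption: the page does not say which bytes are tested
MAGICS = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\x7fELF", b"GIF8")  # assumed subset

def looks_random(sample):
    """Chi-square and arithmetic-mean tests; both thresholds are assumptions."""
    counts = [0] * 256
    for b in sample:
        counts[b] += 1
    expected = len(sample) / 256
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    mean = sum(sample) / len(sample)
    return 150 < chi2 < 400 and abs(mean - 127.5) < 2.0

def base_checks(data):
    """Attributes 1, 3 and 4: no known header, random-looking, large enough."""
    return (len(data) > MIN_SIZE
            and not data.startswith(MAGICS)
            and looks_random(data[:SAMPLE]))

def four_attribute_check(data):
    """All four attributes, including the strict size % 512 == 0 gate."""
    return base_checks(data) and len(data) % SECTOR == 0

def tolerant_check(data):
    """Drop the modulo gate; report bytes past the last full sector instead."""
    tail = len(data) % SECTOR
    uniform_tail = tail > 0 and len(set(data[-tail:])) == 1
    return {"suspect": base_checks(data), "tail_bytes": tail,
            "uniform_tail": uniform_tail}

def constructed_container(size=300 * 1024, seed=1):
    """Constructed stand-in for encrypted data: seeded pseudo-random bytes."""
    return random.Random(seed).getrandbits(8 * size).to_bytes(size, "little")

if __name__ == "__main__":
    clean = constructed_container()
    padded = clean + b"\x90" * 3   # constructed: three trailing bytes
    for name, blob in (("clean", clean), ("padded", padded)):
        print(name, four_attribute_check(blob), tolerant_check(blob))
```

A short run of identical bytes after the last full sector of otherwise random-looking data is itself a useful triage signal, which is what `uniform_tail` reports.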