Data Leaks
When a VeraCrypt volume is mounted, the operating system and third-party applications may write to unencrypted volumes (typically, to the unencrypted system volume) unencrypted information about the data stored in the VeraCrypt volume (e.g. filenames and locations of recently accessed files, databases created by file indexing tools, etc.), or the data itself in an unencrypted form (temporary files, etc.), or unencrypted information about the filesystem residing in the VeraCrypt volume.
Note that Windows automatically records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. For example, Windows uses a set of Registry keys known as “shellbags” to store the name, size, view, icon, and position of a folder when using Explorer. Each time you open a folder, this information is updated including the time and date of access. Windows Shellbags may be found in a few locations, depending on operating system version and user profile. On a Windows XP system, shellbags may be found under "HKEY_USERS\{USERID}\Software\Microsoft\Windows\Shell\" and "HKEY_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\". On a Windows 7 system, shellbags may be found under "HEKY_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\". More information available at https://www.sans.org/reading-room/whitepapers/forensics/windows-shellbag-forensics-in-depth-34545.
Also, starting from Windows 8, every time a VeraCrypt volume that is formatted using NTFS is mounted, an Event 98 is written for the system Events Log and it will contain the device name (\\device\VeraCryptVolumeXX) of the volume. This event log "feature"
was introduced in Windows 8 as part of newly introduced NTFS health checks as explained
here. To avoid this leak, the VeraCrypt volume must be mounted
as a removable medium. Big thanks to Liran Elharar for discovering this leak and its workaround.
In order to prevent data leaks, you must follow these steps (alternative steps may exist):
- If you do not need plausible deniability:
- Encrypt the system partition/drive (for information on how to do so, see the chapter
System Encryption) and ensure that only encrypted or read-only filesystems are mounted during each session in which you work with sensitive data.
or, - If you cannot do the above, download or create a "live CD" version of your operating system (i.e. a "live" system entirely stored on and booted from a CD/DVD) that ensures that any data written to the system volume is written to a RAM disk. When you need to work with sensitive data, boot such a live CD/DVD and ensure that only encrypted and/or read-only filesystems are mounted during the session.
- Encrypt the system partition/drive (for information on how to do so, see the chapter
System Encryption) and ensure that only encrypted or read-only filesystems are mounted during each session in which you work with sensitive data.
- If you need plausible deniability:
- Create a hidden operating system. VeraCrypt will provide automatic data leak protection. For more information, see the section
Hidden Operating System.
or, - If you cannot do the above, download or create a "live CD" version of your operating system (i.e. a "live" system entirely stored on and booted from a CD/DVD) that ensures that any data written to the system volume is written to a RAM disk. When you need to work with sensitive data, boot such a live CD/DVD. If you use hidden volumes, follow the security requirements and precautions listed in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes. If you do not use hidden volumes, ensure that only non-system partition-hosted VeraCrypt volumes and/or read-only filesystems are mounted during the session.
- Create a hidden operating system. VeraCrypt will provide automatic data leak protection. For more information, see the section
Hidden Operating System.