This project has moved and is read-only. For the latest updates, please go here.

Windows has a record of VeraCrypt usage

Topics: Technical Issues, Users Discussion
Jul 26, 2015 at 3:39 AM
Hi all,

This post is probably in the wrong area but it seemed to me to be the closest to my topic.

This issue is not strictly about a problem with VeraCrypt. It's about a security issue when Veracrypt/TrueCrypt is used with Windows 7 (and I believe Windows 8/8.1 also, though the affected files might not be in the exact same folder)

I believe it applies to containers only, perhaps not disk encryption although someone who uses disk encryption may be able to check this.

The issue is that when a VeraCrypt or TrueCrypt volume is used, Windows creates certain files that will reveal to an attacker that you have used VeraCrypt or TrueCrypt. This completely ruins the ability to use deniability, which is extremely important to some people.

Here are the two affected areas that I know of and I can tell you how to reproduce this on your own machine.

One is that the Windows event logs (seen with Event Viewer) will record an error which includes at least the drive letter (or perhaps even the folder) in plain text, where the so-called error occurred.

Here's how to reproduce this effect:

1) Decrypt (open) any container by selecting the file or folder you have encrypted and enter the proper password or passphrase (mount it, in other words).
2) Open a video file contained within that now decrypted file/folder, such as double-clicking a video file to view it in Windows Media Player, VLC, Daum PotPlayer, KMPlayer, or any other video player.
3) Leave that video open (whether playing or paused) in the video player.
4) Dismount the container. It will say that the volume has files or folders still in use and ask if you want to force the dismount. Select 'Yes'.
5) Close the video player.
6) Click the Start Orb and type 'event viewer' then click on the result named 'Event Viewer'.
7) Click on Administrative Events. At the very top, or at least very near the top, of the results will show an NTFS (Ntfs) Error.
8) Double-click to open it.
9) You will see that it has recorded the drive letter which you used to mount the volume. (Z:, in my case used here for an example but R:, S:, W:, etc. is just as bad). It also shows more technical information in code which may contain the actual folder or maybe even the filename. I am not sure about this part. The drive letter being displayed is bad enough.

The practical problem with this is that if your system is attacked by a person or persons with at least elementary knowledge of crypto, they will see that your actual drive letters, if your system contains fairly standard assigned letters, that you indeed have a system drive assigned C:, a DVD drive assigned D:, an internal storage drive asigned E:, and an external storage drive assigned F:, that nowhere in the system is a drive with Z: assigned.

The logical conclusion for someone to come to is that there used to be a drive with Z: assigned and now it's not. You could always say that you had inserted a flash drive, etc. but I, as an investigator who uses TrueCrypt or VeraCrypt, would immediately leap to the conclusion that someone had mounted an encrypted container.

Say for example that someone is insisting to law enforcement, or some other entity, that they know nothing of crypto and certainly not TrueCrypt or VeraCrypt, the informed investigator would have to say that he was almost certain that they did and had something encrypted that may or may not be of interest.

This issue pretty well destroys your ability to deny that you were not encrypting something. Like I said at the beginning this is not the fault of TrueCrypt or VeraCrypt, it's Windows, but it's a problem with your encryption practices nonetheless.

Now a second, worse, problem.

If you have certain photos of anything at all, and I won't even attempt to cover the huge spectrum of possibilities of types, that you don't want another person or persons to see, if you use TrueCrypt or VeraCrypt with Windows 7 (and probably 8/8.1), you are in serious trouble.

I scour the Internet periodically checking for news articles, forum posts, IRC channels, etc. for things that have been cracked and what has not.

I ran across an actual court case where a man was tried and convicted for possessing child pornography. It was all encrypted within a TrueCrypt container.

I'm sorry to have to use that as an example since there are already too many people who think that if you use encryption you must be hiding child pornography. I don't and I don't know anyone who does, it's just that these cases are the ones that make the news.

The investigators didn't crack the TrueCrypt container because they didn't have to.


Here's how to reproduce that problem (and this is how they successfully did it) and a way to avoid it:

1) Open (mount) your TrueCrypt or VeraCrypt container.
2) Double-click to open one or more photos in the now-decypted folder. (3 or 4 or more is good for this example)
3) Close the photo viewer that you used and dismount the container to close it.

By default, Windows will have made thumbnails of every single photo you viewed. Ostensibly this is a good thing so that if you re-open a folder later they will display very quickly because Windows will already have made all the thumbnails for that folder.

For encryption and privacy concerns this is a very bad thing.

The thumbnails are in hidden files in a hidden folder and you will have no notification whatsoever that thumbnails were being stored somewhere within the Windows folder hierarchy. These are also never cleared by default. The files can potentially grow to a huge size. You have to clear them manually but the uninformed user will not realize that there is even anything existing that needs to be cleared.

To continue:

4) Double-click the 'Computer' icon on the desktop and double-click on your system drive, normally C:.

5) If you have not already done so, you need to have the ability to see hidden files. This is easily accomplished by pressing the Alt key when the C: folder is open (or any folder, actually). This will show the Menu. Click on Tools then Folder Options. Click the View tab. Select 'Show hidden files, folders, and drives' and uncheck 'Hide protected operating system files' then uncheck 'Hide extensions for known file types' then click Yes on the Warning dialog box that opens then on Apply then Ok. That's it.

6) Now navigate to C:\Users[your username]\AppData\Local\Microsoft\Windows\Explorer.

7) Double-click to open the Explorer folder.
You will see that in this folder are several files that have the .db file extension. There is an important part of the filenames, namely 'thumbcache'. These differentiate between the normal thumbs.db thumbnail files that exist in mostly every folder that contains photos. These are easily seen and deleted.
The 'thumbcache' files cannot be deleted but their contents can be cleared. If an attempt is made to delete them, they will immediately reappear. Sometimes this will clear the files of their contents but not reliably so.
8) The important part. You (and thus a hostile entity) can view the thumbnails of the files you opened.
9) Download, unzip, then run Thumbcache Viewer, available on GitHub at

10) When the program is open, click on File, then Open, then navigate to one of the files contained in the Explorer folder whose location is explained above.

11) Try the different files, namely 'thumbcache_32.db', 'thumbcache_96.db', etc. A couple of the .db files there do not contain thumbnails and will not open with Thumbcache Viewer. That's ok.
Much of the thumbnails you will see are of no interest as they only contain small system icon thumbnails of folders, etc.
However, you will indeed run across (in one of the .db files or another) a thumbnail of every single photo you previously opened.

A couple of ways to try to clear these files of their contents:

1) CCleaner - CCleaner will indeed clean the files but not reliably so. Sometimes it does and sometimes it doesn't. Open CCleaner and make sure there is a checkmark beside 'Thumbnail cache' then click 'Analyze' then 'Run Cleaner'.

2) The most reliable way seems to be through Disk Cleanup, a utility contained in Windows.
To run it, first check the file sizes of the .db files in the Explorer folder. Jot these down or just keep them in mind for a moment.
Now double-click the Computer icon on the desktop. Right click on your system drive (normally C:) and select Properties.
Click on the Disk Cleanup button. If you have never run this before, it may take several minutes.
After you have clicked on Disk Cleanup, the results will be shown of files that can be safely deleted. Check or uncheck whatever you wish but be sure to place a checkmark beside 'Thumbnails' if one is not already there.

After the Disk Cleanup is finished, you must reboot your system.

After you have rebooted and returned to the desktop, navigate again to the Explorer folder (steps listed above) and check the sizes of the .db files that you checked before. The 32.db, 96.db, 256.db, and 1024.db files should all be the same size, normally 1KB.

There is a way to stop the creation of the thumbnail caches and it's a good idea, but it causes inconvenience to the user. It will not show image previews (thumbnails) when you open a folder containing image files, only the standard Windows image icon for an image file (blue water, a mountain and blue sky with clouds)

To stop the creation of these thumbnail caches, open any folder and click on Tools, Folder Options, then the View tab. Put a checkmark in 'Always show icons, never thumbnails'. Click Apply then Ok.

In summary, these are two issues arising from the use of Windows 7\8\8.1 and TrueCrypt or VeraCrypt as your encryption mechanism.

As stated at the beginning, these are not shortcomings of TrueCrypt or VeraCrypt, only potentially serious security issues when used with Windows.

Any additional information would be appreciated.

Jul 26, 2015 at 5:54 PM
The best way to avoid the unintended data leaks you describe is to encrypt the system drive.

Many applications remember the last files you accessed in the Windows registry or in their own proprietary database.
Marked as answer by Thinking_Monkey on 7/26/2015 at 1:00 PM
Jul 26, 2015 at 9:26 PM
Hi Enigma2Illusion,

Thank you for the information and especially the very interesting links. That's the type of thing I really love to read.

I re-read the manual (under 'Security Requirements and Precautions') again last night and I did in fact see that the answer to almost every single issue of data leakage (as defined by any data remaining in an unencrypted state even after your particular encryption program has been properly closed) was answered by the excellent advice to use either full disk encryption or to boot with a live CD/DVD. (With other advice to turn your computer completely off for at least several minutes then back on to allow the RAM contents to decay, turn off Hibernation temporarily, etc.)

Looking back over my original post I see now that it seems like the focus was on "Windows OS programming architecture will cause data leaks" but it was actually inspired by the actual case studies of exactly how that can happen.

I meant for the emphasis to be on how, step-by-step, you can see for yourself that data leakage not only CAN happen, it DOES happen.

I was reading a ton of articles that were using very ambiguous terms to describe what may potentially happen when using TrueCrypt/VeraCrypt type encryption programs such as " do so may cause unencrypted data to remain on the system." (Yes, but WHERE on the system?) and "Certain shortcomings in the software may cause data leakage." (WHAT certain shortcomings?).

I hope you see my point. Well, I'm sure you do. I just kind of wanted to point out a couple of very specific issues that could, and did, happen.

Thank you again for the quick reply and the additional information. Veracrypt, combined with these instructions on proper housekeeping/security measures outside the programs abilities, take us from "Pretty Darn Secure" to "Super Secure". :)