This project has moved. For the latest updates, please go here.

How to trustworthy deny knowledge about Veracrypt volumes

Topics: Technical Issues, Users Discussion
Feb 29, 2016 at 5:13 PM
Edited Feb 29, 2016 at 5:13 PM

I have a question about normal and hidden Veracrypt volumes. If I create any type of volume and mount it, I find the following event logged in the Windows 10 event logging system:

How could I trustworthy deny any knowledge about a volume or hidden volume, if every time I mount a volume/container/hidden container is logged in the Windows event log :/
Feb 29, 2016 at 6:05 PM
Mar 1, 2016 at 3:05 PM
I believe drmorti had something else in mind/.... probably whether it would be possible to somehow disable these event logs for the VC operations....
Mar 1, 2016 at 4:40 PM
Hello Alex,

This may be a "feature" of Windows 10. However, Windows and applications often leak the path to files accessed and/or temporary files onto the C drive. Hence, system encryption is the only solution.

Kind Regards.
Mar 2, 2016 at 6:50 AM
Couldn't you just disable windows event logging in Win10? Type services.msc in run,and then disable it/
Mar 2, 2016 at 2:27 PM
Edited Mar 2, 2016 at 3:30 PM
Even if you are successful in disabling the logging event of mounting a VeraCrypt volume, per the documentation links I provided in my post above, there are many ways that data is leaked by both Windows and applications.

Also, beware that without the OS or the C drive being encrypted, there are third party tools that can be run to determine the time the volume was mounted/dismounted and which Windows account performed the action. You can Google search for Windows Forensic Tools.