
Modify TrueCrypt Encryption Bootloader Strings

In a previous post I mentioned that TrueCrypt leaves behind a string in its boot loader (one that identifies it as a TrueCrypt boot loader) when using the full disk encryption feature. As you can see in the screenshot below, I have modified the original “TrueCrypt Boot Loader” string to read “Windows Boot Loader.”

Modify NTFS Timestamps and Cover Your Tracks With Timestomp

Timestomp can modify or delete the accessed, created, modified and entry modified timestamp values on an NTFS file system. These are also known as the MACE attributes or timestamp values.

Windows Hibernation and hiberfil.sys

If you use hibernation mode, you are vulnerable to this sort of attack. You may inadvertently divulge trade secrets to a malicious hacker who copies your hiberfil.sys, or just as easily incriminate yourself if your computer is seized and forensically examined.
