by oniTony 5567 days ago
This is where TrueCrypt comes in. If you are being extorted to reveal a password, you supply one that loads a "clean" OS/filesystem.

I've never understood this. Wouldn't a competent security professional know of the existence of TrueCrypt, who would then ask a competent psychologist to determine if you were withholding information (I sure as hell wouldn't be able to keep a straight face), who would then ask a competent interrogator to get the real password from you?

I don't even think plausible deniability would hold in court -- claiming that a large blob of random data on your hard drive is just there for no reason at all is not plausible.

Sure it's plausible. The suggested _secure_ way of wiping a hard drive is to overwrite it with random data (since a typical delete simply drops an entry from a table, making data retrieval trivial (in the current context)).

What I don't understand is that in the context of a court (and this group of competent professionals), password disclosure _should_ be considered self-incrimination (although there was at least one case in the UK where a judge came up with some loophole reasoning around that). Disclosure of multiple passwords ("we didn't like what we found, do you have any other passwords?") would certainly be obtained under great duress.

A large part of the design of TrueCrypt is that nobody CAN prove there's an alternate partition. Or, you can decrypt your secondary alternate partition under duress to reveal your real hidden one. Maybe put some token warez on it or something.

To make sure that you can't distinguish free space from encrypted noise, you have to write random noise everywhere as part of the filesystem creation process.

The one thing TrueCrypt is vulnerable to is that you can note what parts changed -- say they raid your house twice and image it between when you used it. Then they'll know that free space isn't really free.

Couldn't they just attempt to fill the "outside" partition up? I mean, let's say you have a 1TB partition with a 100GB hidden volume inside. What happens if somebody tries to write more than 900GB into the outside partition?

It will overwrite the hidden partition. The 'outside' partition doesn't know about the hidden one. When you are mounting the outside partition you do have an option to protect the hidden one by providing the password for the hidden one, but if you don't, you can end up overwriting it by filling up the outer partition.

A-ha, I think this is what I was missing. Thank you.

That said -- I would think that a random blob of data sitting around on the hard drive is still highly suspect. Aren't hard drives zeroed from the factory? And wouldn't any true "garbage" data be decidedly not random? (Even if it's compressed... you would still expect to find headers etc. somewhere.)

The OS has absolutely no knowledge of the hidden partition - as far as it knows, that area is just empty space on the disk. TrueCrypt runs from a bootloader (which you can have on a separate CD!), prompting you for a password. It uses that password to attempt to decrypt the (encrypted) volume headers - note the rest of the disk is encrypted too. Unless you install TrueCrypt the software application, there is no indication that was the tool you used.

Take a look at http://www.truecrypt.org/docs/ - it is an interesting read.

The point is that the hidden partition is marked as free space on the disk, and the free space is filled with statistically random noise. Some portion of it will be the encrypted hidden partition, which is also statistically random. It is mathematically impossible to prove that any of that random data is actually an encrypted hidden disk. The only way to open it is to use the correct key, which is indistinguishable from the other key which simply unlocks the normal, clean partition, which is also encrypted.

When the police demand the key from you, you give them the one that unlocks the clean partition. Now, at this point it doesn't matter if they don't believe you, it doesn't matter if they know all about truecrypt and hidden partitions, there is no way for them to prove in a court of law or otherwise that there is a hidden partition there. You can just keep telling them "I gave you the password! I just wipe my free space with noise every night! It's just noise!" and you have plausible deniability.

As far as I'm aware this is only in theory. I'm not aware of any case of this actually being tested in court. But mathematically, it is apparently sound.
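The statistical point argued above (a noise-wiped region and an encrypted region look the same, while zeroed or ordinary file data does not), as an added example that is not part of the original thread: it measures per-block Shannon entropy and a chi-square byte-frequency statistic over four constructed regions. The SHA-256 counter-mode keystream is a stand-in for a real disk cipher, not TrueCrypt's own, and all names and sample data are hypothetical.

```python
import hashlib
import math
import os
from collections import Counter

BLOCK = 65536  # bytes per sampled region (constructed size)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chi_square(block: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 dof)."""
    expected = len(block) / 256
    counts = Counter(block)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], pad))
    return bytes(out)

def looks_random(block: bytes) -> bool:
    # Uniform data: entropy just under 8, chi-square near 255 (std dev ~22.6).
    return entropy(block) > 7.99 and chi_square(block) < 400

def build_regions() -> dict:
    """Four constructed disk regions; none come from a real drive."""
    text = (b"quarterly report draft, nothing to see here\n" * 2000)[:BLOCK]
    return {
        "factory_zeroed": bytes(BLOCK),
        "plain_files": text,
        "random_wipe": os.urandom(BLOCK),
        "hidden_volume": keystream_encrypt(b"constructed-key", text),
    }

def classify() -> dict:
    return {name: looks_random(data) for name, data in build_regions().items()}

if __name__ == "__main__":
    for name, data in build_regions().items():
        print(f"{name:15s} entropy={entropy(data):.4f} "
              f"chi2={chi_square(data):12.1f} random-looking={looks_random(data)}")
```

Both the wiped region and the encrypted region pass the same tests, so these statistics alone cannot tell them apart; they only separate both from zeroed or structured data.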

If they have access to your computer at any time they might as well install an evil maid.

http://www.schneier.com/blog/archives/2009/10/evil_maid_atta...