The hidden volume set up by TrueCrypt has different offsets between the headers and the actual encrypted data. It's possible to move the encrypted volume 50GB from the header and fill the disk with random bytes, but it's not doable through the standard GUI. In an encrypted state, it's impossible to tell the difference between the hidden volume and random data. When you use your real passphrase, the primary header is decrypted and the hidden volume may just be random-data empty space. If the key you entered decrypts the random bytes between the first TrueCrypt header and the first partition, it's clear that the key belongs to the secret header and not the normal partition.

You can try to cover your tracks; you can use your hidden volume as the main volume and enter the main volume key when forced to come up with a password. However, you'll have to make sure the activity logs on the PC line up with the other logs available (i.e. increments in power on hours, external drive logs and timestamps, external access logs, etc.) that can prove that the partition you've unlocked doesn't contain the OS that caused all kinds of side effects. Hell, you can probably find something related to relocated sectors/wear levelling statistics to find the clusters that are in use. When the passphrase for the hidden volume has been entered, you can find the physical offsets of the encrypted data and find out that the first half of the drive (or less, or more, depending on your setup) isn't mapped to your booted partition.

A completely read-only OS with no logging outside RAM or connections to the outside might be used securely if you use the hidden volume as your main OS, but such a system would be too difficult to use properly. As always, opsec is crucial for security even if your software algorithms are absolutely perfect.

If you follow the guidelines set forth by VeraCrypt, it should be very difficult to prove the presence of a hidden partition. That does mean you should be using your secondary OS as often as your hidden OS and analysis from external devices (such as network traffic) should not be able to tell the difference between the two.