Mission Implausible: Defeating Plausible Deniability with Digital Forensics

Published: 02 Apr, 2020
Created by Michael Smith

The goal of plausible deniability is to hide potentially sensitive information while maintaining the appearance of compliance. In simple terms, it is granting someone access to a safe while keeping the items of real value hidden in a false bottom. Encryption platforms such as VeraCrypt and TrueCrypt achieve this goal in the digital realm using nested encryption. This nesting typically takes one of two forms: a deniable file system or a deniable operating system (OS). The deniable file system uses the interior of an encrypted container to mask its presence, akin to the false bottom in the safe analogy. The deniable operating system uses an encrypted bootable partition to mask the presence of a second OS, much like a safe that reveals a different compartment depending on how the key turns in the lock. The use of encryption to create a scenario for plausible deniability presents a significant threat to the success of law enforcement and digital forensic professionals. Performing registry analysis and digital forensics is the metaphorical equivalent of using a magnifying glass to look for clues inside the safe with a false bottom or a key-based compartment. When forensics succeeds in revealing clues of a deniable file system, it effectively defeats the case for plausible deniability. The goal of this research is to explore the digital forensic equivalent of such clues.