FreeOTFE
In addition to this, MS Windows does create a registry entry for each FreeOTFE driver used. This is inevitable; all OTFE systems running under MS Windows are required to do this in order to function correctly.
The following details the registry entries typically created by MS Windows:
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<driver name>
These keys may have the following values under them:
Value | Type | Meaning |
---|---|---|
ErrorControl | DWORD | 0x00000001 - Normal error handling |
Start | DWORD | 0x00000001 - Driver started at system; 0x00000003 - Driver started manually |
Type | DWORD | 0x00000001 |
Portable | DWORD | This value is optional, but set to 0x00000001 if present. This value flags that the relevant driver was installed in "portable mode", and should be removed |
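
An added example, not part of the FreeOTFE documentation: a Python script that reads the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and lists the driver entries carrying the Portable flag from the table above, with their start type and recorded path. The driver names and path in the sample are constructed placeholders, and `ImagePath` is the standard Windows value name for a driver's path, which this page does not name.

```python
import re

# Start meanings follow the table above; other values are shown as raw hex.
START = {1: "started at system start", 3: "started manually"}
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample in the layout printed by `reg query <key> /s`.
# "ExampleDrv", "OtherDrv" and the E:\ path are placeholders, not real driver names.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x3
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\E:\tools\ExampleDrv.sys
    Portable    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OtherDrv
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\drivers\OtherDrv.sys
"""

def parse_services(text):
    """Return {driver name: {value name: int or str}} for direct Services subkeys."""
    services, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            name = line.strip()[len(SERVICES):]
            direct = line.upper().startswith(SERVICES.upper()) and name and "\\" not in name
            # Values of deeper subkeys (e.g. ...\<driver>\Enum) are not the driver's own.
            current = services.setdefault(name, {}) if direct else None
        elif current is not None and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                vname, kind, data = parts
                current[vname] = int(data, 16) if kind == "REG_DWORD" else data
    return services

def portable_traces(services):
    """List (driver, start meaning, recorded path) for entries with Portable = 1."""
    return [(name, START.get(v.get("Start"), hex(v.get("Start", 0))), v.get("ImagePath"))
            for name, v in sorted(services.items()) if v.get("Portable") == 1]

if __name__ == "__main__":
    for name, start, path in portable_traces(parse_services(SAMPLE)):
        print(f"{name}: {start}, recorded path {path}")
```
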
The PDA version operates in a similar manner, though no registry entries are created automatically by the OS for the drivers used. Instead, FreeOTFE4PDA is required to create a sequence of registry entries when a volume is mounted. These registry entries are deleted once the volume is dismounted.
This section applies to the PC version of FreeOTFE only
Although no files are copied to your computer's hard drive when using portable mode, because of the manner in which MS Windows manages device drivers, Windows still writes certain details about the portable mode drivers to the registry. Specifically, it writes the full path and filename of the drivers used, together with other basic information on the drivers as detailed above.
When portable mode is stopped, most of this information is deleted by Windows automatically. However:
It is not possible to securely delete the relevant registry entries without "going behind Windows' back" - not exactly recommended when working with kernel mode device drivers!
It should be noted that this applies equally to all disk encryption systems that support any kind of "portable mode".
Should it be a concern that an attacker may discover which FreeOTFE drivers were being used, it is suggested that you either: