Plausible Deniability

In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:

1. Hidden volumes   (for more information, see the section Hidden Volume).
   
   
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. However, note that for system encryption, the first drive cylinder contains the (unencrypted) TrueCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption).
   

TrueCrypt containers (file-hosted volumes) can have any file extension you like (for example, .raw, .iso, .img, .dat, .rnd, .tc) or they can have no file extension at all. TrueCrypt ignores file extensions. If you need plausible deniability, make sure your TrueCrypt volumes do not have the .tc file extension (this file extension is officially associated with TrueCrypt).

When formatting a hard disk partition as a TrueCrypt volume, the partition table (including the partition type) is never modified (no TrueCrypt “signature” or “ID” is written to the partition table).

Whenever TrueCrypt accesses a file-hosted volume (e.g., when dismounting, attempting to mount, changing or attempting to change the password, creating a hidden volume within it, etc.) or a keyfile, it preserves the timestamp of the container/keyfile (i.e., date and time that the container/keyfile was last accessed* or last modified), unless this behavior is disabled in the preferences.