> If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption.

Don't they also need to know what files are changed by a normal login, so that they can see that the changed set in this login was different from that set?

Comparing an image after a login to an image from before the login gives you a set of changed files, but it doesn't tell you if that is the normal login change set or the duress login change set.

Anyway, if I were setting up a duress login I'd make it so normal and duress login change the same set of files.