Not just detecting hidden volumes

First, all present hidden volumes can be detected if you have access to a previous snapshot of the visible volume (assuming the contents of the hidden volume have changed) - put simply, something will have changed in a place where it shouldn't have changed.

This can be overcome, but no-one does it - it's difficult and expensive. Note that if volumes are backed up it is quite easy to get a previous snapshot of a filing system.

[Markus Kuhn suggested that the original StegFS could withstand a two-snapshot attack - but it doesn't pass my "will it convince a Jury?" test., and the code of the original version is moribund anyway.]

However this attack is not just about detecting hidden volumes, it's about getting some of the plaintext content too - which is far more important, as people frequently don't need or use hidden volumes.

This type of attack is nothing new. I won't go into OTFE modes as it's verra complicated Captain, and none of the usual modes are completely secure anyway. Rekeying solves some of the problems, but introduces others.

Does TurboCrypt do any better? I don't know - they have probably plugged a small known hole, but there's more to an OTFE solution.