±Your Account
Membership:
New Today: 0
New Yesterday: 4
Overall: 24209
Visitors: 33±Latest Webinar
±Latest Articles
· Android Forensics
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Go to page 1, 2 Next
I can help you quite easily, but the instructions won't have anything to do with EnCase...so it might not be that easy for you.
What OS is the image file? Knowing this will help in looking for information about Truecrypt.
Detecting Truecrypt Volume in EnCase
Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 11:46 am
I've been given a university assingment to extract a series of .jpg files from an image. We have been told there is a Truecrypt hidden somewhere on the image.
I'm fairly new to EnCase 6 and I was wondering if somebody could point in the right direction.
Thanks thanks,
iDan
I'm fairly new to EnCase 6 and I was wondering if somebody could point in the right direction.
Thanks thanks,
iDan
-
iDan - Newbie
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 12:19 pm
What have you tried?
The forums aren't really here to do your homework for you, so if you want help you are going to have to give us more info than that.
The forums aren't really here to do your homework for you, so if you want help you are going to have to give us more info than that.
-
twjolson - Senior Member
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 12:47 pm
- iDan
I'm fairly new to EnCase 6...
I can help you quite easily, but the instructions won't have anything to do with EnCase...so it might not be that easy for you.
-
keydet89 - Senior Member
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 5:02 pm
Entropy, file length, sector boundary
-
jhup - Senior Member
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 5:04 pm
...or check the Registry for access to an encrypted volume, map that to the user and date/time, and then compare that to documents/files opened...
-
keydet89 - Senior Member
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 5:22 pm
You also need to consider if it is a Truecrypt file within the file system, or a volume outside of visible file systems.
For example do the visible partitions on the disk actually fill up the disk?
Another technique is to check file signatures for all the files on the disk. For example you might find a file with the file name xxxxx.jpg, but the internals of the file aren't a JPG at all.
As per keydet89's comment, I don't know how to do this in EnCase as I don't use EnCase.
For example do the visible partitions on the disk actually fill up the disk?
Another technique is to check file signatures for all the files on the disk. For example you might find a file with the file name xxxxx.jpg, but the internals of the file aren't a JPG at all.
As per keydet89's comment, I don't know how to do this in EnCase as I don't use EnCase.
-
Passmark - Senior Member
Re: Detecting Truecrypt Volume in EnCase
Posted: Thu Jan 24, 2013 5:59 pm
- iDanI've been given a university assingment to extract a series of .jpg files from an image. We have been told there is a Truecrypt hidden somewhere on the image.
What OS is the image file? Knowing this will help in looking for information about Truecrypt.
-
section2600 - Newbie