
Virtual encryption softwares

(@mrevoluter)
Posts: 14
Active Member
Topic starter
 


Hi friends,
I rolled through different web forums for the solution regarding how to find the date and time stamps of various encrypted volumes mounted in a Windows operating system.
Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.

 
Posted : 10/05/2019 10:08 am
Omnius
(@omnius)
Posts: 39
Eminent Member
 

I'd be looking for usage of TrueCrypt Format.exe as that can indicate that a volume was created.

I've found this article useful for VeraCrypt that may be of help https://sparky.tech/tracking-encryption-part-1-veracrypt-usage/

 
Posted : 10/05/2019 10:52 am
(@mrevoluter)
Posts: 14
Active Member
Topic starter
 

Thank you, Omnius, for the reply. However, I could get the type of drive the TrueCrypt volume is mounted on, but still could not correlate it with the time of usage, as time stamps are not mentioned anywhere in the corresponding registry.

 
Posted : 10/05/2019 11:34 am
Omnius
(@omnius)
Posts: 39
Eminent Member
 

Are you able to locate any records of TC being launched? Any .LNK / JumpList records of access to typical TC drive letters? You may be able to infer a connection there and use the timestamps they provide?

 
Posted : 10/05/2019 1:09 pm
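For the .LNK timestamps suggested above, an added example (not part of the original thread) that reads the three FILETIME fields and the LinkInfo volume details from a shell link, following the MS-SHLLINK layout. The header times describe the link target as the shell last recorded it, not the execution of TrueCrypt; the function names, the path `T:\report.docx`, the serial and the dates are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Return target timestamps and volume details from a .LNK byte string."""
    size, clsid, flags, _attrs, ctime, atime, wtime = struct.unpack_from("<I16sII3Q", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    out = {"target_created": filetime_to_utc(ctime),
           "target_accessed": filetime_to_utc(atime),
           "target_modified": filetime_to_utc(wtime),
           "local_path": None, "drive_type": None, "volume_serial": None}
    pos = 0x4C
    if flags & 0x1:                       # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                       # HasLinkInfo
        _sz, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                # VolumeIDAndLocalBasePath
            _vsz, dtype, serial = struct.unpack_from("<3I", data, pos + vol_off)
            end = data.index(b"\0", pos + path_off)
            out["local_path"] = data[pos + path_off:end].decode("cp1252", "replace")
            out["drive_type"] = dtype     # 2 = removable, 3 = fixed
            out["volume_serial"] = f"{serial:08X}"
    return out

def build_sample_lnk():
    """Constructed sample: header + LinkInfo for T:\\report.docx (no IDList)."""
    ticks = lambda dt: (dt - EPOCH_1601) // timedelta(microseconds=1) * 10
    t = [ticks(datetime(2019, 5, d, 9, 30, tzinfo=timezone.utc)) for d in (1, 8, 7)]
    header = struct.pack("<I16sII3QIIIH10x", 0x4C, LNK_CLSID, 0x2, 0x20, *t, 0, 0, 1, 0)
    volume_id = struct.pack("<4I", 17, 3, 0x1A2B3C4D, 16) + b"\0"  # empty volume label
    path = b"T:\\report.docx\0"
    info = struct.pack("<7I", 28 + len(volume_id) + len(path) + 1, 28, 0x1,
                       28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(path))
    return header + info + volume_id + path + b"\0"

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

Grouping links by `volume_serial` rather than by drive letter keeps files from the same volume together even when the letter assigned at mount time changes.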
(@mrevoluter)
Posts: 14
Active Member
Topic starter
 

Yes, I got a .tc file info in the Internet Explorer artifacts, which does not show the time stamp. I got info on various mounted drive letters using TrueCrypt, which does not have any time stamp. I got various .LNK files which show different timelines for each file, but the drive letters do not correlate to the TrueCrypt mounted volumes, and there are no BAM & DAM entries in the registry file, not even {userassist} files in the registry. Though I could relate that the .LNK files are accessed from a mounted TrueCrypt volume, I could not find its execution time stamp.
Q1. If TrueCrypt is executed in the system, where else will its execution time stamp be available?
Q2. Are there any event viewer logs to rule out the execution of TrueCrypt?
Q3. If a thumb drive is inserted in the system at the time of mounting the TrueCrypt volume, could any traces be found to rule out that data is pilfered out?

Kindly reply…..

 
Posted : 10/05/2019 1:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.

What about the GUIDs?

See here (and given links)
https://www.forensicfocus.com/Forums/viewtopic/t=15925/

jaclaz

 
Posted : 15/05/2019 5:36 pm