
Truecrypt artefacts in hiberfil.sys and pagefile.sys

(@nsumer)
Posts: 20
Eminent Member
Topic starter
 

I found some Truecrypt artefacts in hiberfil.sys and pagefile.sys as following image.
Is it possible to say that a Truecrypt volume was mounted or Truecrypt was running from these?
Thanks

 
Posted : 12/05/2019 9:25 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

With that limited information I don't think you can conclude much.

The string "Device\Truecrypt" might have appeared on a web page or in the text of an email, and found its way into memory and then into the pagefile from there.

 
Posted : 13/05/2019 5:06 am
(@mrevoluter)
Posts: 14
Active Member
 

You should carry out further analysis of the hiberfile to conclude the execution of Truecrypt. The pslist and pstree commands in Volatility may help you further.

 
Posted : 13/05/2019 12:31 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I found some Truecrypt artefacts

Sorry, these are not artefacts, only a text string that matches Truecrypt. For sure this string is not there by accident; X-Ways could have found it in a text document, an antivirus database (in most cases I know) or any communication, as already mentioned.

You need a path from this memory dump to get a hint from which location it might have been started.

regards,
Robin

 
Posted : 13/05/2019 1:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I found some Truecrypt artefacts in hiberfil.sys and pagefile.sys as following image.
Is it possible to say that a Truecrypt volume was mounted or Truecrypt was running from these?
Thanks

No, but you might consider looking here…

https://windowsir.blogspot.com/2011/10/tools-and-links.html

In particular

"You can also determine if the system had been used to access TrueCrypt or PGP volumes by checking the MountedDevices key in the Registry (this is something that I've covered in my books). You can use the RegRipper mountdev.pl plugin to collect/display this information, either from a System hive extracted from a system…."

 
Posted : 14/05/2019 12:14 pm
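An added example of the MountedDevices check keydet89 points to (this is not code from the thread, from RegRipper or from the linked post): it decodes the value types found under the key and flags entries carrying the TrueCrypt volume marker. The hive values are constructed, and the "TrueCryptVolume" marker string is an assumption about what a TrueCrypt mount leaves in the key.

```python
# Added example (not from the thread): classify MountedDevices values exported from a
# SYSTEM hive and flag those carrying the (assumed) TrueCrypt volume marker string.
# Input is a dict {value_name: raw_bytes}; every sample value below is constructed.
import struct

TRUECRYPT_MARKER = "TrueCryptVolume"  # assumed marker; verify against your own hives

def decode_mounted_device(raw: bytes) -> str:
    """Return a human-readable description of one MountedDevices value's data."""
    # 12-byte values: MBR disk signature (4 bytes LE) + partition offset (8 bytes LE)
    if len(raw) == 12:
        sig, offset = struct.unpack("<IQ", raw)
        return f"MBR disk sig=0x{sig:08x} offset=0x{offset:x}"
    # GPT-partitioned volumes: 'DMIO:ID:' followed by a 16-byte partition GUID
    if raw.startswith(b"DMIO:ID:") and len(raw) == 24:
        return f"GPT partition GUID={raw[8:].hex()}"
    # Everything else is treated as a UTF-16LE device path (USB devices, TrueCrypt, ...)
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return f"<undecodable {len(raw)} bytes>"

def find_truecrypt_mounts(values: dict) -> list:
    """Return (value_name, decoded_data) pairs whose data contains the marker."""
    hits = []
    for name, raw in values.items():
        decoded = decode_mounted_device(raw)
        if TRUECRYPT_MARKER in decoded:
            hits.append((name, decoded))
    return hits

# Constructed sample resembling a SYSTEM\MountedDevices export (not real evidence).
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x100000),
    r"\DosDevices\E:": "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash#0123456789&0".encode("utf-16-le"),
    r"\DosDevices\T:": "TrueCryptVolumeT".encode("utf-16-le"),
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": "TrueCryptVolumeT".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, decoded in find_truecrypt_mounts(SAMPLE_MOUNTED_DEVICES):
        print(f"{name}: {decoded}")
```

A hit only shows that a TrueCrypt volume was assigned a drive letter at some point; pair it with the hive's last-write time and the Volatility process listing mentioned above before drawing conclusions.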