Hello!
The thing is, I have a memory dump in which appears the process "Truecrypt.exe" and a mounted volume, and I want to find the key.
I issue
volatility truecryptmaster
volatility truecryptsummary
volatility truecryptpassphrase
The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.
¿How can I achieve that?
Thanks!
The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.
¿How can I achieve that?
Passphrase caching is, as far as I know, disabled by default. You have to enable it first.
The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.
¿How can I achieve that?
Passphrase caching is, as far as I know, disabled by default. You have to enable it first.
Ok. So there's nothing I can do now, then? Can I look for another cached files related with that crypted drive?
Thanks!