Find data from True...
 
Notifications
Clear all

Find data from Truecrypt with Volatility

3 Posts
2 Users
0 Likes
2,596 Views
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello!

The thing is, I have a memory dump in which appears the process "Truecrypt.exe" and a mounted volume, and I want to find the key.

I issue

volatility truecryptmaster
volatility truecryptsummary
volatility truecryptpassphrase

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Thanks!

 
Posted : 04/07/2019 6:15 pm
(@athulin)
Posts: 1156
Noble Member
 

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Passphrase caching is, as far as I know, disabled by default. You have to enable it first.

 
Posted : 05/07/2019 5:05 am
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Passphrase caching is, as far as I know, disabled by default. You have to enable it first.

Ok. So there's nothing I can do now, then? Can I look for another cached files related with that crypted drive?

Thanks!

 
Posted : 05/07/2019 1:30 pm
Share: