
Detecting Truecrypt Volume in EnCase

14 Posts
10 Users
0 Reactions
4,018 Views
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Here is the easy way: recursive file listing, look for the biggest files. Those are most likely encrypted containers! =) I find it to really be that easy in most cases. When you think about it, it's not very practical to have a 5MB container, so containers tend to have large file sizes.

Also, look for files where the created and modified dates are the same that fit into the above pattern. In my testing, the last modified date/time will NOT be modified as a TC container is used. Your mileage may vary.

There's no way to definitively KNOW it's a TC container, or if they are using a hidden container inside, without the keys.

From there you have to look at things like the registry, TC config file, lnk files, etc. to show what is going in and out of a TC.

As others have mentioned, if the TC container is on an external drive, things like the registry, lnk files etc. become even more important.

I just did a big case where it was all TC related.

You may also want to look at 3rd party $LogFile parsers (assuming you are seeing NTFS) as it can show a TON of info related to files being moved, renamed, etc. which may point to things going into a TC volume. I've had great luck with ANJP by David Cohen and crew.

Look for a file called configuration.xml as that's what TC uses to remember settings. It looks like this:

<?xml version="1.0" encoding="utf-8"?>
<TrueCrypt>
<configuration>
<config key="OpenExplorerWindowAfterMount">0</config>
<config key="UseDifferentTrayIconIfVolumesMounted">1</config>
<config key="SaveVolumeHistory">0</config>

and so on.

The most useful entry (IMO) is

<config key="LastSelectedDrive">R</config>

and the meaning should be obvious. With that info, the lnk file and registry stuff becomes a lot more clear.

Since it's XP, did you check restore points for more data that can point to TC?


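As an added example (not code from the thread or from Eric), here is a small Python triage script built from the heuristics above: it walks a mounted image or export directory, flags large 512-byte-aligned files whose creation and modification times match and whose first 64 KB look like ciphertext, sorts them biggest first, and pulls LastSelectedDrive out of a configuration.xml. The size threshold, the entropy cut-off and the "two of three heuristics" rule are assumptions, and the output is a list of candidates to examine, not proof that a file is a TC container.

```python
import math
import os
import xml.etree.ElementTree as ET
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, a genuine MP3 noticeably lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_file(size, created, modified, entropy, min_size=50 * 2**20):
    """Return the thread's heuristics that a file satisfies (thresholds are assumptions)."""
    reasons = []
    if size >= min_size and size % 512 == 0:  # TrueCrypt volumes are 512-byte multiples
        reasons.append("large, sector-aligned size")
    if int(created) == int(modified):
        reasons.append("created == modified")
    if entropy > 7.9:
        reasons.append("high-entropy header, no file magic")
    return reasons

def find_candidates(root, sample=1 << 16):
    """Recursive listing, biggest files first, keeping files that hit 2+ heuristics."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as f:
                    head = f.read(sample)
            except OSError:
                continue
            # st_birthtime is creation time on Windows/macOS; Linux only has inode ctime
            created = getattr(st, "st_birthtime", st.st_ctime)
            reasons = score_file(st.st_size, created, st.st_mtime, shannon_entropy(head))
            if len(reasons) >= 2:
                hits.append((path, st.st_size, reasons))
    return sorted(hits, key=lambda h: -h[1])

def last_selected_drive(xml_bytes: bytes):
    """Return (LastSelectedDrive, every config key) from a TrueCrypt configuration.xml."""
    cfg = {c.get("key"): c.text for c in ET.fromstring(xml_bytes).iter("config")}
    return cfg.get("LastSelectedDrive"), cfg

# Constructed sample mirroring the snippet in the thread, not a real case file
SAMPLE_CONFIG = (b'<?xml version="1.0" encoding="utf-8"?><TrueCrypt><configuration>'
                 b'<config key="SaveVolumeHistory">0</config>'
                 b'<config key="LastSelectedDrive">R</config></configuration></TrueCrypt>')
```

Run `find_candidates("/mnt/image")` against a read-only mount and feed the real configuration.xml bytes to `last_selected_drive` to tie the drive letter back to the lnk and registry artefacts.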
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Just for reference purposes concerning Truecrypt, I have referred to TCHunt in the Directory of data recovery tools being compiled at my blog http://www.trewmte.blogspot.co.uk/2013/01/directory-of-data-recovery-soft-tools.html. The entries are NOT for advertising purposes, as I do not accept paid advertising on my blog or click advertising, but to generate information for practitioners. I have nearly completed all weblinks, which should be finalised fairly soon.

If anyone thinks there is a tool missing from the list then please let me know. Thanks.


 iDan
(@idan)
Active Member
Joined: 14 years ago
Posts: 8
Topic starter  

Thank you for all your replies.

I was able to find an abnormally large .mp3 file which turned out to be a TrueCrypt container. I used the same password used for the system password to decrypt the volume.


EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

BOOM! works every time! =)


Page 2 / 2