Notifications

Clear all

Find data from Truecrypt with Volatility

General (Technical, Procedural, Software, Hardware etc.)

Last Post by banderas20 6 years ago

3 Posts

2 Users

0 Reactions

3,519 Views

RSS

banderas20

(@banderas20)

Eminent Member

Joined: 6 years ago

Posts: 29

Topic starter 04/07/2019 7:15 pm

Hello!

The thing is, I have a memory dump in which appears the process "Truecrypt.exe" and a mounted volume, and I want to find the key.

I issue

volatility truecryptmaster
volatility truecryptsummary
volatility truecryptpassphrase

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Thanks!

Quote

Anonymous 6593

(@Anonymous 6593)

Guest

Joined: 17 years ago

Posts: 1158

05/07/2019 6:05 am

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Passphrase caching is, as far as I know, disabled by default. You have to enable it first.

ReplyQuote

banderas20

(@banderas20)

Eminent Member

Joined: 6 years ago

Posts: 29

Topic starter 05/07/2019 2:30 pm

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?

Passphrase caching is, as far as I know, disabled by default. You have to enable it first.

Ok. So there's nothing I can do now, then? Can I look for another cached files related with that crypted drive?

Thanks!

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
285 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed