I found some Truecrypt artefacts in hiberfil.sys and pagefile.sys, as shown in the following image.
Is it possible to say that a Truecrypt volume was mounted or Truecrypt was running from these?
Thanks
With that limited information I don't think you can conclude much.
The string "Device\Truecrypt" might have appeared on a web page or in the text of an email, and found its way into memory and then into the pagefile from there.
You should carry out further analysis of hiberfil.sys to conclude whether TrueCrypt was executed. The pslist and pstree commands in Volatility may help you further.
I found some Truecrypt artefacts
Sorry, these are not artefacts, only a text string that matches TrueCrypt. For sure this string is not there by accident; X-Ways could have found it in a text document, an antivirus database (most cases I know of) or any communication, as already mentioned.
You need a path from this memory dump to get a hint from which location it might have been started.
regards,
Robin
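The point made in the two replies above is that a string hit on its own says nothing about where the string came from; what matters is the bytes around it (HTML, an e-mail body, a signature database, or an executable path). The script below is an added example, not code from the thread or from any tool named in it. It carves a raw memory dump or pagefile for the device name the poster saw, in both ASCII and UTF-16LE (the encoding Windows uses for device and file names in memory), and prints a printable context window for each hit so the examiner can triage what surrounds it. The SAMPLE bytes are constructed for the example and are not real artefacts.

```python
import string

# Constructed sample standing in for a slice of a pagefile. It holds one ASCII
# hit inside HTML-like text and one UTF-16LE hit next to an executable path.
# Both are made up for this example.
SAMPLE = (
    b"\x00" * 16
    + b"<p>Read the forum thread about \\Device\\Truecrypt errors</p>"
    + b"\x00" * 40
    + "C:\\Program Files\\TrueCrypt\\TrueCrypt.exe\x00\\Device\\TrueCrypt\\E\x00".encode("utf-16-le")
    + b"\xff" * 16
)

# The device name from the post, matched case-insensitively so that both
# "Truecrypt" and "TrueCrypt" count.
NEEDLE = "device\\truecrypt"
ENCODINGS = {
    "ascii": NEEDLE.encode("ascii"),
    "utf-16-le": NEEDLE.encode("utf-16-le"),
}

# Characters we are willing to show verbatim in a context window.
KEEP = set(string.printable) - set("\t\n\r\x0b\x0c")


def printable_context(blob: bytes, encoding: str) -> str:
    """Render the bytes around a hit as text, replacing unprintables by '.'."""
    if encoding == "utf-16-le":
        text = blob.decode("utf-16-le", errors="replace")
    else:
        text = blob.decode("latin-1")
    return "".join(ch if ch in KEEP else "." for ch in text)


def find_truecrypt_hits(data: bytes, context: int = 48) -> list:
    """Return every ASCII and UTF-16LE occurrence of NEEDLE in `data`, each with
    its byte offset, encoding and a printable window of `context` bytes on
    either side."""
    # bytes.lower() only touches ASCII letters, so a UTF-16LE needle
    # (letter, 0x00, letter, 0x00, ...) still lines up after lowering.
    lowered = data.lower()
    hits = []
    for encoding, needle in ENCODINGS.items():
        start = 0
        while (off := lowered.find(needle, start)) != -1:
            lo = max(0, off - context)
            hi = min(len(data), off + len(needle) + context)
            if encoding == "utf-16-le":
                # keep the window aligned to the 2-byte code units of the hit
                lo += (off - lo) % 2
                hi -= (hi - lo) % 2
            hits.append({
                "offset": off,
                "encoding": encoding,
                "context": printable_context(data[lo:hi], encoding),
            })
            start = off + 1
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    # Usage: replace SAMPLE with open("pagefile.sys", "rb").read() (or an mmap
    # of it for large files) and review the context of each hit by hand.
    for hit in find_truecrypt_hits(SAMPLE):
        print(f"0x{hit['offset']:08x} {hit['encoding']:>9}  {hit['context']}")
```

Run against the sample, the first hit is surrounded by HTML and tells you nothing about execution, while the second sits next to a path ending in an executable name, which is the kind of lead the reply above asks for. Either way the hit is a starting point for process-list and registry analysis, not a conclusion in itself.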
I found some Truecrypt artefacts in hiberfil.sys and pagefile.sys, as shown in the following image.
Is it possible to say that a Truecrypt volume was mounted or Truecrypt was running from these?
Thanks
No, but you might consider looking here…
https://
In particular
"You can also determine if the system had been used to access TrueCrypt or PGP volumes by checking the MountedDevices key in the Registry (this is something that I've covered in my books). You can use the RegRipper mountdev.pl plugin to collect/display this information, either from a System hive extracted from a system…."
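To show what the MountedDevices check quoted above amounts to, here is an added example; it is not RegRipper's mountdev.pl nor any other code from the thread. Each value under HKLM\SYSTEM\MountedDevices is named after a mount point (a drive letter or a volume GUID) and holds a device identifier: twelve bytes (MBR disk signature plus partition byte offset) for an ordinary partition, or a UTF-16LE device path for other devices. The assumption made here is that a TrueCrypt volume shows up as a device path containing "TrueCryptVolume"; the sample values are constructed for the example and should be compared with a real hive before the rule is trusted.

```python
import struct

# Constructed MountedDevices values: name = mount point, data = device id.
# The TrueCrypt device-name format is an assumption for this example.
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
    "\\DosDevices\\E:": "\\Device\\TrueCryptVolumeE".encode("utf-16-le"),
    "\\DosDevices\\F:": "\\??\\USBSTOR#Disk&Ven_Example&Prod_Stick#1234567890&0"
                        "#{1a2b3c4d-0000-1111-2222-333344445555}".encode("utf-16-le"),
    "\\??\\Volume{0f4e1a2b-1111-2222-3333-444455556666}": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
}


def classify_mounted_device(name: str, data: bytes) -> dict:
    """Decode one MountedDevices value into a small record describing the device
    behind the mount point."""
    entry = {"mount_point": name}
    if len(data) == 12:
        # MBR-style partition: 4-byte disk signature, 8-byte partition offset
        signature, offset = struct.unpack("<IQ", data)
        entry.update(kind="mbr_partition",
                     disk_signature=f"0x{signature:08X}",
                     partition_offset=offset)
        return entry
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        # odd length or invalid surrogates: keep the raw bytes for the report
        entry.update(kind="unknown", raw=data.hex())
        return entry
    entry["device"] = text
    # Assumed marker for a TrueCrypt volume (see lead-in)
    entry["kind"] = "truecrypt_volume" if "truecryptvolume" in text.lower() else "other_device"
    return entry


def truecrypt_mount_points(values: dict) -> list:
    """Mount points whose MountedDevices data points at a TrueCrypt volume."""
    return [name for name, data in values.items()
            if classify_mounted_device(name, data)["kind"] == "truecrypt_volume"]


if __name__ == "__main__":
    # Usage: build the dict from a System hive (for instance with python-registry,
    # opening the "MountedDevices" key under the hive root) and pass it here.
    for name, data in SAMPLE_MOUNTED_DEVICES.items():
        print(classify_mounted_device(name, data))
    print("TrueCrypt mount points:", truecrypt_mount_points(SAMPLE_MOUNTED_DEVICES))
```

A matching entry shows that a TrueCrypt volume was assigned that drive letter on the system at some point; it does not by itself give the time of mounting or prove the volume was open at the moment the pagefile or hiberfil was written, so it should be read together with the process-list evidence the earlier replies suggest.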