I have found some TrueCrypt records in the Mounted Devices registry hive (Windows > system32 > config > system). These TrueCrypt records look like this:
#{2689etc.} TrueCryptT
#{3489etc.} TrueCryptU
#{3564etc.} TrueCryptV
#{2235etc.} TrueCryptW
etc.
Does this mean the TrueCrypt container has been mounted in the past as drive letter T, U, V and W?
I ask this question because I have found an old link file which points to a file on W.
Stamitz
Not an expert on this by any means, in fact by no means at all. But a Google of TrueCrypt comes up with this:
Creates a virtual encrypted disk within a file and mounts it as a real disk.
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Encrypts a partition or drive where Windows is installed (pre-boot authentication).
Encryption is automatic, real-time (on-the-fly) and transparent.
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography – more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.
Further information regarding features of the software may be found in the documentation.
Thanks for your reply, but it doesn't answer my question. I HAVE found TrueCrypt records in the registry:
#{2689etc.} TrueCryptT
#{3489etc.} TrueCryptU
#{3564etc.} TrueCryptV
#{2235etc.} TrueCryptW
etc.
I just want to know if this means that the TrueCrypt container that IS on the hard disk has been mounted in the past as drive letter T, U, V and W?
Anybody?
Stamitz
Greetings,
I do not know the answer offhand, but to find it, I'd install TrueCrypt on a USB thumb drive, insert it into my system, see where it gets mounted, and then check the registry for anything that looked like what you're seeing.
-David
.. if this means that the TrueCrypt container that IS on the hard disk has been mounted in the past as drive letter T, U, V and W?
Just made some experiments and found the same keys after using TrueCrypt containers.
I don't see how you can come to the conclusion that the existing tc-file was mounted to these letters - it also could point to a TrueCrypt container that was temporarily used from a portable USB disk.
Ulli
Just made some experiments and found the same keys after using TrueCrypt containers.
Which drive(s) did you mount the container as? Was the container on a thumb drive or local HD?
I don't see how you can come to the conclusion that the existing tc-file was mounted to these letters - it also could point to a TrueCrypt container that was temporarily used from a portable USB disk.
Well, that's true! I have noticed a kind of MAC address in the registry key of the TrueCrypt container. This MAC address corresponds with the MAC address in the link file (found it thanks to WFA from MiTec.cz). I'll have to investigate more on this topic, it seems to me it's rather interesting…
Stamitz - do you know if the volume IDs like
\??\Volume{7fa292a1-6eb2-11d8-879d-806e6f6e6963}
use true random numbers?
If not - it would be interesting to find a relation here. Maybe this would give a hint for the question where the TrueCrypt container was located…
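
The GUID quoted above has a 1 in its version field, which marks it as a time-based (version 1) UUID made of a timestamp and a node field rather than random numbers. The following Python is an added example, not part of the original thread: it decodes those fields so the node value from a MountedDevices entry can be compared with the one found in a link file. The second and third GUIDs in it are constructed sample values, and the function names are this example's own.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps count 100 ns ticks from 1582-10-15 (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def extract_guid(name):
    """Pull the {GUID} out of a registry value name or link-file volume string."""
    start, end = name.find("{"), name.find("}")
    if start < 0 or end < start:
        raise ValueError("no {GUID} in %r" % name)
    return uuid.UUID(name[start + 1:end])

def describe_volume_guid(name):
    """Decode GUID fields; timestamp and node only carry meaning for version 1."""
    g = extract_guid(name)
    info = {"guid": str(g), "version": g.version, "created_utc": None,
            "node": None, "node_multicast_bit": None}
    if g.version != 1:
        return info  # e.g. version 4 is random: nothing to decode
    info["created_utc"] = GREGORIAN_EPOCH + timedelta(microseconds=g.time // 10)
    node = g.node.to_bytes(6, "big")
    info["node"] = ":".join("%02x" % b for b in node)
    # RFC 4122: a node that is not a real IEEE 802 address should set this bit.
    info["node_multicast_bit"] = bool(node[0] & 0x01)
    return info

def same_node(name_a, name_b):
    """True when both GUIDs are version 1 and share the same node field."""
    a, b = describe_volume_guid(name_a), describe_volume_guid(name_b)
    return a["node"] is not None and a["node"] == b["node"]

# GUID quoted in the thread.
THREAD_GUID = r"\??\Volume{7fa292a1-6eb2-11d8-879d-806e6f6e6963}"
# Constructed samples: a version 1 GUID with the same node, and a version 4 GUID.
SAMPLE_LNK_GUID = "{1c9e4b30-7f21-11d9-a3c5-806e6f6e6963}"
SAMPLE_RANDOM_GUID = "{3f2b8c1e-9a4d-4e7b-a1c2-5d6e7f809112}"

if __name__ == "__main__":
    for name in (THREAD_GUID, SAMPLE_LNK_GUID, SAMPLE_RANDOM_GUID):
        print(describe_volume_guid(name))
    print("same node:", same_node(THREAD_GUID, SAMPLE_LNK_GUID))
```

A matching node field shows that two GUIDs were generated with the same node value; whether that value is a real network adapter address has to be checked separately.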