I'm working on an image of a hard drive from an internal user (XP Pro SP3), and am trying to identify drive letters for external USB drives to tie into .LNK files, but I don't have any of the external media and have come up against a brick wall.
There are six devices I'm interested in (due to timeline); these are the last six devices to have been connected to the system under investigation. One is a hard drive, the others are all Flash/Thumb drives.
Hard Drives - I've followed "USB_Drive_Enclosure-XP_Guide.pdf" (Rob Lee?) but as I don't have the media I can't get the Disk ID. Or can I?
Flash devices - I've followed "USBKEY-XP_Guide.pdf" but only one of the devices has a corresponding drive letter (G). Which is strange, isn't it? Searching for the Parent Prefix ID in MountedDevices should get me the name of the last device which had that drive letter?
TrueCrypt is recorded in UserAssist as being run 20 times, the last time being 2 days before the computer and its user were parted from each other.
In MountedDevices (info from RegRipper), there are several entries which include TrueCrypt, as follows:
Device TrueCryptVolumeG
\??\Volume{ac197334-e400-11de-aec9-001302a9a966}
Device TrueCryptVolumeE
\??\Volume{6c1a01dc-6fba-11de-ae9d-001302a9a966}
#{34bac2c6-72f0-11de-ae9f-0015c5412bf9}
Device TrueCryptVolumeY
\??\Volume{6a958744-6440-11de-ae97-0015c5412bf9}
#{6a95874e-6440-11de-ae97-001302a9a966}
Device TrueCryptVolumeF
\??\Volume{0d05e772-8389-11de-aea7-0015c5412bf9}
\DosDevices\F
Device TrueCryptVolumeD
\??\Volume{5380f114-5c1d-11de-ae96-0015c5412bf9}
#{6a958789-6440-11de-ae97-001302a9a966}
I assume/guess these are volume GUIDs (I randomly cross-checked with 6 non-TrueCrypt-marked devices in the list from RegRipper in the Volume section of MountedDevices), but they don't show up in MountPoints2. Can anyone shed any light on where this GUID comes from?
Also, in AccessData Registry Viewer, in Mounted Devices the value "\DosDevices\F" has data "TrueCryptVolumeF" (text).
Can anyone point me in the right direction for (a) a drive letter for the hard drive and (b) working out which (if any) devices have had TrueCrypt volumes created on them?
Cheers
Can anyone point me in the right direction for (a) a drive letter for the hard drive and (b) working out which (if any) devices have had TrueCrypt volumes created on them?
http//
"According to the TCHunt the following attributes are used to identify potential TrueCrypt volumes
* The suspect file size modulo 512 must equal zero.
* The suspect file size is at least 19 KB or 275 KB in size.
* The suspect file contents pass a chi-square distribution test.
* The suspect file must not contain a common file header."
http//
"Detects Encrypted Files, including TrueCrypt"
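The four TCHunt attributes quoted above, applied to in-memory blobs as an added example (not TCHunt's own code, and not from the original thread). The chi-square threshold and the list of common headers are assumptions; the three sample blobs are constructed so the result of each rule is deterministic.

```python
"""TCHunt-style triage of candidate TrueCrypt containers (added example)."""
from collections import Counter

SECTOR = 512
MIN_SIZE = 19 * 1024                 # "at least 19 KB" from the quoted TCHunt rules
CHI2_THRESHOLD = 310.0               # assumption: roughly the p=0.01 critical value for 255 degrees of freedom

# Constructed list of common file headers; a real scan would use a fuller signature set.
KNOWN_HEADERS = [b"PK\x03\x04", b"\x89PNG", b"%PDF", b"MZ", b"\xff\xd8\xff", b"\x1f\x8b"]

def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify(data: bytes) -> dict:
    """Apply the four TCHunt attributes and report which ones a blob satisfies."""
    size = len(data)
    chi2 = chi_square(data) if size else float("inf")
    checks = {
        "size_multiple_of_512": size % SECTOR == 0,
        "size_at_least_19kb": size >= MIN_SIZE,
        "chi_square_uniform": chi2 <= CHI2_THRESHOLD,
        "no_known_header": not any(data.startswith(h) for h in KNOWN_HEADERS),
    }
    checks["candidate"] = all(checks.values())   # all four rules must hold
    checks["chi_square"] = round(chi2, 2)
    return checks

def is_candidate(data: bytes) -> bool:
    return classify(data)["candidate"]

# Constructed samples: a flat byte distribution over 40 sectors stands in for ciphertext,
# a run of one byte for a sparse/text-like file, and a ZIP header on flat data.
UNIFORM = bytes(range(256)) * 80                  # 20480 bytes, chi-square exactly 0
TEXTLIKE = b"A" * (40 * SECTOR)
ZIPLIKE = b"PK\x03\x04" + UNIFORM[4:]

if __name__ == "__main__":
    for name, blob in [("uniform", UNIFORM), ("textlike", TEXTLIKE), ("ziplike", ZIPLIKE)]:
        print(name, classify(blob))
```

On a real image the same rules would be run over every file's contents, and the chi-square rule is the one that produces false positives on compressed or already-encrypted media, so candidates still need manual review.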
Can anyone point me in the right direction for (a) a drive letter for the hard drive and (b) working out which (if any) devices have had TrueCrypt volumes created on them?
Sounds like you're on the right track…
(a) you have everything you need. No one can validate this for you unless you are willing to share the data.
(b) This would likely come down to a matter of timing…you'd have to find the device that was plugged in and see which TrueCrypt volume "appeared" shortly thereafter.
I believe the UUID is generated on first mount to the file system based on a range of OS system data (RFC 4122, I think).
TrueCrypt does not record mount information by default, and a container would not contain typical file header information, and the extension would be incorrect for the header.
A TrueCrypt-encrypted drive uses a boot loader, which I believe is Linux based, to decrypt the drive; the OS may not be aware of this, however the boot area of the drive is unencrypted and may provide additional information.
I would look at the standard for GUID generation; it may allow you to reverse engineer the GUID. XP may have also dumped a recycle bin on the drive when it was mounted, and you may find more information by looking for what the OS would have done to the FS, as it only sees a drive and not a TrueCrypt container.
Well, my random thoughts, hope they help.
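The GUIDs listed in the OP have "11de" in their third group, which marks them as RFC 4122 version-1 UUIDs, and a v1 UUID embeds a 100 ns timestamp and the generating host's node (normally a MAC address). The following is an added example, not code from the thread or from any of the tools named in it, that decodes those fields from the MountedDevices value names quoted above; which Windows component generated them is not established here.

```python
"""Decode the RFC 4122 version-1 volume GUIDs from MountedDevices (added example)."""
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# RFC 4122 v1 timestamps count 100 ns intervals from 15 October 1582 (Gregorian reform).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def decode_v1(guid: str) -> Optional[Dict]:
    """Return timestamp, clock sequence and node for a v1 GUID, or None for other versions."""
    u = uuid.UUID(guid.strip("{}"))
    if u.version != 1:
        return None
    when = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)   # u.time is in 100 ns units
    return {
        "guid": str(u),
        "timestamp_utc": when,
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",   # v1 node is normally the MAC address of the generating host
    }

def decode_mounted_devices(values: List[str]) -> List[Dict]:
    """Pull every {GUID} out of MountedDevices value names and decode the v1 ones."""
    out = []
    for name in values:
        start, end = name.find("{"), name.find("}")
        if start == -1 or end == -1:
            continue
        decoded = decode_v1(name[start + 1:end])
        if decoded:
            decoded["value_name"] = name
            out.append(decoded)
    return out

# Value names copied from the RegRipper output quoted in the thread.
MOUNTED_DEVICES = [
    r"\??\Volume{ac197334-e400-11de-aec9-001302a9a966}",
    r"\??\Volume{6c1a01dc-6fba-11de-ae9d-001302a9a966}",
    r"#{34bac2c6-72f0-11de-ae9f-0015c5412bf9}",
]

if __name__ == "__main__":
    for row in decode_mounted_devices(MOUNTED_DEVICES):
        print(row["value_name"], row["timestamp_utc"].isoformat(), row["node"])
```

The decoded timestamps are only as trustworthy as the clock of the host that generated them, and the thread's GUIDs carry two different node values (001302a9a966 and 0015c5412bf9), which is worth comparing against the network adapters recorded in the image.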
One thing about encrypted file volumes is that they will need to be quite large to be of any use. Of course this depends on the specific nefarious activity your suspect is involved in, but it's a starting point. As a matter of course I usually sort by file size and look at the largest files and just see if anything seems odd or out of place.
All of those volumes you report could actually be the same one, just mounted under different volume letters each time.
addshamsterarmy / gmarshall139 - sorry I didn't make this clear in the OP, but the only drive I have is the internal HDD from the user's laptop; I don't have any USB devices.
According to FTK there are no .tc files on the HDD, which only means there are no .tc files on the HDD, not that there used to be, or that TrueCrypt volumes MUST be on external media.
Does this change your replies?
No,
Don't rely on FTK 100% to identify encrypted volumes. It's pretty good, but you may miss one. It could be that the volume was named .zip, .mpg, or anything else for that matter. From what you're showing us I wouldn't assume the volume was on external media. It could just as easily be on the local drive and would in fact still show in the registry as a mounted device. Think of it as a virtual device.
keydet89 wrote
you'd have to find the device that was plugged in and see which TrueCrypt volume "appeared" shortly thereafter
I'm probably missing a trick here, but the only place these GUIDs are recorded is in MountedDevices, where individual values don't have LastWrite times associated with them.
I have searched everywhere (all RegRipper output plus everywhere I can think of via AccessData's Registry Viewer) and no sirree. So the question then is how do I find when these TrueCrypt volumes "appeared"?
Regards
So the question then is how do I find when these TrueCrypt volumes "appeared"?
Go back through the restore points and see at what point they are no longer there.
No Restore Points due to GPO - just gets better and better doesn't it?