Please can someone advise how to identify a Truecrypt volume with FTK Demo. I am studying a dummy case for University and have various passwords throughout the case to use to open a volume that has been encrypted with Truecrypt. However, I don't know how to open it with FTK? Also, there is a file with a .html extension but is identified as an Encrypted MS Word in FTK, within this is an OLE Embedded Storage Container called DateSpaces. Any ideas?
Many thanks roll
afaik FTK will not automatically decrypt a container or mount its contents, although it may help you identify it (I would suggest searching the FTK manual perhaps for the word encrypted/encryption). If somebody gave you a password and a file they told you was a Truecrypt container and you didn't have FTK how would you go about opening it ? This would also apply if somebody asked you to look at a password protected Word document.
If you can see the contents of a file, and they make sense, its not a truecrypt volume.
True crypt volumes don't have file signatures. I think there's a tab in ftk which sorts unrecognised files.
It's probably .docx format which if I remember correctly uses .zip compression and contains the documents data in different files. It may have had it's extension changed to .html to obfuscate it.