Video Artifacts from Encrypted Mount

(@patrick1981)
Active Member
Joined: 11 years ago
Posts: 5
Topic starter  

I have a case where I was told that it is suspected that:

- TrueCrypt was installed on a Windows 7 system.

- A CD or USB that contained a hidden TrueCrypt volume was then inserted.

- The volume contained a video file which was played.

- The CD or USB was ejected.

I need to find any available artifacts that show:

- TrueCrypt was installed.

- TrueCrypt was run.

- A volume was mounted.

- A video file was played.

- What user and when said user installed TrueCrypt / mounted the volume / played the video.

- Were any malicious files introduced to the system during this time.

I've got the TrueCrypt investigation covered. Found some remnants in the registry as it seems the application was uninstalled.

I'm interested in what artifacts, if any, would be of a video that was played from an encrypted volume (which probably doesn't matter since it was decrypted for access) but not saved on the system. I'm not seeing anything in the only media application, WMP, i.e. recently played files.

Any thoughts?


   
Quote
Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

- The CD or USB was ejected.
You can do it with a forensic analysis of the Windows registry.

- TrueCrypt was installed.
You can do it with a forensic analysis of the Windows registry.

- TrueCrypt was run.
You can do it with a forensic analysis of the Windows registry.

- A volume was mounted.
You can do it with a forensic analysis of the Windows registry and an analysis of Windows operating system artifacts.

- A video file was played.
You can do it with a forensic analysis of the Windows registry, an analysis of video player logs, and an analysis of Windows operating system artifacts.

- What user and when said user installed TrueCrypt / mounted the volume / played the video.
You can do it with a forensic analysis of the Windows registry, an analysis of video player logs, and an analysis of Windows operating system artifacts.


   
ReplyQuote
Share:
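As an added example (not part of either post above), here is one concrete form the registry analysis for "TrueCrypt was run" and "what user and when" can take on Windows 7: decoding a UserAssist value from a user's NTUSER.DAT, where the value name is ROT13-encoded and the 72-byte data holds the run count and last-run FILETIME. It assumes the name and data have already been exported from `Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`; the sample record, its path and its timestamp are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that Windows 7 substitutes for path prefixes in UserAssist names.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to UTC; 0 means never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def decode_userassist(value_name, data):
    """Decode one Windows 7 UserAssist value (ROT13 name, 72-byte data)."""
    if len(data) != 72:
        raise ValueError("not a Windows 7 UserAssist record: %d bytes" % len(data))
    path = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            path = folder + path[len(guid):]
    # Offsets 4/8/12: run count, focus count, focus time (ms); offset 60: last run.
    run_count, focus_count, focus_ms = struct.unpack_from("<3I", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"path": path, "run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000,
            "last_run_utc": filetime_to_utc(last_run)}

def build_sample():
    """Constructed record for demonstration; not taken from any real hive."""
    plain = "{6D809377-6AF0-444B-8957-A3773F02200E}\\TrueCrypt\\TrueCrypt.exe"
    when = datetime(2014, 3, 5, 14, 30, tzinfo=timezone.utc)
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    data = bytearray(72)
    struct.pack_into("<4I", data, 0, 0, 3, 5, 42000)  # session, runs, focus count, focus ms
    struct.pack_into("<Q", data, 60, ft)
    return codecs.encode(plain, "rot_13"), bytes(data)

if __name__ == "__main__":
    print(decode_userassist(*build_sample()))
```

Because UserAssist lives in each account's NTUSER.DAT, the hive a record comes from ties the execution to a user profile; the same decoding applies to a media player's entry.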