Virtual encryption softwares
mrevoluter
(@mrevoluter)
New Member


Hi friends,
I rolled through different web forums for the solution regarding how to find the date and time stamps of various encrypted volumes mounted in a Windows operating system.
Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.

Posted : 10/05/2019 11:08 am
Omnius
(@omnius)
Junior Member

I'd be looking for usage of TrueCrypt Format.exe as that can indicate that a volume was created.

I've found this article useful for VeraCrypt that may be of help https://sparky.tech/tracking-encryption-part-1-veracrypt-usage/

Posted : 10/05/2019 11:52 am
mrevoluter
(@mrevoluter)
New Member

Thank you Omnius for the reply. However, I could get the type of drive the TrueCrypt volume is mounted on, but still could not correlate it with the time of usage, as time stamps are not mentioned anywhere in the corresponding registry.

Posted : 10/05/2019 12:34 pm
Omnius
(@omnius)
Junior Member

Are you able to locate any records of TC being launched? Any .LNK / JumpList records of access to typical TC drive letters? You may be able to infer a connection there and use the timestamps they provide?

Posted : 10/05/2019 2:09 pm
mrevoluter
(@mrevoluter)
New Member

Yes, I got a .tc file info in the Internet Explorer artifacts, which does not show the time stamp. I got info on various mounted drive letters using TrueCrypt, which does not have any time stamp. I got various .LNK files which show different timelines for each file, but the drive letters do not correlate to the TrueCrypt mounted volumes, and there are no BAM & DAM entries in the registry file, not even {userassist} files in the registry. Though I could relate that the .LNK files are accessed from a mounted TrueCrypt volume, I could not find its execution time stamp.
Q1. If TrueCrypt is executed in the system, where else will its execution time stamp be available?
Q2. Are there any Event Viewer logs to rule out the execution of TrueCrypt?
Q3. If a thumb drive is inserted in the system at the time of mounting the TrueCrypt volume, could any traces be found to rule out that data is pilfered out?

Kindly reply…..

Posted : 10/05/2019 2:29 pm
jaclaz
(@jaclaz)
Community Legend

Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.

What about the GUIDs?

See here (and given links)
https://www.forensicfocus.com/Forums/viewtopic/t=15925/

jaclaz

Posted : 15/05/2019 6:36 pm
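
An added example, not part of any post in this thread: volume GUIDs in MountedDevices value names can be version 1 GUIDs, which embed the time they were generated, and this Python sketch decodes that time while returning nothing for other GUID kinds. The sample value names are constructed, and reading the last reply's GUID hint this way is an assumption; the decoded time is a lead to corroborate, not a mount or execution time.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 GUID clocks count 100 ns ticks from 1582-10-15 UTC (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Value names of the form \??\Volume{GUID}; \DosDevices\X: names hold no GUID.
VOLUME_NAME = re.compile(r"^\\\?\?\\Volume\{([0-9a-fA-F-]{36})\}$")


def guid_timestamp(guid_text):
    """Return the UTC time embedded in a version 1 GUID, else None."""
    try:
        guid = uuid.UUID(guid_text)
    except ValueError:
        return None  # malformed GUID text
    if guid.variant != uuid.RFC_4122 or guid.version != 1:
        return None  # other GUID kinds carry no clock value
    return GREGORIAN_EPOCH + timedelta(microseconds=guid.time // 10)


def volume_guid_times(value_names):
    """Map each volume GUID found in the value names to its time or None."""
    results = {}
    for name in value_names:
        match = VOLUME_NAME.match(name)
        if match:
            results[match.group(1).lower()] = guid_timestamp(match.group(1))
    return results


# Constructed sample value names, not taken from any real system.
SAMPLE_VALUE_NAMES = [
    r"\??\Volume{10130000-6ba4-11e9-8000-806e6f6e6963}",  # version 1
    r"\??\Volume{3f2b8c1e-9d4a-4c7b-a1e2-5b6c7d8e9f01}",  # version 4 (random)
    r"\??\Volume{a1b2c3d4-0000-0000-0000-100000000000}",  # no RFC 4122 variant
    r"\DosDevices\T:",
]

if __name__ == "__main__":
    for guid, when in volume_guid_times(SAMPLE_VALUE_NAMES).items():
        print(guid, when.isoformat() if when else "no embedded time")
```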