[Vol-dev] Finding Truecrypt passphrases

Hello Jesse, hello list, today I have given a try to the cryptoscan-plugin. The dump comes from an XP with SP3. That should not be problematic because the structure the plugin looks for is os-independent, isn't it? In the case I forced Truecrypt (v6.2a) to cache the passphrases in memory I saw it as plain text: XWF was not able to allocate that offset (phys. 0x18218c84) to a single process. But I was not able to find the described structure neither with the plugin nor manually. The dump is from a test case I use for forensic classes. So I could provide it for further analysis. It additionally includes cached domain credentials, waiting for extraction.. Cu Michael