Hello Jesse, hello list,

 

Today I gave the cryptoscan plugin a try. The dump comes from an XP with SP3. That should not be problematic because the structure the plugin looks for is OS-independent, isn’t it?

In the case where I forced TrueCrypt (v6.2a) to cache the passphrases in memory, I saw it as plain text:

XWF was not able to allocate that offset (phys. 0x18218c84) to a single process.

But I was not able to find the described structure, either with the plugin or manually. The dump is from a test case I use for forensic classes. So I could provide it for further analysis.

It additionally includes cached domain credentials, waiting for extraction...

 

Cu

 

Michael