Hi all,
I've a question somewhat related to this thread:
As far as I understand, after a successful boot using a hibernation file
the header of the file is altered, which means that the file is no longer
a valid hibernation file.
Is there a way to decompress/analyze such a hibernation file taken from
a system that has already zeroed out the header of the hibernation file? I
was able to recover some AES keys with bulk_extractor, but now I would
need more info regarding possible TrueCrypt volumes.
Another question: I managed to find some AES keys in memory. Is there a
possibility to match the physical offset of these keys (from
aeskeyfind/bulk_extractor) to a process in memory? (Similar to the
"strings" option.) Until now it has been a trial-and-error process for me to
find which key belongs to TrueCrypt.
Chris
On 8/18/12 1:22 AM, Adam Bridge wrote:
As promised, I have done my best to write up the process I went through
to successfully identify the file behind the TC volume.
Find it here:
http://www.scribd.com/doc/103174530
Thanks,
Adam