Re: [Vol-users] TrueCrypt File Found in Handles extraction, but can't replicate results

Hello I've been testing volatility and looking through the results. In particular, within the Handles extraction, I found the following line... 0xfffffa8009648800 3544 0x1a78 0x120089 File \Device\TrueCryptVolumeK\Test.txt This is a file that I had stored in a hidden volume. I attempted to re-create this type of entry with 3 further memory dumps with no such success (No files within TrueCrypt volume). Can anyone advise why this filename "Test.txt" was found? I see that a lot of files can be found in the Handles extraction, but haven't been able to find any documentation on how files are included in this section. I ran the following command on an 8GB Memory dump which was captured via FTK Imager... vol.exe -f memdump.mem --profile=Win7SP1x64 --output=text --output-file=handles-files.txt handles -t File This result was a total surprise to find. In further testing, I attempted to do the following within the hidden volume... - Create new files - Copy files into the volume - Leave files open while closing the volume within TrueCrypt Thanks, R _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users