Thanks so much for the email - extremely useful already.<br>I&#39;m taking notes so that I can do my best at writing it up at the end.<br><br>So, with pslist I found one instance of TrueCrypt.exe which had a PID of 4920.<br>
<br>With handles --pid=4920 there was nothing useful - all very much T/C stuff.<br>So I did handles without the --pid.<br>Now, with my test data I of course know the name of the T/C volume file and sure enough I could see it:<br>
<br>Offset(V)             Pid             Handle             Access Type             Details<br>------------------ ------ ------------------ ------------------ ---------------- -------<br>0xfffffa8002193b30      4             0x269c               0x2a Process          TrueCrypt.exe(4920)<br>
0xfffffa80021a63c0      4             0x2a1c           0x12019f File             \Device\HarddiskVolume10\MyTrueCryptVolume # Here!<br>0xfffffa8002193b30    796              0x6c0           0x1fffff Process          TrueCrypt.exe(4920)<br>
0xfffffa8002193b30    836              0xc28             0x1478 Process          TrueCrypt.exe(4920)<br>0xfffffa8002193b30   1144              0xd4c             0x1478 Process          TrueCrypt.exe(4920)<br>0xfffffa8001b4f070   2700             0x1084           0x100081 File             \Device\TrueCryptVolumeT\<br>
0xfffffa8002c7d1c0   2700             0x1118           0x100081 File             \Device\TrueCryptVolumeT\<br>0xfffffa8001e51f20   4920              0x324           0x100080 File             \Device\TrueCrypt<br>0xfffffa80038e4680   4920              0x330           0x1f0001 Mutant           TrueCryptTaskBarIcon<br>
0xfffffa8004d5a8d0   3384                0xc           0x100020 File             \Device\TrueCryptVolumeT\<br><br>In my real case I don&#39;t know the name of the file - so I wouldn&#39;t know it if I saw it - especially if it had an innocent name like &quot;school_work.doc&quot;.<br>
<br>I now know my T/C volume is mounted as T:<br>I notice that there are 2 PIDs accessing the T:<br>Look them up in the plist data and they&#39;re explorer and notepad (which is correct, I&#39;d opened a txt file from the T/C volume).<br>
<br>So, pretending I hadn&#39;t seen &#39;MyTrueCryptVolume&#39; I tried symlinks and grep&#39;d for TrueCrypt:<br><br>Offset(P)            #Ptr   #Hnd Creation time            From                 To                                                          <br>
------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------<br>0x0000000026b33c80      1      0 2012-08-16 19:12:51      Volume{3d...10a7e8a} \Device\TrueCryptVolumeT                                    <br>
0x0000000037f51b10      1      0 2012-08-16 18:14:48      TrueCrypt            \Device\TrueCrypt                                           <br>0x0000000052ececb0      1      0 2012-08-16 19:12:51      T:                   \Device\TrueCryptVolumeT                                    <br>
0x000000006131c9d0      1      0 2012-08-16 19:12:51      T:                   \Device\TrueCryptVolumeT                                    <br><br>So, definitely T: then.<br><br>So I know there&#39;s a T/C volume mounted, I know that it&#39;s mounted as the T: and I know that explorer and notepad have both got handles to it.<br>
I&#39;ve got one last hurdle to clear: how do I find out the file which is behind \Device\TrueCryptVolumeT?<br><br>I filtered handles for File objects from \Device\HarddiskVolume* but that left me with ~130 files and without knowing the file name how would I identify it?<br>
<br>Thanks again for all the suggestions so far!<br><br><div class="gmail_quote">On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <span dir="ltr">&lt;<a href="mailto:atcuno@gmail.com" target="_blank">atcuno@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
So I will assume you are using the latest release of Volatility, which<br>
means the 2.1 command reference will give you information about every<br>
plugin we have:<br>
<br>
<a href="http://code.google.com/p/volatility/wiki/CommandReference21" target="_blank">http://code.google.com/p/volatility/wiki/CommandReference21</a><br>
<br>
The next thing I would do is run the handles plugin [1] and look for<br>
any reference to the open file. You can filter with the -p option to<br>
be only the TrueCrypt process that you found in pslist, but if you do<br>
not see any encrypted container referenced there then you may want to<br>
run it across all processes (the default) because we have seen where<br>
files opened by drivers end up in other processes&#39; handles (e.g.<br>
SYSTEM).<br>
<br>
I think handles would be more helpful to determine if any files were<br>
opened b/c it will show you exactly what truecrypt had open when the<br>
machine hibernated. With filescan you would have to already know the<br>
name of the encrypted container to see if it was ever opened.<br>
<br>
Also, MHL suggested using the symlink scan command [2] as this will<br>
map drive letters to physical device paths. Here is some sample output<br>
for the command:<br>
<br>
$ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan<br>
Volatile Systems Volatility Framework 2.2_alpha<br>
Offset(P)            #Ptr   #Hnd Creation time            From<br>
        To<br>
------------------ ------ ------ ------------------------<br>
--------------------<br>
------------------------------------------------------------<br>
0x0000000007331840      1      0 2011-12-30 08:26:15      Global<br>
        \Global??<br>
0x0000000013d6a930      1      0 2012-01-10 18:35:28      Z:<br>
        \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup<br>
0x0000000023bc0140      1      0 2011-12-30 08:25:30      A:<br>
        \Device\Floppy0<br>
0x000000002ab23430      1      0 2011-12-30 08:25:30      D:<br>
        \Device\CdRom0<br>
0x000000002d3b8c90      1      0 2011-12-30 08:25:26      C:<br>
        \Device\HarddiskVolume2<br>
<br>
And you can see, C: is mapped to HarddiskVolume2. From there you can<br>
run handles and filter specifically to files opened on that device<br>
like this:<br>
<br>
$ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File<br>
| grep HarddiskVolume2<br>
Volatile Systems Volatility Framework 2.2_alpha<br>
0xfffffa800248e5a0      4               0x5c           0x12008b File<br>
          \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl<br>
0xfffffa800267f300      4               0xa4           0x13019f File<br>
          \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog<br>
0xfffffa800267b540      4               0xa8           0x12019f File<br>
          \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog<br>
0xfffffa8002671350      4               0xac           0x13019f File<br>
          \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog<br>
0xfffffa80026794e0      4               0xb0           0x12019f File<br>
          \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002<br>
0xfffffa8002679c30      4               0xb4                0x1 File<br>
          \Device\HarddiskVolume2<br>
<br>
<br>
If the combination of handles and symlinkscan does not answer your<br>
question please write back. Also, it would be interesting if you<br>
documented your process through this (assuming you can), as I am sure<br>
many other people will encounter this situation.<br>
<br>
<br>
[1] <a href="http://code.google.com/p/volatility/wiki/CommandReference21#handles" target="_blank">http://code.google.com/p/volatility/wiki/CommandReference21#handles</a><br>
[2] <a href="http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan" target="_blank">http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan</a><br>
<br>
<br>
<br>
<br>
....<br>
<div><div class="h5"><br>
On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge &lt;<a href="mailto:adam.bridge@yahoo.com">adam.bridge@yahoo.com</a>&gt; wrote:<br>
&gt; Hello All,<br>
&gt;<br>
&gt; I&#39;m new to Volatility but am a reasonably experienced forensic examiner.<br>
&gt;<br>
&gt; I&#39;m working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to<br>
&gt; determine whether a TrueCrypt volume was mounted and, for bonus points, the<br>
&gt; path to the TrueCrypt volume file.<br>
&gt;<br>
&gt; I&#39;ve used devicetree and found:<br>
&gt;<br>
&gt; DRV 0x23ea15de0 \Driver\truecrypt<br>
&gt; ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK<br>
&gt; ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN<br>
&gt;<br>
&gt; So a good start.<br>
&gt;<br>
&gt; Question: Does that tell me that there _IS_ a TrueCrypt volume mounted as<br>
&gt; the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or<br>
&gt; that there&#39;s no way of knowing one way or the other?<br>
&gt;<br>
&gt; filescan shows two entries for \TrueCrypt.exe. The only difference between<br>
&gt; the two (besides a slight difference in #Ptr) is that one has access of:<br>
&gt;<br>
&gt; R--rwd<br>
&gt;<br>
&gt; and the other:<br>
&gt;<br>
&gt; R--r-d<br>
&gt;<br>
&gt; What should I be discerning from this? Why does one have a write permission<br>
&gt; that the other does not?<br>
&gt;<br>
&gt; And finally, pslist shows me that TrueCrypt.exe was started but has no exit<br>
&gt; time.<br>
&gt;<br>
&gt; I&#39;m just not really sure where to go next?<br>
&gt; Can anybody suggest anything?<br>
&gt;<br>
&gt; More than happy for someone to tell me to go read X! Just can&#39;t find a<br>
&gt; helpful X to read.<br>
&gt;<br>
&gt; Thank you all,<br>
&gt; AB<br>
&gt;<br>
</div></div>&gt; _______________________________________________<br>
&gt; Vol-users mailing list<br>
&gt; <a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
&gt; <a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
&gt;<br>
</blockquote></div><br>