Hello

I've been testing volatility and looking through the results. In particular, within the Handles extraction, I found the following line...

0xfffffa8009648800   3544             0x1a78           0x120089 File           \Device\TrueCryptVolumeK\Test.txt

This is a file that I had stored in a hidden volume. I attempted to re-create this type of entry with 3 further memory dumps with no such success (no files within the TrueCrypt volume). Can anyone advise why this filename "Test.txt" was found? I see that a lot of files can be found in the Handles extraction, but I haven't been able to find any documentation on how files are included in this section.

I ran the following command on an 8GB Memory dump which was captured via FTK Imager...

vol.exe -f memdump.mem --profile=Win7SP1x64 --output=text --output-file=handles-files.txt handles -t File

This result was a total surprise to find. In further testing, I attempted to do the following within the hidden volume...
- Create new files
- Copy files into the volume
- Leave files open while closing the volume within TrueCrypt

Thanks,

R
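Added example, not part of the original post or of Volatility itself: a small Python helper that post-processes the text output of Volatility 2's `handles -t File` (the column layout assumed here is Offset(V), Pid, Handle, Access, Type, Details, matching the quoted line), keeps only handles whose path sits under a `\Device\TrueCryptVolume*` device, groups them by owning PID, and decodes the access mask (0x120089 on the quoted line) into the winnt.h file-access bit names. The sample output embedded in the block is constructed; only the first row mirrors the line from the post.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 `handles -t File` text output. The first row
# mirrors the line quoted in the post; the other rows are made up for illustration.
SAMPLE_OUTPUT = """\
Offset(V)          Pid             Handle             Access      Type             Details
0xfffffa8009648800 3544            0x1a78             0x120089    File             \\Device\\TrueCryptVolumeK\\Test.txt
0xfffffa8009648900 3544            0x1a7c             0x100020    File             \\Device\\HarddiskVolume2\\Windows
0xfffffa8009648a00 1204            0x2c0              0x12019f    File             \\Device\\TrueCryptVolumeK\\Notes.docx
"""

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)\s+(?P<details>.*?)\s*$"
)

# Subset of the Windows file access-mask bits (winnt.h), used to make 0x120089 readable.
ACCESS_BITS = [
    (0x0001, "FILE_READ_DATA"), (0x0002, "FILE_WRITE_DATA"), (0x0004, "FILE_APPEND_DATA"),
    (0x0008, "FILE_READ_EA"), (0x0010, "FILE_WRITE_EA"), (0x0020, "FILE_EXECUTE"),
    (0x0080, "FILE_READ_ATTRIBUTES"), (0x0100, "FILE_WRITE_ATTRIBUTES"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]

def decode_access(mask):
    """Return the names of the access-mask bits set in `mask`, in ACCESS_BITS order."""
    return [name for bit, name in ACCESS_BITS if mask & bit]

def parse_handles(text):
    """Parse `handles -t File` text output into dicts; header and non-File rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("type") == "File":
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["access"] = int(row["access"], 16)
            rows.append(row)
    return rows

def handles_on_device(rows, device_prefix=r"\Device\TrueCryptVolume"):
    """Group file handles whose path starts with `device_prefix` by the PID that holds them."""
    by_pid = defaultdict(list)
    for row in rows:
        if row["details"].startswith(device_prefix):
            by_pid[row["pid"]].append((row["details"], decode_access(row["access"])))
    return dict(by_pid)
```

To run it over the real output, pass the contents of handles-files.txt to `parse_handles` and feed the result to `handles_on_device`.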