On Thu, Aug 16, 2012 at 4:28 PM, Adam Bridge <adam.bridge@yahoo.com> wrote:
> Thanks so much for the email - extremely useful already.
> I'm taking notes so that I can do my best at writing it up at the end.
>
> So, with pslist I found one instance of TrueCrypt.exe which had a PID of
> 4920.
>
> With handles --pid=4920 there was nothing useful - all very much T/C stuff.
> So I did handles without the --pid.
> Now, with my test data I of course know the name of the T/C volume file and
> sure enough I could see it:
>
> Offset(V)          Pid    Handle             Access             Type             Details
> ------------------ ------ ------------------ ------------------ ---------------- -------
> 0xfffffa8002193b30 4      0x269c             0x2a               Process          TrueCrypt.exe(4920)
> 0xfffffa80021a63c0 4      0x2a1c             0x12019f           File             \Device\HarddiskVolume10\MyTrueCryptVolume # Here!
> 0xfffffa8002193b30 796    0x6c0              0x1fffff           Process          TrueCrypt.exe(4920)
> 0xfffffa8002193b30 836    0xc28              0x1478             Process          TrueCrypt.exe(4920)
> 0xfffffa8002193b30 1144   0xd4c              0x1478             Process          TrueCrypt.exe(4920)
> 0xfffffa8001b4f070 2700   0x1084             0x100081           File             \Device\TrueCryptVolumeT\
> 0xfffffa8002c7d1c0 2700   0x1118             0x100081           File             \Device\TrueCryptVolumeT\
> 0xfffffa8001e51f20 4920   0x324              0x100080           File             \Device\TrueCrypt
> 0xfffffa80038e4680 4920   0x330              0x1f0001           Mutant           TrueCryptTaskBarIcon
> 0xfffffa8004d5a8d0 3384   0xc                0x100020           File             \Device\TrueCryptVolumeT\
>
> In my real case I don't know the name of the file - so I wouldn't know it if
> I saw it - especially if it had an innocent name like "school_work.doc".
>
> I now know my T/C volume is mounted as T:
> I notice that there are 2 PIDs accessing the T:
> Look them up in the pslist data and they're explorer and notepad (which is
> correct, I'd opened a txt file from the T/C volume).
>
> So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and grep'd
> for TrueCrypt:
>
> Offset(P)          #Ptr   #Hnd   Creation time            From                 To
> ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------
> 0x0000000026b33c80 1      0      2012-08-16 19:12:51      Volume{3d...10a7e8a} \Device\TrueCryptVolumeT
> 0x0000000037f51b10 1      0      2012-08-16 18:14:48      TrueCrypt            \Device\TrueCrypt
> 0x0000000052ececb0 1      0      2012-08-16 19:12:51      T:                   \Device\TrueCryptVolumeT
> 0x000000006131c9d0 1      0      2012-08-16 19:12:51      T:                   \Device\TrueCryptVolumeT
>
> So, definitely T: then.
>
> So I know there's a T/C volume mounted, I know that it's mounted as the T:
> and I know that explorer and notepad have both got handles to it.
> I've got one last hurdle to clear: how do I find out the file which is
> behind \Device\TrueCryptVolumeT?
>
> I filtered handles for File objects from \Device\HarddiskVolume* but that
> left me with ~130 files and without knowing the file name how would I
> identify it?
>
> Thanks again for all the suggestions so far!
>
>
> On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno@gmail.com> wrote:
>>
>> Hello,
>>
>> So I will assume you are using the latest release of Volatility, which
>> means the 2.1 command reference will give you information about every
>> plugin we have:
>>
>> http://code.google.com/p/volatility/wiki/CommandReference21
>>
>> The next thing I would do is run the handles plugin [1] and look for
>> any reference to the open file. You can filter with the -p option to
>> be only the TrueCrypt process that you found in pslist, but if you do
>> not see any encrypted container referenced there then you may want to
>> run it across all processes (the default) because we have seen where
>> files opened by drivers end up in other processes' handles (e.g.
>> SYSTEM).
>>
>> I think handles would be more helpful to determine if any files were
>> opened b/c it will show you exactly what truecrypt had open when the
>> machine hibernated. With filescan you would have to already know the
>> name of the encrypted container to see if it was ever opened.
>>
>> Also, MHL suggested using the symlink scan command [2] as this will
>> map drive letters to physical device paths. Here is some sample output
>> for the command:
>>
>> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan
>> Volatile Systems Volatility Framework 2.2_alpha
>> Offset(P)          #Ptr   #Hnd   Creation time            From                 To
>> ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------
>> 0x0000000007331840 1      0      2011-12-30 08:26:15      Global               \Global??
>> 0x0000000013d6a930 1      0      2012-01-10 18:35:28      Z:                   \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup
>> 0x0000000023bc0140 1      0      2011-12-30 08:25:30      A:                   \Device\Floppy0
>> 0x000000002ab23430 1      0      2011-12-30 08:25:30      D:                   \Device\CdRom0
>> 0x000000002d3b8c90 1      0      2011-12-30 08:25:26      C:                   \Device\HarddiskVolume2
>>
>> And you can see, C: is mapped to HarddiskVolume2. From there you can
>> run handles and filter specifically to files opened on that device
>> like this:
>>
>> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File | grep HarddiskVolume2
>> Volatile Systems Volatility Framework 2.2_alpha
>> 0xfffffa800248e5a0 4      0x5c               0x12008b           File             \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl
>> 0xfffffa800267f300 4      0xa4               0x13019f           File             \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog
>> 0xfffffa800267b540 4      0xa8               0x12019f           File             \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog
>> 0xfffffa8002671350 4      0xac               0x13019f           File             \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog
>> 0xfffffa80026794e0 4      0xb0               0x12019f           File             \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
>> 0xfffffa8002679c30 4      0xb4               0x1                File             \Device\HarddiskVolume2
>>
>>
>> If the combination of handles and symlinkscan does not answer your
>> question please write back. Also, it would be interesting if you
>> documented your process through this (assuming you can), as I am sure
>> many other people will encounter this situation.
>>
>>
>> [1] http://code.google.com/p/volatility/wiki/CommandReference21#handles
>> [2] http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan
>>
>>
>>
>>
>> ....
>>
>> On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge@yahoo.com> wrote:
>> > Hello All,
>> >
>> > I'm new to Volatility but am a reasonably experienced forensic examiner.
>> >
>> > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to
>> > determine whether a TrueCrypt volume was mounted and, for bonus points,
>> > the path to the TrueCrypt volume file.
>> >
>> > I've used devicetree and found:
>> >
>> > DRV 0x23ea15de0 \Driver\truecrypt
>> > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK
>> > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN
>> >
>> > So a good start.
>> >
>> > Question: Does that tell me that there _IS_ a TrueCrypt volume mounted
>> > as the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive,
>> > or that there's no way of knowing one way or the other?
>> >
>> > filescan shows two entries for \TrueCrypt.exe. The only difference
>> > between the two (besides a slight difference in #Ptr) is that one has
>> > access of:
>> >
>> > R--rwd
>> >
>> > and the other:
>> >
>> > R--r-d
>> >
>> > What should I be discerning from this? Why does one have a write
>> > permission that the other does not?
>> >
>> > And finally, pslist shows me that TrueCrypt.exe was started but has no
>> > exit time.
>> >
>> > I'm just not really sure where to go next?
>> > Can anybody suggest anything?
>> >
>> > More than happy for someone to tell me to go read X! Just can't find a
>> > helpful X to read.
>> >
>> > Thank you all,
>> > AB
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users@volatilesystems.com
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>
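The workflow the thread walks through (symlinkscan to map the drive letter to the truecrypt device, handles to see which processes hold it, then narrowing the HarddiskVolume* file handles to container candidates), as an added Python example that is not part of the thread or of Volatility. It parses constructed rows copied from the output above and assumes Volatility 2.x's whitespace-separated column layout; the PID 4 filter is a heuristic taken from Andrew's note that driver-opened files show up under SYSTEM.

```python
import re
# Constructed sample rows in the column order Volatility 2.x prints for symlinkscan:
# Offset(P) #Ptr #Hnd Creation-time From To (values copied from the thread's output)
SYMLINKSCAN = """\
0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt \\Device\\TrueCrypt
0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: \\Device\\TrueCryptVolumeT
0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: \\Device\\HarddiskVolume2
"""
# Constructed sample rows for handles: Offset(V) Pid Handle Access Type Details
HANDLES = """\
0xfffffa8002193b30 4 0x269c 0x2a Process TrueCrypt.exe(4920)
0xfffffa80021a63c0 4 0x2a1c 0x12019f File \\Device\\HarddiskVolume10\\MyTrueCryptVolume
0xfffffa8001b4f070 2700 0x1084 0x100081 File \\Device\\TrueCryptVolumeT\\
0xfffffa8004d5a8d0 3384 0xc 0x100020 File \\Device\\TrueCryptVolumeT\\
0xfffffa8001e51f20 4920 0x324 0x100080 File \\Device\\TrueCrypt
"""

def drive_map(symlink_text):
    """Drive letter -> device path, e.g. {'T:': '\\Device\\TrueCryptVolumeT'}."""
    out = {}
    for line in symlink_text.splitlines():
        parts = line.split()          # the creation time occupies two tokens
        if len(parts) >= 7 and re.fullmatch(r"[A-Z]:", parts[5]):
            out[parts[5]] = parts[6]
    return out

def truecrypt_mounts(symlink_text):
    """Drive letters backed by a device the truecrypt driver created."""
    return {d: p for d, p in drive_map(symlink_text).items() if "truecrypt" in p.lower()}

def file_handles(handles_text):
    """(pid, path) for every File-type handle row."""
    rows = []
    for line in handles_text.splitlines():
        parts = line.split(None, 5)   # keep the Details column intact
        if len(parts) == 6 and parts[4] == "File":
            rows.append((int(parts[1]), parts[5]))
    return rows

def pids_on_device(handles_text, device):
    """PIDs with a File handle on `device` or anything beneath it."""
    dev = device.rstrip("\\").lower()
    return sorted({pid for pid, path in file_handles(handles_text)
                   if path.rstrip("\\").lower() == dev or path.lower().startswith(dev + "\\")})

def container_candidates(handles_text):
    """Heuristic: a file on a HarddiskVolume* held by SYSTEM (PID 4), as driver-opened files are."""
    return [(pid, path) for pid, path in file_handles(handles_text)
            if pid == 4 and re.match(r"\\Device\\HarddiskVolume\d+\\", path)]
```

On a real image the candidate list will still need manual review, but it is far shorter than every HarddiskVolume* handle in the dump.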