Hello All,<br><br>I&#39;m new to Volatility but am a reasonably experienced forensic examiner.<br><br>I&#39;m working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to determine whether a TrueCrypt volume was mounted and, for bonus points, the path to the TrueCrypt volume file.<br>
<br>I&#39;ve used devicetree and found:<br><br>DRV 0x23ea15de0 \Driver\truecrypt<br>---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK<br>---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN<br><br>So a good start.<br>
<br>Question: Does that tell me that there _IS_ a TrueCrypt volume mounted as the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or that there&#39;s no way of knowing one way or the other?<br><br>filescan shows two entries for \TrueCrypt.exe. The only difference between the two (besides a slight difference in #Ptr) is that one has access of:<br>
<br>R--rwd<br><br>and the other:<br><br>R--r-d<br><br>What should I be discerning from this? Why does one have a write permission that the other does not?<br><br>And finally, pslist shows me that TrueCrypt.exe was started but has no exit time.<br>
<br>I&#39;m just not really sure where to go next?<br>Can anybody suggest anything?<br><br>More than happy for someone to tell me to go read X! Just can&#39;t find a helpful X to read.<br><br>Thank you all,<br>AB<br>