Re: [Vol-users] Was a TrueCrypt volume mounted?

Hello, So I will assume you are using the latest release of Volatility, which means the 2.1 command reference will give you information about every plugin we have: http://code.google.com/p/volatility/wiki/CommandReference21 The next thing I would do is run the handles plugin [1] and look for any reference to the open file. You can filter with the -p option to be only the TrueCrypt process that you found in pslist, but if you do not see any encrypted container referenced there then you may want to run it across all processes (the default) because we have seen where files opened by drivers end up in other processes' handles (e.g. SYSTEM). I think handles would be more helpful to determine if any files were opened b/c it will show you exactly what truecrypt had open when the machine hibernated. With filescan you would have to already know the name of the encrypted container to see if it was ever opened. Also, MHL suggested using the symlink scan command [2] as this will map drive letters to physical device paths. Here is some sample output for the command: $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan Volatile Systems Volatility Framework 2.2_alpha Offset(P) #Ptr #Hnd Creation time From To ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------ 0x0000000007331840 1 0 2011-12-30 08:26:15 Global \Global?? 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: \Device\Floppy0 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: \Device\CdRom0 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: \Device\HarddiskVolume2 And you can see, C: is mapped to HarddiskVolume2. From there you can run handles and filter specifically to files opened on that device like this: $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File | grep HarddiskVolume2 Volatile Systems Volatility Framework 2.2_alpha 0xfffffa800248e5a0 4 0x5c 0x12008b File \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl 0xfffffa800267f300 4 0xa4 0x13019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa800267b540 4 0xa8 0x12019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa8002671350 4 0xac 0x13019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa80026794e0 4 0xb0 0x12019f File \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 0xfffffa8002679c30 4 0xb4 0x1 File \Device\HarddiskVolume2 If the combination of handles and symlinkscan does not answer your question please write back. Also, it would be interesting if you documented your process through this (assuming you can), as I am sure many other people will encounter this situation. [1] http://code.google.com/p/volatility/wiki/CommandReference21#handles [2] http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan .... On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> wrote: