Was a TrueCrypt volume mounted?

newer

older

Re: [Vol-users] Win 2008...

Re: [Vol-users] Was a TrueCrypt...

Adam Bridge

16 Aug 2012 16 Aug '12

9:41 a.m.

Hello All, I'm new to Volatility but am a reasonably experienced forensic examiner. I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to determine whether a TrueCrypt volume was mounted and, for bonus points, the path to the TrueCrypt volume file. I've used devicetree and found: DRV 0x23ea15de0 \Driver\truecrypt ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN So a good start. Question: Does that tell me that there _IS_ a TrueCrypt volume mounted as the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or that there's no way of knowing one way or the other? filescan shows two entries for \TrueCrypt.exe. The only difference between the two (besides a slight difference in #Ptr) is that one has access of: R--rwd and the other: R--r-d What should I be discerning from this? Why does one have a write permission that the other does not? And finally, pslist shows me that TrueCrypt.exe was started but has no exit time. I'm just not really sure where to go next? Can anybody suggest anything? More than happy for someone to tell me to go read X! Just can't find a helpful X to read. Thank you all, AB

Attachments:

attachment.html (text/html — 1.3 KB)

Show replies by date

Andrew Case

16 Aug 16 Aug

3:04 p.m.

...

Adam Bridge

4:28 p.m.

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a PID of 4920. With handles --pid=4920 there was nothing useful - all very much T/C stuff. So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume file and sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a Process TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff Process TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478 Process TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478 Process TrueCrypt.exe(4920) 0xfffffa8001b4f070 2700 0x1084 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8002c7d1c0 2700 0x1118 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8001e51f20 4920 0x324 0x100080 File \Device\TrueCrypt 0xfffffa80038e4680 4920 0x330 0x1f0001 Mutant TrueCryptTaskBarIcon 0xfffffa8004d5a8d0 3384 0xc 0x100020 File \Device\TrueCryptVolumeT\ In my real case I don't know the name of the file - so I wouldn't know it if I saw it - especially if it had an innocent name like "school_work.doc". I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad (which is correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and grep'd for TrueCrypt: Offset(P) #Ptr #Hnd Creation time From To ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------ 0x0000000026b33c80 1 0 2012-08-16 19:12:51 Volume{3d...10a7e8a} \Device\TrueCryptVolumeT 0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt \Device\TrueCrypt 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: \Device\TrueCryptVolumeT 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: \Device\TrueCryptVolumeT So, definitely T: then. So I know there's a T/C volume mounted, I know that it's mounted as the T: and I know that explorer and notepad have both got handles to it. I've got one last hurdle to clear: how do I find out the file which is behind \Device\TrueCryptVolumeT? I filtered handles for File objects from \Device\HarddiskVolume* but that left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> wrote:

...

the

path to the TrueCrypt volume file. I've used devicetree and found: DRV 0x23ea15de0 \Driver\truecrypt ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN So a good start. Question: Does that tell me that there _IS_ a TrueCrypt volume mounted as the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or that there's no way of knowing one way or the other? filescan shows two entries for \TrueCrypt.exe. The only difference

between

the two (besides a slight difference in #Ptr) is that one has access of: R--rwd and the other: R--r-d What should I be discerning from this? Why does one have a write

permission

that the other does not? And finally, pslist shows me that TrueCrypt.exe was started but has no

exit

time. I'm just not really sure where to go next? Can anybody suggest anything? More than happy for someone to tell me to go read X! Just can't find a helpful X to read. Thank you all, AB _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Jamie Levy

5:10 p.m.

...

Hello, So I will assume you are using the latest release of Volatility, which means the 2.1 command reference will give you information about every plugin we have: http://code.google.com/p/volatility/wiki/CommandReference21 The next thing I would do is run the handles plugin [1] and look for any reference to the open file. You can filter with the -p option to be only the TrueCrypt process that you found in pslist, but if you do not see any encrypted container referenced there then you may want to run it across all processes (the default) because we have seen where files opened by drivers end up in other processes' handles (e.g. SYSTEM). I think handles would be more helpful to determine if any files were opened b/c it will show you exactly what truecrypt had open when the machine hibernated. With filescan you would have to already know the name of the encrypted container to see if it was ever opened. Also, MHL suggested using the symlink scan command [2] as this will map drive letters to physical device paths. Here is some sample output for the command: $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan Volatile Systems Volatility Framework 2.2_alpha Offset(P) #Ptr #Hnd Creation time From To ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------ 0x0000000007331840 1 0 2011-12-30 08:26:15 Global \Global?? 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: \Device\Floppy0 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: \Device\CdRom0 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: \Device\HarddiskVolume2 And you can see, C: is mapped to HarddiskVolume2. From there you can run handles and filter specifically to files opened on that device like this: $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File | grep HarddiskVolume2 Volatile Systems Volatility Framework 2.2_alpha 0xfffffa800248e5a0 4 0x5c 0x12008b File \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl 0xfffffa800267f300 4 0xa4 0x13019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa800267b540 4 0xa8 0x12019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa8002671350 4 0xac 0x13019f File \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog 0xfffffa80026794e0 4 0xb0 0x12019f File \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 0xfffffa8002679c30 4 0xb4 0x1 File \Device\HarddiskVolume2 If the combination of handles and symlinkscan does not answer your question please write back. Also, it would be interesting if you documented your process through this (assuming you can), as I am sure many other people will encounter this situation. [1] http://code.google.com/p/volatility/wiki/CommandReference21#handles [2] http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan .... On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> wrote: > Hello All, > > I'm new to Volatility but am a reasonably experienced forensic examiner. > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to > determine whether a TrueCrypt volume was mounted and, for bonus points, > the > path to the TrueCrypt volume file. > > I've used devicetree and found: > > DRV 0x23ea15de0 \Driver\truecrypt > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN > > So a good start. > > Question: Does that tell me that there _IS_ a TrueCrypt volume mounted > as > the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or > that there's no way of knowing one way or the other? > > filescan shows two entries for \TrueCrypt.exe. The only difference > between > the two (besides a slight difference in #Ptr) is that one has access of: > > R--rwd > > and the other: > > R--r-d > > What should I be discerning from this? Why does one have a write > permission > that the other does not? > > And finally, pslist shows me that TrueCrypt.exe was started but has no > exit > time. > > I'm just not really sure where to go next? > Can anybody suggest anything? > > More than happy for someone to tell me to go read X! Just can't find a > helpful X to read. > > Thank you all, > AB > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

Adam Bridge

5:23 p.m.

On Thu, Aug 16, 2012 at 10:10 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:

...

stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume file

and

sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a Process TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff Process TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478 Process TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478 Process TrueCrypt.exe(4920) 0xfffffa8001b4f070 2700 0x1084 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8002c7d1c0 2700 0x1118 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8001e51f20 4920 0x324 0x100080 File \Device\TrueCrypt 0xfffffa80038e4680 4920 0x330 0x1f0001 Mutant TrueCryptTaskBarIcon 0xfffffa8004d5a8d0 3384 0xc 0x100020 File \Device\TrueCryptVolumeT\ In my real case I don't know the name of the file - so I wouldn't know

it if

I saw it - especially if it had an innocent name like "school_work.doc". I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad (which is correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and

grep'd

for TrueCrypt: Offset(P) #Ptr #Hnd Creation time From To ------------------ ------ ------ ------------------------ -------------------- ------------------------------------------------------------ 0x0000000026b33c80 1 0 2012-08-16 19:12:51 Volume{3d...10a7e8a} \Device\TrueCryptVolumeT 0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt \Device\TrueCrypt 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: \Device\TrueCryptVolumeT 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: \Device\TrueCryptVolumeT So, definitely T: then. So I know there's a T/C volume mounted, I know that it's mounted as the

and I know that explorer and notepad have both got handles to it. I've got one last hurdle to clear: how do I find out the file which is behind \Device\TrueCryptVolumeT? I filtered handles for File objects from \Device\HarddiskVolume* but that left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> wrote: > > Hello, > > So I will assume you are using the latest release of Volatility, which > means the 2.1 command reference will give you information about every > plugin we have: > > http://code.google.com/p/volatility/wiki/CommandReference21 > > The next thing I would do is run the handles plugin [1] and look for > any reference to the open file. You can filter with the -p option to > be only the TrueCrypt process that you found in pslist, but if you do > not see any encrypted container referenced there then you may want to > run it across all processes (the default) because we have seen where > files opened by drivers end up in other processes' handles (e.g. > SYSTEM). > > I think handles would be more helpful to determine if any files were > opened b/c it will show you exactly what truecrypt had open when the > machine hibernated. With filescan you would have to already know the > name of the encrypted container to see if it was ever opened. > > Also, MHL suggested using the symlink scan command [2] as this will > map drive letters to physical device paths. Here is some sample output > for the command: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan > Volatile Systems Volatility Framework 2.2_alpha > Offset(P) #Ptr #Hnd Creation time From > To > ------------------ ------ ------ ------------------------ > -------------------- > ------------------------------------------------------------ > 0x0000000007331840 1 0 2011-12-30 08:26:15 Global > \Global?? > 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: > \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup > 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: > \Device\Floppy0 > 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: > \Device\CdRom0 > 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: > \Device\HarddiskVolume2 > > And you can see, C: is mapped to HarddiskVolume2. From there you can > run handles and filter specifically to files opened on that device > like this: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File > | grep HarddiskVolume2 > Volatile Systems Volatility Framework 2.2_alpha > 0xfffffa800248e5a0 4 0x5c 0x12008b File > \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl > 0xfffffa800267f300 4 0xa4 0x13019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa800267b540 4 0xa8 0x12019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa8002671350 4 0xac 0x13019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

> 0xfffffa8002679c30 4 0xb4 0x1 File > \Device\HarddiskVolume2 > > > If the combination of handles and symlinkscan does not answer your > question please write back. Also, it would be interesting if you > documented your process through this (assuming you can), as I am sure > many other people will encounter this situation. > > > [1] http://code.google.com/p/volatility/wiki/CommandReference21#handles > [2] > http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan > > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> > wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

> > the > > path to the TrueCrypt volume file. > > > > I've used devicetree and found: > > > > DRV 0x23ea15de0 \Driver\truecrypt > > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK > > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN > > > > So a good start. > > > > Question: Does that tell me that there _IS_ a TrueCrypt volume mounted > > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive,

> > that there's no way of knowing one way or the other? > > > > filescan shows two entries for \TrueCrypt.exe. The only difference > > between > > the two (besides a slight difference in #Ptr) is that one has access

of:

> > R--rwd > > and the other: > > R--r-d > > What should I be discerning from this? Why does one have a write > permission > that the other does not? > > And finally, pslist shows me that TrueCrypt.exe was started but has no > exit > time. > > I'm just not really sure where to go next? > Can anybody suggest anything? > > More than happy for someone to tell me to go read X! Just can't find a > helpful X to read. > > Thank you all, > AB > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

Adam Bridge

5:24 p.m.

...

stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume file

and

it if

grep'd

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

of:

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

Andre' M. DiMino

5:58 p.m.

Adam, You might also want to try using: printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" or printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" and see what comes up there. Andre' M. DiMino DeepEnd Research http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV) On 08/16/2012 05:24 PM, Adam Bridge wrote:

...

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a

PID of

4920. With handles --pid=4920 there was nothing useful - all very much

T/C stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume

file and

sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a

Process

TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478

Process

TrueCrypt.exe(4920) 0xfffffa8001b4f070 2700 0x1084 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8002c7d1c0 2700 0x1118 0x100081 File \Device\TrueCryptVolumeT\ 0xfffffa8001e51f20 4920 0x324 0x100080 File \Device\TrueCrypt 0xfffffa80038e4680 4920 0x330 0x1f0001 Mutant TrueCryptTaskBarIcon 0xfffffa8004d5a8d0 3384 0xc 0x100020 File \Device\TrueCryptVolumeT\ In my real case I don't know the name of the file - so I wouldn't

know it if

I saw it - especially if it had an innocent name like

"school_work.doc".

I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad

(which is

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks

and grep'd

as the T:

but that

left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com

<mailto:atcuno@gmail.com>> wrote:

> > Hello, > > So I will assume you are using the latest release of Volatility,

which

> means the 2.1 command reference will give you information about every > plugin we have: > > http://code.google.com/p/volatility/wiki/CommandReference21 > > The next thing I would do is run the handles plugin [1] and look for > any reference to the open file. You can filter with the -p option to > be only the TrueCrypt process that you found in pslist, but if you do > not see any encrypted container referenced there then you may want to > run it across all processes (the default) because we have seen where > files opened by drivers end up in other processes' handles (e.g. > SYSTEM). > > I think handles would be more helpful to determine if any files were > opened b/c it will show you exactly what truecrypt had open when the > machine hibernated. With filescan you would have to already know the > name of the encrypted container to see if it was ever opened. > > Also, MHL suggested using the symlink scan command [2] as this will > map drive letters to physical device paths. Here is some sample

output

> for the command: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan > Volatile Systems Volatility Framework 2.2_alpha > Offset(P) #Ptr #Hnd Creation time From > To > ------------------ ------ ------ ------------------------ > -------------------- > ------------------------------------------------------------ > 0x0000000007331840 1 0 2011-12-30 08:26:15 Global > \Global?? > 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: > \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup > 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: > \Device\Floppy0 > 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: > \Device\CdRom0 > 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: > \Device\HarddiskVolume2 > > And you can see, C: is mapped to HarddiskVolume2. From there you can > run handles and filter specifically to files opened on that device > like this: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File > | grep HarddiskVolume2 > Volatile Systems Volatility Framework 2.2_alpha > 0xfffffa800248e5a0 4 0x5c 0x12008b File > \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl > 0xfffffa800267f300 4 0xa4 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa800267b540 4 0xa8 0x12019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa8002671350 4 0xac 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge

<adam.bridge(a)yahoo.com <mailto:adam.bridge@yahoo.com>>

> wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

access of:

> > > > R--rwd > > > > and the other: > > > > R--r-d > > > > What should I be discerning from this? Why does one have a write > > permission > > that the other does not? > > > > And finally, pslist shows me that TrueCrypt.exe was started but

has no

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't

find a

> > helpful X to read. > > > > Thank you all, > > AB > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org

<mailto:Vol-users@volatilityfoundation.org>

> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Tom Yarrish

6:14 p.m.

You might also check looking for ShellBag artifacts. Tom On Thu, Aug 16, 2012 at 4:58 PM, Andre' M. DiMino <adimino(a)sempersecurus.org> wrote:

...

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a

PID of

4920. With handles --pid=4920 there was nothing useful - all very much

T/C stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume

file and

sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a

Process

TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478

Process

know it if

I saw it - especially if it had an innocent name like

"school_work.doc".

I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad

(which is

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks

and grep'd

as the T:

but that

left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com

<mailto:atcuno@gmail.com>> wrote:

> > Hello, > > So I will assume you are using the latest release of Volatility,

which

output

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa800267b540 4 0xa8 0x12019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa8002671350 4 0xac 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge

<adam.bridge(a)yahoo.com <mailto:adam.bridge@yahoo.com>>

> wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

access of:

has no

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't

find a

> > helpful X to read. > > > > Thank you all, > > AB > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org

<mailto:Vol-users@volatilityfoundation.org>

> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Jamie Levy

17 Aug 17 Aug

4:21 p.m.

Unfortunately these MRU keys won't give you the volume for the files contained in the TrueCrypt volume. You can see references to the TrueCrypt volume (for printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"), but you can't tell _for sure_ that that's what you're dealing with: REG_BINARY 23 : (S) 0x00000000 4c 00 6f 00 63 00 61 00 6c 00 20 00 44 00 69 00 L.o.c.a.l...D.i. 0x00000010 73 00 6b 00 20 00 28 00 54 00 3a 00 29 00 00 00 s.k...(.T.:.)... 0x00000020 5e 00 32 00 00 00 00 00 00 00 00 00 00 00 4c 6f ^.2...........Lo 0x00000030 63 61 6c 20 44 69 73 6b 20 28 54 29 2e 6c 6e 6b cal.Disk.(T).lnk 0x00000040 00 00 3c 00 03 00 04 00 ef be 00 00 00 00 00 00 ..<............. 0x00000050 00 00 14 00 00 00 4c 00 6f 00 63 00 61 00 6c 00 ......L.o.c.a.l. 0x00000060 20 00 44 00 69 00 73 00 6b 00 20 00 28 00 54 00 ..D.i.s.k...(.T. 0x00000070 29 00 2e 00 6c 00 6e 00 6b 00 00 00 22 00 00 00 )...l.n.k..."... REG_BINARY 24 : (S) 0x00000000 62 00 6c 00 61 00 68 00 20 00 62 00 6c 00 61 00 b.l.a.h...b.l.a. 0x00000010 68 00 2e 00 74 00 78 00 74 00 00 00 5a 00 32 00 h...t.x.t...Z.2. 0x00000020 00 00 00 00 00 00 00 00 00 00 62 6c 61 68 20 62 ..........blah.b 0x00000030 6c 61 68 2e 74 78 74 2e 6c 6e 6b 00 3a 00 03 00 lah.txt.lnk.:... 0x00000040 04 00 ef be 00 00 00 00 00 00 00 00 14 00 00 00 ................ 0x00000050 62 00 6c 00 61 00 68 00 20 00 62 00 6c 00 61 00 b.l.a.h...b.l.a. 0x00000060 68 00 2e 00 74 00 78 00 74 00 2e 00 6c 00 6e 00 h...t.x.t...l.n. 0x00000070 6b 00 00 00 20 00 00 00 k....... REG_BINARY 20 : (S) 0x00000000 70 00 6f 00 69 00 73 00 6f 00 6e 00 5f 00 69 00 p.o.i.s.o.n._.i. 0x00000010 76 00 79 00 2e 00 70 00 79 00 00 00 5a 00 32 00 v.y...p.y...Z.2. 0x00000020 00 00 00 00 00 00 00 00 00 00 70 6f 69 73 6f 6e ..........poison 0x00000030 5f 69 76 79 2e 70 79 2e 6c 6e 6b 00 3a 00 03 00 _ivy.py.lnk.:... 0x00000040 04 00 ef be 00 00 00 00 00 00 00 00 14 00 00 00 ................ 0x00000050 70 00 6f 00 69 00 73 00 6f 00 6e 00 5f 00 69 00 p.o.i.s.o.n._.i. 0x00000060 76 00 79 00 2e 00 70 00 79 00 2e 00 6c 00 6e 00 v.y...p.y...l.n. 0x00000070 6b 00 00 00 20 00 00 00 k....... for printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\folder": REG_BINARY 5 : (S) 0x00000000 4c 00 6f 00 63 00 61 00 6c 00 20 00 44 00 69 00 L.o.c.a.l...D.i. 0x00000010 73 00 6b 00 20 00 28 00 54 00 3a 00 29 00 00 00 s.k...(.T.:.)... 0x00000020 5e 00 32 00 00 00 00 00 00 00 00 00 00 00 4c 6f ^.2...........Lo 0x00000030 63 61 6c 20 44 69 73 6b 20 28 54 29 2e 6c 6e 6b cal.Disk.(T).lnk 0x00000040 00 00 3c 00 03 00 04 00 ef be 00 00 00 00 00 00 ..<............. 0x00000050 00 00 14 00 00 00 4c 00 6f 00 63 00 61 00 6c 00 ......L.o.c.a.l. 0x00000060 20 00 44 00 69 00 73 00 6b 00 20 00 28 00 54 00 ..D.i.s.k...(.T. 0x00000070 29 00 2e 00 6c 00 6e 00 6b 00 00 00 22 00 00 00 )...l.n.k..."... for printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt": REG_BINARY 2 : (S) 0x00000000 4e 00 65 00 77 00 20 00 54 00 65 00 78 00 74 00 N.e.w...T.e.x.t. 0x00000010 20 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 ..D.o.c.u.m.e.n. 0x00000020 74 00 2e 00 74 00 78 00 74 00 00 00 72 00 32 00 t...t.x.t...r.2. 0x00000030 00 00 00 00 00 00 00 00 00 00 4e 65 77 20 54 65 ..........New.Te 0x00000040 78 74 20 44 6f 63 75 6d 65 6e 74 2e 74 78 74 2e xt.Document.txt. 0x00000050 6c 6e 6b 00 4a 00 03 00 04 00 ef be 00 00 00 00 lnk.J........... 0x00000060 00 00 00 00 14 00 00 00 4e 00 65 00 77 00 20 00 ........N.e.w... 0x00000070 54 00 65 00 78 00 74 00 20 00 44 00 6f 00 63 00 T.e.x.t...D.o.c. 0x00000080 75 00 6d 00 65 00 6e 00 74 00 2e 00 74 00 78 00 u.m.e.n.t...t.x. 0x00000090 74 00 2e 00 6c 00 6e 00 6b 00 00 00 28 00 00 00 t...l.n.k...(... REG_BINARY 1 : (S) 0x00000000 62 00 6c 00 61 00 68 00 20 00 62 00 6c 00 61 00 b.l.a.h...b.l.a. 0x00000010 68 00 2e 00 74 00 78 00 74 00 00 00 5a 00 32 00 h...t.x.t...Z.2. 0x00000020 00 00 00 00 00 00 00 00 00 00 62 6c 61 68 20 62 ..........blah.b 0x00000030 6c 61 68 2e 74 78 74 2e 6c 6e 6b 00 3a 00 03 00 lah.txt.lnk.:... 0x00000040 04 00 ef be 00 00 00 00 00 00 00 00 14 00 00 00 ................ 0x00000050 62 00 6c 00 61 00 68 00 20 00 62 00 6c 00 61 00 b.l.a.h...b.l.a. 0x00000060 68 00 2e 00 74 00 78 00 74 00 2e 00 6c 00 6e 00 h...t.x.t...l.n. 0x00000070 6b 00 00 00 20 00 00 00 k....... Now if you had files from system disk, you could investigate the LNK files, prefetch files etc etc, but we're only looking at memory... Looking at other registry keys, you can see the volume loaded here (note: use the correct control set): printkey -K "software\microsoft\windows\controlset001\explorer\mountpoints2" [snip] REG_BINARY \??\Volume{77267a55-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 59 TrueCryptVolumeY REG_BINARY #{77267a56-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 59 TrueCryptVolumeY REG_BINARY \??\Volume{77267a57-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 54 TrueCryptVolumeT REG_BINARY \DosDevices\T: : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 54 TrueCryptVolumeT [snip] printkey -K "mounteddevices" (this is found in SYSTEM) [snip] REG_BINARY \??\Volume{77267a55-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 59 TrueCryptVolumeY REG_BINARY #{77267a56-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 59 TrueCryptVolumeY REG_BINARY \??\Volume{77267a57-e86e-11df-9f57-000c29b50598} : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 54 TrueCryptVolumeT REG_BINARY \DosDevices\T: : (S) 0x00000000 54 72 75 65 43 72 79 70 74 56 6f 6c 75 6d 65 54 TrueCryptVolumeT Writing an extremely crude (just enumerates all subkeys of the shellbags keys) shellbags plugin, I was also able to see the TrueCrypt volume at key (Software\Microsoft\Windows\Shell\Bags\Desktop\Desktop): 0650 34 00 11 41 DD 70 20 00 54 52 55 45 43 52 7E 31 4..A.p .TRUECR~1 0660 2E 45 58 45 00 00 48 00 03 00 04 00 EF BE 11 41 .EXE..H........A 0670 29 71 11 41 29 71 14 00 00 00 54 00 72 00 75 00 )q.A)q....T.r.u. 0680 65 00 43 00 72 00 79 00 70 00 74 00 20 00 53 00 e.C.r.y.p.t. .S. 0690 65 00 74 00 75 00 70 00 20 00 37 00 2E 00 31 00 e.t.u.p. .7...1. 06A0 61 00 2E 00 65 00 78 00 65 00 00 00 1C 00 45 05 a...e.x.e.....E. 06B0 00 00 C4 01 00 00 00 00 00 00 .......... So I guess it's time that I go ahead and write a full shellbags plugin... ;-) We can find the TrueCrypt bootloader even though this is not full disk encrypted. This is found in the lsass.exe memory space (used strings plugin to map back): 0fa3050: ea1e 7c00 0020 5472 7565 4372 7970 7420 ..|.. TrueCrypt 0fa3060: 426f 6f74 204c 6f61 6465 720d 0a00 fa33 Boot Loader....3 0fa3070: c08e d88e d0bc 007c fbf6 06b6 7d01 7507 .......|....}.u. 0fa3080: 8d36 057c e8dc 00b8 0090 813e 1304 6a02 .6.|.......>..j. 0fa3090: 7d0e b800 8081 3e13 042a 027d 03b8 0020 }.....>..*.}... 0fa30a0: 8ec0 32c0 bf00 01b9 ffa6 fcf3 aa8c c02d ..2............- 0fa30b0: 0008 8ec0 b102 b004 bb00 01e8 b400 6633 ..............f3 0fa30c0: dbbe 0001 b900 08e8 ba00 6653 bb00 0db1 ..........fS.... 0fa30d0: 06b0 39f6 0646 7d01 7404 b01a b124 e891 ..9..F}.t....$.. 0fa30e0: 0066 5bbe 000d 8b0e b07d e897 0066 3b1e .f[......}...f;. 0fa30f0: b27d 7425 f606 467d 0175 0ec6 0646 7d01 .}t%..F}.u...F}. 0fa3100: b120 f606 b77d 0275 ad8d 3655 7de8 5300 . ...}.u..6U}.S. 0fa3110: 8d36 057c e84c 00eb fe8c c08e d8fa 8ed0 .6.|.L.......... 0fa3120: bc00 80fb 5268 0a0d 6800 7a68 0081 0e68 ....Rh..h.zh...h 0fa3130: e77c 0668 0001 cb83 c406 5a0e 1f85 c074 .|.h......Z....t 0fa3140: 098d 3655 7de8 1b00 ebfe 8a36 b77d 8cc0 ..6U}......6.}.. 0fa3150: 0500 088e c08e d8fa 8ed0 bcfc a7fb 0668 ...............h 0fa3160: 0001 cb33 dbb4 0efc ac84 c074 04cd 10eb ...3.......t.... 0fa3170: f7c3 b500 b600 b402 cd13 7307 8d36 477d ..........s..6G} 0fa3180: e8e0 ffc3 1e06 1f66 33c0 fcac 6603 d866 .......f3...f..f 0fa3190: d1c3 e2f7 1fc3 0044 6973 6b20 6572 726f .......Disk erro 0fa31a0: 720d 0a07 0007 4c6f 6164 6572 2064 616d r.....Loader dam 0fa31b0: 6167 6564 2120 5573 6520 5265 7363 7565 aged! Use Rescue 0fa31c0: 2044 6973 6b3a 2052 6570 6169 7220 4f70 Disk: Repair Op 0fa31d0: 7469 6f6e 7320 3e20 5265 7374 6f72 6500 tions > Restore. 0fa31e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa31f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa3200: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa3210: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa3220: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa3230: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0fa3240: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U. We can also see what TrueCrypt exes were run: printkey -K "software\microsoft\windows\shellnoroam\muicache" [snip] REG_SZ C:\Documents and Settings\user\Desktop\TrueCrypt Setup 7.1a.exe : (S) TrueCrypt Setup REG_SZ C:\Program Files\TrueCrypt\TrueCrypt.exe : (S) TrueCrypt REG_SZ C:\Program Files\TrueCrypt\TrueCrypt Format.exe : (S) TrueCrypt Format shimcache | grep -i truecrypt [snip] Last Modified: 2012-08-17 14:06:57 , Lastupdate: 2012-08-17 14:09:24 , Path: \??\C:\Documents and Settings\user\Desktop\TrueCrypt Setup 7.1a.exe Last Modified: 2012-08-17 14:09:42 , Lastupdate: 2012-08-17 14:10:02 , Path: \??\C:\Program Files\TrueCrypt\TrueCrypt.exe Last Modified: 2012-08-17 14:09:43 , Lastupdate: 2012-08-17 14:10:12 , Path: \??\C:\Program Files\TrueCrypt\TrueCrypt Format.exe userassist - sadly there were no LNK files listed here for files clicked from within the volume: [snip] REG_BINARY UEME_RUNPATH:C:\Documents and Settings\user\Desktop\TrueCrypt Setup 7.1a.exe : ID: 3 Count: 1 Last updated: 2012-08-17 14:09:24 0x00000000 03 00 00 00 06 00 00 00 60 06 0c e8 81 7c cd 01 ........`....|.. REG_BINARY UEME_RUNPATH:TrueCrypt.lnk : ID: 3 Count: 1 Last updated: 2012-08-17 14:10:02 0x00000000 03 00 00 00 06 00 00 00 a0 96 84 fe 81 7c cd 01 .............|.. REG_BINARY UEME_RUNPATH:C:\Program Files\TrueCrypt\TrueCrypt.exe : ID: 3 Count: 1 Last updated: 2012-08-17 14:10:02 0x00000000 03 00 00 00 06 00 00 00 60 64 9c fe 81 7c cd 01 ........`d...|.. And of course the easiest: using filescan with the patch I've already posted to the list where files of interest are under \Device\TrueCryptVolumeT: filescan |grep -i truecrypt 0x01e59028 1 0 R--r-- \Device\TrueCryptVolumeT\poison_ivy.py 0x01ea0cf0 1 0 -W---- \Device\HarddiskVolume1\Documents and Settings\user\Cookies\user(a)www.truecrypt[1].txt 0x01f8b028 3 0 RWD--- \Device\TrueCryptVolumeT\$BitMap 0x01fc1c60 3 0 RWD--- \Device\TrueCryptVolumeT\$LogFile 0x01fe0478 1 0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\drivers\truecrypt.sys 0x02003028 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\user\Desktop\TrueCrypt Setup 7.1a.exe 0x02008b88 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\TrueCrypt.lnk 0x0204b208 1 0 R--rw- \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt.exe 0x020bc5e8 1 0 R--r-- \Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\TrueCrypt Website.url 0x020e1028 1 0 R--r-d \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt.exe 0x020e1c18 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\All Users\Desktop\TrueCrypt.lnk 0x021f1678 1 0 R--rwd \Device\TrueCryptVolumeT\blah blah.txt 0x0223a840 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\user\Application Data\TrueCrypt\Configuration.xml 0x022b78e0 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\Uninstall TrueCrypt.lnk 0x0233a2f0 1 0 R--r-d \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt Format.exe 0x0234ff90 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\user\Desktop\TrueCrypt Setup 7.1a.exe 0x0235ddd8 1 0 RW-r-- \Device\TrueCryptVolumeT\New Text Document.txt 0x02401490 1 0 R--rw- \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt Format.exe 0x02401490 1 0 R--rw- \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt Format.exe 0x0240c340 1 0 R--rw- \Device\HarddiskVolume1\Program Files\TrueCrypt\TrueCrypt Setup.exe 0x0241f998 2 1 RW---- \Device\HarddiskVolume1\Documents and Settings\user\Desktop\MyTrueCryptVolume 0x02479c98 3 0 RWD--- \Device\TrueCryptVolumeT\$Mft 0x024a6f00 3 0 RWD--- \Device\TrueCryptVolumeT\$Directory 0x024d9028 3 1 R--rwd \Device\TrueCryptVolumeT\ 0x024ec700 3 0 RWD--- \Device\TrueCryptVolumeT\$Mft 0x024f96c0 3 0 RWD--- \Device\TrueCryptVolumeT\$MftMirr You could possibly find these files in MFT entries in memory if 1) the volume was NTFS formatted and 2) the file was accessed sometime recently and the entry was not overwritten. The downside is that unless you know the file you're searching for ahead of time, you can't really associate it with the TrueCypt volume because there are no drive letters in FN and SI of MFT entries. You an also find filenames in INDX( entries, but again these also do not contain drive letters... These could lead you to the location of the TrueCrypt volume itself, however, if it should reside on the system somewhere (it is a file afterall). You might get lucky and find more information in $LogFile entries if they happen to be in memory, for example: 108cc000 [kernel:d1e1b000] RCRD( 108cc06e [kernel:d1e1b06e] +00 108cc074 [kernel:d1e1b074] /T:\ 108cc099 [kernel:d1e1b099] BLAHBL~1.TXT 108cc0bb [kernel:d1e1b0bb] blah blah.txt 108cc108 [kernel:d1e1b108] T:\blah blah.txt 108cc11c [kernel:d1e1b11c] T:\` I'm sure there's like a million other things you can do and it looks like anyway the original poster found a solution on his own. I just thought I'd post the things I found today and maybe someone else will be so inclined to add more just for fun ;-) All the best, -gleeda On Thu, Aug 16, 2012 at 5:58 PM, Andre' M. DiMino <adimino(a)sempersecurus.org> wrote:

...

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a

PID of

4920. With handles --pid=4920 there was nothing useful - all very much

T/C stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume

file and

sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a

Process

TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478

Process

know it if

I saw it - especially if it had an innocent name like

"school_work.doc".

I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad

(which is

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks

and grep'd

as the T:

but that

left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com

<mailto:atcuno@gmail.com>> wrote:

> > Hello, > > So I will assume you are using the latest release of Volatility,

which

output

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa800267b540 4 0xa8 0x12019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa8002671350 4 0xac 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge

<adam.bridge(a)yahoo.com <mailto:adam.bridge@yahoo.com>>

> wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

access of:

has no

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't

find a

> > helpful X to read. > > > > Thank you all, > > AB > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org

<mailto:Vol-users@volatilityfoundation.org>

> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

Andre' M. DiMino

18 Aug 18 Aug

12:02 p.m.

Awesome overview Jamie. Thank you very much! Andre' M. DiMino DeepEnd Research http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV) On 08/17/2012 04:21 PM, Jamie Levy wrote:

...

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a

PID of

4920. With handles --pid=4920 there was nothing useful - all very much

T/C stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume

file and

sure enough I could see it: Offset(V) Pid Handle Access Type Details ------------------ ------ ------------------ ------------------ ---------------- ------- 0xfffffa8002193b30 4 0x269c 0x2a

Process

TrueCrypt.exe(4920) 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume # Here! 0xfffffa8002193b30 796 0x6c0 0x1fffff

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 836 0xc28 0x1478

Process

TrueCrypt.exe(4920) 0xfffffa8002193b30 1144 0xd4c 0x1478

Process

know it if

I saw it - especially if it had an innocent name like

"school_work.doc".

I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad

(which is

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks

and grep'd

as the T:

but that

left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com

<mailto:atcuno@gmail.com>> wrote:

> > Hello, > > So I will assume you are using the latest release of Volatility,

which

output

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa800267b540 4 0xa8 0x12019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa8002671350 4 0xac 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge

<adam.bridge(a)yahoo.com <mailto:adam.bridge@yahoo.com>>

> wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

access of:

has no

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't

find a

> > helpful X to read. > > > > Thank you all, > > AB > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org

<mailto:Vol-users@volatilityfoundation.org>

> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Michael Hale Ligh

16 Aug 16 Aug

6:55 p.m.

Adam, Shouldn't you be looking for references to \Device\TrueCryptVolumeT\ instead of (or at least in addition to) \Device\HarddiskVolume10\MyTrueCryptVolume? The TrueCryptVolumeT location is what's actually mapped at T: as shown by symlinkscan. The fact that MyTrueCryptTextFile.txt doesn't show up in the notepad.exe handles output is normal. Basically what notepad does is opens the file, maps it into memory, displays the contents in the GUI, then closes handle (so as not to needlessly consume handles when they're not being used). Thus by the time you acquire memory, the handle is already closed. When you modify the text file and click Save, the process re-opens a handle, flushes the changes, and closes the handle again. If you want to test that, use Process Monitor and set up a filter for notepad.exe. Then open your MyTrueCryptTextFile.txt file and review the APIs being called. You'll see CreateFile followed by CreateFileMapping, and finally CloseHandle. This probably varies per application (for example maybe Microsoft Word always retains an open handle to the document being modified). MHL On Thu, Aug 16, 2012 at 5:24 PM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:

...

stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume file

and

it if

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and

grep'd

that

left me with ~130 files and without knowing the file name how would I identify it? Thanks again for all the suggestions so far! On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> wrote: > > Hello, > > So I will assume you are using the latest release of Volatility, which > means the 2.1 command reference will give you information about every > plugin we have: > > http://code.google.com/p/volatility/wiki/CommandReference21 > > The next thing I would do is run the handles plugin [1] and look for > any reference to the open file. You can filter with the -p option to > be only the TrueCrypt process that you found in pslist, but if you do > not see any encrypted container referenced there then you may want to > run it across all processes (the default) because we have seen where > files opened by drivers end up in other processes' handles (e.g. > SYSTEM). > > I think handles would be more helpful to determine if any files were > opened b/c it will show you exactly what truecrypt had open when the > machine hibernated. With filescan you would have to already know the > name of the encrypted container to see if it was ever opened. > > Also, MHL suggested using the symlink scan command [2] as this will > map drive letters to physical device paths. Here is some sample output > for the command: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan > Volatile Systems Volatility Framework 2.2_alpha > Offset(P) #Ptr #Hnd Creation time From > To > ------------------ ------ ------ ------------------------ > -------------------- > ------------------------------------------------------------ > 0x0000000007331840 1 0 2011-12-30 08:26:15 Global > \Global?? > 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: > \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup > 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: > \Device\Floppy0 > 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: > \Device\CdRom0 > 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: > \Device\HarddiskVolume2 > > And you can see, C: is mapped to HarddiskVolume2. From there you can > run handles and filter specifically to files opened on that device > like this: > > $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File > | grep HarddiskVolume2 > Volatile Systems Volatility Framework 2.2_alpha > 0xfffffa800248e5a0 4 0x5c 0x12008b File > \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl > 0xfffffa800267f300 4 0xa4 0x13019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa800267b540 4 0xa8 0x12019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa8002671350 4 0xac 0x13019f File > > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> > wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

of:

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't find

> helpful X to read. > > Thank you all, > AB > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Adam Bridge

17 Aug 17 Aug

3:33 a.m.

Thanks again for all the comments all. I assume people are suggesting Registry keys such as shellbags and MRUs to look for file from the T:? That might give me some clue as to usage. My primary goal here is to identify the file which is the TC volume. @MHL You're absolutely right - the focus should be on \Device\TrueCryptVolumeT as I really only know bout \Device\HarddiskVolume10 because I "cheatingly" know the name of the TC volume (MyTrueCryptVolume). In my real case, I don't know the name. The problem I've got is that I've run into a bit of a dead end with \Device\TrueCryptVolumeT with respect to identifying the file behind it. Adam On Thu, Aug 16, 2012 at 11:55 PM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:

...

Thanks so much for the email - extremely useful already. I'm taking notes so that I can do my best at writing it up at the end. So, with pslist I found one instance of TrueCrypt.exe which had a PID

4920. With handles --pid=4920 there was nothing useful - all very much T/C

stuff.

So I did handles without the --pid. Now, with my test data I of course know the name of the T/C volume

file and

it if

I saw it - especially if it had an innocent name like

"school_work.doc".

I now know my T/C volume is mounted as T: I notice that there are 2 PIDs accessing the T: Look them up in the plist data and they're explorer and notepad (which

correct, I'd opened a txt file from the T/C volume). So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and

grep'd

the T:

that

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa800267b540 4 0xa8 0x12019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa8002671350 4 0xac 0x13019f File > >

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

> 0xfffffa80026794e0 4 0xb0 0x12019f File > >

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

http://code.google.com/p/volatility/wiki/CommandReference21#handles

> [2] >

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

> > > > > .... > > On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> > wrote: > > Hello All, > > > > I'm new to Volatility but am a reasonably experienced forensic

examiner.

> > > > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am

trying to

> > determine whether a TrueCrypt volume was mounted and, for bonus

points,

mounted

> > as > > the G drive or there _WAS_ a TrueCrypt volume mounted as the G

drive, or

access of:

> > exit > > time. > > > > I'm just not really sure where to go next? > > Can anybody suggest anything? > > > > More than happy for someone to tell me to go read X! Just can't

find a

> > helpful X to read. > > > > Thank you all, > > AB > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Adam Bridge

8:22 a.m.

Today I've been able to work on the actual case rather than my test case. I've mainly been making use of handles and symlinkscan. Again, my goal is to try and find the "file" which is the TC volume. I've put my rough notes here: http://bridgey.co.uk/vty-tc.txt.html If I'm actually successful I shall write them up with a more tutorial-like approach. I'm pretty much at a point where I'm saying the TC volume is either the entire attached Seagate device or at least a file on that device. If the latter, I have no idea which file! Any comments, suggestions, flames or mother-based insults welcome! On Fri, Aug 17, 2012 at 8:33 AM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:

...

Are there any files (from handles output) that are on \Device\HarddiskVolume10 ? In your output this is the location of the TrueCrypt volume. If they double clicked a document or something from that volume, an entry for its LNK file might show up in the UserAssist key, you can run the userassist plugin just to see what shows up in there. On Thu, Aug 16, 2012 at 4:28 PM, Adam Bridge <adam.bridge(a)yahoo.com> wrote: > Thanks so much for the email - extremely useful already. > I'm taking notes so that I can do my best at writing it up at the end. > > So, with pslist I found one instance of TrueCrypt.exe which had a PID of > 4920. > > With handles --pid=4920 there was nothing useful - all very much T/C stuff. > So I did handles without the --pid. > Now, with my test data I of course know the name of the T/C volume file and > sure enough I could see it: > > Offset(V) Pid Handle Access Type > Details > ------------------ ------ ------------------ ------------------ > ---------------- ------- > 0xfffffa8002193b30 4 0x269c 0x2a Process > TrueCrypt.exe(4920) > 0xfffffa80021a63c0 4 0x2a1c 0x12019f File > \Device\HarddiskVolume10\MyTrueCryptVolume # Here! > 0xfffffa8002193b30 796 0x6c0 0x1fffff Process > TrueCrypt.exe(4920) > 0xfffffa8002193b30 836 0xc28 0x1478 Process > TrueCrypt.exe(4920) > 0xfffffa8002193b30 1144 0xd4c 0x1478 Process > TrueCrypt.exe(4920) > 0xfffffa8001b4f070 2700 0x1084 0x100081 File > \Device\TrueCryptVolumeT\ > 0xfffffa8002c7d1c0 2700 0x1118 0x100081 File > \Device\TrueCryptVolumeT\ > 0xfffffa8001e51f20 4920 0x324 0x100080 File > \Device\TrueCrypt > 0xfffffa80038e4680 4920 0x330 0x1f0001 Mutant > TrueCryptTaskBarIcon > 0xfffffa8004d5a8d0 3384 0xc 0x100020 File > \Device\TrueCryptVolumeT\ > > In my real case I don't know the name of the file - so I wouldn't know it if > I saw it - especially if it had an innocent name like "school_work.doc". > > I now know my T/C volume is mounted as T: > I notice that there are 2 PIDs accessing the T: > Look them up in the plist data and they're explorer and notepad (which is > correct, I'd opened a txt file from the T/C volume). > > So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and grep'd > for TrueCrypt: > > > Offset(P) #Ptr #Hnd Creation time From > To > ------------------ ------ ------ ------------------------ > -------------------- > ------------------------------------------------------------ > 0x0000000026b33c80 1 0 2012-08-16 19:12:51 > Volume{3d...10a7e8a} \Device\TrueCryptVolumeT > 0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt > \Device\TrueCrypt > 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: > \Device\TrueCryptVolumeT > 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: > \Device\TrueCryptVolumeT > > So, definitely T: then. > > So I know there's a T/C volume mounted, I know that it's mounted as the T: > and I know that explorer and notepad have both got handles to it. > I've got one last hurdle to clear: how do I find out the file which is > behind \Device\TrueCryptVolumeT? > > I filtered handles for File objects from \Device\HarddiskVolume* but that > left me with ~130 files and without knowing the file name how would I > identify it? > > Thanks again for all the suggestions so far! > > > On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> wrote: >> >> Hello, >> >> So I will assume you are using the latest release of Volatility, which >> means the 2.1 command reference will give you information about every >> plugin we have: >> >> http://code.google.com/p/volatility/wiki/CommandReference21 >> >> The next thing I would do is run the handles plugin [1] and look for >> any reference to the open file. You can filter with the -p option to >> be only the TrueCrypt process that you found in pslist, but if you do >> not see any encrypted container referenced there then you may want to >> run it across all processes (the default) because we have seen where >> files opened by drivers end up in other processes' handles (e.g. >> SYSTEM). >> >> I think handles would be more helpful to determine if any files were >> opened b/c it will show you exactly what truecrypt had open when the >> machine hibernated. With filescan you would have to already know the >> name of the encrypted container to see if it was ever opened. >> >> Also, MHL suggested using the symlink scan command [2] as this will >> map drive letters to physical device paths. Here is some sample output >> for the command: >> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan >> Volatile Systems Volatility Framework 2.2_alpha >> Offset(P) #Ptr #Hnd Creation time From >> To >> ------------------ ------ ------ ------------------------ >> -------------------- >> ------------------------------------------------------------ >> 0x0000000007331840 1 0 2011-12-30 08:26:15 Global >> \Global?? >> 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: >> \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup >> 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: >> \Device\Floppy0 >> 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: >> \Device\CdRom0 >> 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: >> \Device\HarddiskVolume2 >> >> And you can see, C: is mapped to HarddiskVolume2. From there you can >> run handles and filter specifically to files opened on that device >> like this: >> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t File >> | grep HarddiskVolume2 >> Volatile Systems Volatility Framework 2.2_alpha >> 0xfffffa800248e5a0 4 0x5c 0x12008b File >> \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl >> 0xfffffa800267f300 4 0xa4 0x13019f File >> >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog >> 0xfffffa800267b540 4 0xa8 0x12019f File >> >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog >> 0xfffffa8002671350 4 0xac 0x13019f File >> >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog >> 0xfffffa80026794e0 4 0xb0 0x12019f File >> >> \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 >> 0xfffffa8002679c30 4 0xb4 0x1 File >> \Device\HarddiskVolume2 >> >> >> If the combination of handles and symlinkscan does not answer your >> question please write back. Also, it would be interesting if you >> documented your process through this (assuming you can), as I am sure >> many other people will encounter this situation. >> >> >> [1] http://code.google.com/p/volatility/wiki/CommandReference21#handles >> [2] >> http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan >> >> >> >> >> .... >> >> On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> >> wrote: >> > Hello All, >> > >> > I'm new to Volatility but am a reasonably experienced forensic examiner. >> > >> > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to >> > determine whether a TrueCrypt volume was mounted and, for bonus points, >> > the >> > path to the TrueCrypt volume file. >> > >> > I've used devicetree and found: >> > >> > DRV 0x23ea15de0 \Driver\truecrypt >> > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK >> > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN >> > >> > So a good start. >> > >> > Question: Does that tell me that there _IS_ a TrueCrypt volume mounted >> > as >> > the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or >> > that there's no way of knowing one way or the other? >> > >> > filescan shows two entries for \TrueCrypt.exe. The only difference >> > between >> > the two (besides a slight difference in #Ptr) is that one has access of: >> > >> > R--rwd >> > >> > and the other: >> > >> > R--r-d >> > >> > What should I be discerning from this? Why does one have a write >> > permission >> > that the other does not? >> > >> > And finally, pslist shows me that TrueCrypt.exe was started but has no >> > exit >> > time. >> > >> > I'm just not really sure where to go next? >> > Can anybody suggest anything? >> > >> > More than happy for someone to tell me to go read X! Just can't find a >> > helpful X to read. >> > >> > Thank you all, >> > AB >> > >> > _______________________________________________ >> > Vol-users mailing list >> > Vol-users(a)volatilityfoundation.org >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > > > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Jamie Levy

10:45 a.m.

Try this filescan patch and see if it helps: http://code.google.com/p/volatility/issues/detail?id=325 On Fri, Aug 17, 2012 at 8:22 AM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:

...

The only references to HarddiskVolume10 in the handles output are: 0xfffffa80021a63c0 4 0x2a1c 0x12019f File \Device\HarddiskVolume10\MyTrueCryptVolume 0xfffffa8003992420 2700 0xba8 0x100081 File \Device\HarddiskVolume10\ 0xfffffa8004672940 2700 0xd3c 0x100081 File \Device\HarddiskVolume10\ PID 4 being SYSTEM and 2700 being explorer. I'm assuming you only knew it was HarddiskVolume10 because of 'MyTrueCryptVolume'? In my real case, I don't know the name of the T/C volume. Great thinking about userassist. In my test case I did indeed double-click a txt file (MyTrueCryptTextFile.txt) which was within the T/C volume but sadly it doesn't appear in the userassist output (entirely unrelated to this T/C stuff, it's fascinating what does tho!) Interestingly, the txt file also doesn't appear in the handles output - even though it was open at the time I captured the memory?! (On the test system it is in the Notepad jump list.) Thanks so much for the comments all - I'm learning so much - it's awesome! On Thu, Aug 16, 2012 at 10:10 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote: > > Are there any files (from handles output) that are on > \Device\HarddiskVolume10 ? In your output this is the location of the > TrueCrypt volume. > > If they double clicked a document or something from that volume, an > entry for its LNK file might show up in the UserAssist key, you can > run the userassist plugin just to see what shows up in there. > > > > On Thu, Aug 16, 2012 at 4:28 PM, Adam Bridge <adam.bridge(a)yahoo.com> > wrote: > > Thanks so much for the email - extremely useful already. > > I'm taking notes so that I can do my best at writing it up at the > > end. > > > > So, with pslist I found one instance of TrueCrypt.exe which had a PID > > of > > 4920. > > > > With handles --pid=4920 there was nothing useful - all very much T/C > > stuff. > > So I did handles without the --pid. > > Now, with my test data I of course know the name of the T/C volume > > file and > > sure enough I could see it: > > > > Offset(V) Pid Handle Access Type > > Details > > ------------------ ------ ------------------ ------------------ > > ---------------- ------- > > 0xfffffa8002193b30 4 0x269c 0x2a > > Process > > TrueCrypt.exe(4920) > > 0xfffffa80021a63c0 4 0x2a1c 0x12019f File > > \Device\HarddiskVolume10\MyTrueCryptVolume # Here! > > 0xfffffa8002193b30 796 0x6c0 0x1fffff > > Process > > TrueCrypt.exe(4920) > > 0xfffffa8002193b30 836 0xc28 0x1478 > > Process > > TrueCrypt.exe(4920) > > 0xfffffa8002193b30 1144 0xd4c 0x1478 > > Process > > TrueCrypt.exe(4920) > > 0xfffffa8001b4f070 2700 0x1084 0x100081 File > > \Device\TrueCryptVolumeT\ > > 0xfffffa8002c7d1c0 2700 0x1118 0x100081 File > > \Device\TrueCryptVolumeT\ > > 0xfffffa8001e51f20 4920 0x324 0x100080 File > > \Device\TrueCrypt > > 0xfffffa80038e4680 4920 0x330 0x1f0001 > > Mutant > > TrueCryptTaskBarIcon > > 0xfffffa8004d5a8d0 3384 0xc 0x100020 File > > \Device\TrueCryptVolumeT\ > > > > In my real case I don't know the name of the file - so I wouldn't > > know it if > > I saw it - especially if it had an innocent name like > > "school_work.doc". > > > > I now know my T/C volume is mounted as T: > > I notice that there are 2 PIDs accessing the T: > > Look them up in the plist data and they're explorer and notepad > > (which is > > correct, I'd opened a txt file from the T/C volume). > > > > So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks and > > grep'd > > for TrueCrypt: > > > > > > Offset(P) #Ptr #Hnd Creation time From > > To > > ------------------ ------ ------ ------------------------ > > -------------------- > > ------------------------------------------------------------ > > 0x0000000026b33c80 1 0 2012-08-16 19:12:51 > > Volume{3d...10a7e8a} \Device\TrueCryptVolumeT > > 0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt > > \Device\TrueCrypt > > 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: > > \Device\TrueCryptVolumeT > > 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: > > \Device\TrueCryptVolumeT > > > > So, definitely T: then. > > > > So I know there's a T/C volume mounted, I know that it's mounted as > > the T: > > and I know that explorer and notepad have both got handles to it. > > I've got one last hurdle to clear: how do I find out the file which > > is > > behind \Device\TrueCryptVolumeT? > > > > I filtered handles for File objects from \Device\HarddiskVolume* but > > that > > left me with ~130 files and without knowing the file name how would I > > identify it? > > > > Thanks again for all the suggestions so far! > > > > > > On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> > > wrote: > >> > >> Hello, > >> > >> So I will assume you are using the latest release of Volatility, > >> which > >> means the 2.1 command reference will give you information about > >> every > >> plugin we have: > >> > >> http://code.google.com/p/volatility/wiki/CommandReference21 > >> > >> The next thing I would do is run the handles plugin [1] and look for > >> any reference to the open file. You can filter with the -p option to > >> be only the TrueCrypt process that you found in pslist, but if you > >> do > >> not see any encrypted container referenced there then you may want > >> to > >> run it across all processes (the default) because we have seen where > >> files opened by drivers end up in other processes' handles (e.g. > >> SYSTEM). > >> > >> I think handles would be more helpful to determine if any files were > >> opened b/c it will show you exactly what truecrypt had open when the > >> machine hibernated. With filescan you would have to already know the > >> name of the encrypted container to see if it was ever opened. > >> > >> Also, MHL suggested using the symlink scan command [2] as this will > >> map drive letters to physical device paths. Here is some sample > >> output > >> for the command: > >> > >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan > >> Volatile Systems Volatility Framework 2.2_alpha > >> Offset(P) #Ptr #Hnd Creation time From > >> To > >> ------------------ ------ ------ ------------------------ > >> -------------------- > >> ------------------------------------------------------------ > >> 0x0000000007331840 1 0 2011-12-30 08:26:15 Global > >> \Global?? > >> 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: > >> \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup > >> 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: > >> \Device\Floppy0 > >> 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: > >> \Device\CdRom0 > >> 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: > >> \Device\HarddiskVolume2 > >> > >> And you can see, C: is mapped to HarddiskVolume2. From there you can > >> run handles and filter specifically to files opened on that device > >> like this: > >> > >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t > >> File > >> | grep HarddiskVolume2 > >> Volatile Systems Volatility Framework 2.2_alpha > >> 0xfffffa800248e5a0 4 0x5c 0x12008b File > >> \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl > >> 0xfffffa800267f300 4 0xa4 0x13019f File > >> > >> > >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> 0xfffffa800267b540 4 0xa8 0x12019f File > >> > >> > >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> 0xfffffa8002671350 4 0xac 0x13019f File > >> > >> > >> \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> 0xfffffa80026794e0 4 0xb0 0x12019f File > >> > >> > >> \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 > >> 0xfffffa8002679c30 4 0xb4 0x1 File > >> \Device\HarddiskVolume2 > >> > >> > >> If the combination of handles and symlinkscan does not answer your > >> question please write back. Also, it would be interesting if you > >> documented your process through this (assuming you can), as I am > >> sure > >> many other people will encounter this situation. > >> > >> > >> [1] > >> http://code.google.com/p/volatility/wiki/CommandReference21#handles > >> [2] > >> > >> http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan > >> > >> > >> > >> > >> .... > >> > >> On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge <adam.bridge(a)yahoo.com> > >> wrote: > >> > Hello All, > >> > > >> > I'm new to Volatility but am a reasonably experienced forensic > >> > examiner. > >> > > >> > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am > >> > trying to > >> > determine whether a TrueCrypt volume was mounted and, for bonus > >> > points, > >> > the > >> > path to the TrueCrypt volume file. > >> > > >> > I've used devicetree and found: > >> > > >> > DRV 0x23ea15de0 \Driver\truecrypt > >> > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK > >> > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN > >> > > >> > So a good start. > >> > > >> > Question: Does that tell me that there _IS_ a TrueCrypt volume > >> > mounted > >> > as > >> > the G drive or there _WAS_ a TrueCrypt volume mounted as the G > >> > drive, or > >> > that there's no way of knowing one way or the other? > >> > > >> > filescan shows two entries for \TrueCrypt.exe. The only difference > >> > between > >> > the two (besides a slight difference in #Ptr) is that one has > >> > access of: > >> > > >> > R--rwd > >> > > >> > and the other: > >> > > >> > R--r-d > >> > > >> > What should I be discerning from this? Why does one have a write > >> > permission > >> > that the other does not? > >> > > >> > And finally, pslist shows me that TrueCrypt.exe was started but > >> > has no > >> > exit > >> > time. > >> > > >> > I'm just not really sure where to go next? > >> > Can anybody suggest anything? > >> > > >> > More than happy for someone to tell me to go read X! Just can't > >> > find a > >> > helpful X to read. > >> > > >> > Thank you all, > >> > AB > >> > > >> > _______________________________________________ > >> > Vol-users mailing list > >> > Vol-users(a)volatilityfoundation.org > >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> > > > > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > > > > -- > PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

Adam Bridge

11:06 a.m.

Ok, I'm delighted to say that I've solved it! I was able to work with the list of File objects from handles --pid=4 and really narrow it down to one likely file on a particular device. Went and dug that device out of the store and voila, there was the file and it is indeed a TC volume. Chuffed to bits. Thanks everyone for your help. I shall do my best to write it up over the weekend and post it on the web somewhere. Thanks again! On Fri, Aug 17, 2012 at 3:45 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:

...

Try this filescan patch and see if it helps: http://code.google.com/p/volatility/issues/detail?id=325 On Fri, Aug 17, 2012 at 8:22 AM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:

tutorial-like

approach. I'm pretty much at a point where I'm saying the TC volume is either the entire attached Seagate device or at least a file on that device. If the latter, I have no idea which file! Any comments, suggestions, flames or mother-based insults welcome! On Fri, Aug 17, 2012 at 8:33 AM, Adam Bridge <adam.bridge(a)yahoo.com>

wrote:

> > Thanks again for all the comments all. I assume people are suggesting > Registry keys such as shellbags and MRUs to look for file from the T:?

That

> might give me some clue as to usage. > My primary goal here is to identify the file which is the TC volume. > > @MHL > You're absolutely right - the focus should be on

\Device\TrueCryptVolumeT

> as I really only know bout \Device\HarddiskVolume10 because I

"cheatingly"

> know the name of the TC volume (MyTrueCryptVolume). > In my real case, I don't know the name. The problem I've got is that

I've

> run into a bit of a dead end with \Device\TrueCryptVolumeT with respect

> identifying the file behind it. > > Adam > > > On Thu, Aug 16, 2012 at 11:55 PM, Michael Hale Ligh > <michael.hale(a)gmail.com> wrote: >> >> Adam, >> >> Shouldn't you be looking for references to \Device\TrueCryptVolumeT\ >> instead of (or at least in addition to) >> \Device\HarddiskVolume10\MyTrueCryptVolume? The TrueCryptVolumeT

location is

>> what's actually mapped at T: as shown by symlinkscan. >> >> The fact that MyTrueCryptTextFile.txt doesn't show up in the

notepad.exe

>> handles output is normal. Basically what notepad does is opens the

file,

>> maps it into memory, displays the contents in the GUI, then closes

handle

>> (so as not to needlessly consume handles when they're not being used).

Thus

>> by the time you acquire memory, the handle is already closed. When you >> modify the text file and click Save, the process re-opens a handle,

flushes

>> the changes, and closes the handle again. >> >> If you want to test that, use Process Monitor and set up a filter for >> notepad.exe. Then open your MyTrueCryptTextFile.txt file and review

the APIs

>> being called. You'll see CreateFile followed by CreateFileMapping, and >> finally CloseHandle. This probably varies per application (for example

maybe

>> Microsoft Word always retains an open handle to the document being >> modified). >> >> MHL >> >> On Thu, Aug 16, 2012 at 5:24 PM, Adam Bridge <adam.bridge(a)yahoo.com> >> wrote: >>> >>> The only references to HarddiskVolume10 in the handles output are: >>> >>> 0xfffffa80021a63c0 4 0x2a1c 0x12019f File >>> \Device\HarddiskVolume10\MyTrueCryptVolume >>> 0xfffffa8003992420 2700 0xba8 0x100081 File >>> \Device\HarddiskVolume10\ >>> 0xfffffa8004672940 2700 0xd3c 0x100081 File >>> \Device\HarddiskVolume10\ >>> >>> PID 4 being SYSTEM and 2700 being explorer. I'm assuming you only knew >>> it was HarddiskVolume10 because of 'MyTrueCryptVolume'? >>> In my real case, I don't know the name of the T/C volume. >>> >>> Great thinking about userassist. In my test case I did indeed >>> double-click a txt file (MyTrueCryptTextFile.txt) which was within

the T/C

>>> volume but sadly it doesn't appear in the userassist output (entirely >>> unrelated to this T/C stuff, it's fascinating what does tho!)

Interestingly,

>>> the txt file also doesn't appear in the handles output - even though

it was

>>> open at the time I captured the memory?! (On the test system it is in

the

>>> Notepad jump list.) >>> >>> Thanks so much for the comments all - I'm learning so much - it's >>> awesome! >>> >>> On Thu, Aug 16, 2012 at 10:10 PM, Jamie Levy <jamie.levy(a)gmail.com> >>> wrote: >>>> >>>> Are there any files (from handles output) that are on >>>> \Device\HarddiskVolume10 ? In your output this is the location of

the

>>>> TrueCrypt volume. >>>> >>>> If they double clicked a document or something from that volume, an >>>> entry for its LNK file might show up in the UserAssist key, you can >>>> run the userassist plugin just to see what shows up in there. >>>> >>>> >>>> >>>> On Thu, Aug 16, 2012 at 4:28 PM, Adam Bridge <adam.bridge(a)yahoo.com> >>>> wrote: >>>> > Thanks so much for the email - extremely useful already. >>>> > I'm taking notes so that I can do my best at writing it up at the >>>> > end. >>>> > >>>> > So, with pslist I found one instance of TrueCrypt.exe which had a

PID

>>>> > of >>>> > 4920. >>>> > >>>> > With handles --pid=4920 there was nothing useful - all very much

T/C

>>>> > stuff. >>>> > So I did handles without the --pid. >>>> > Now, with my test data I of course know the name of the T/C volume >>>> > file and >>>> > sure enough I could see it: >>>> > >>>> > Offset(V) Pid Handle Access

Type

>>>> > Details >>>> > ------------------ ------ ------------------ ------------------ >>>> > ---------------- ------- >>>> > 0xfffffa8002193b30 4 0x269c 0x2a >>>> > Process >>>> > TrueCrypt.exe(4920) >>>> > 0xfffffa80021a63c0 4 0x2a1c 0x12019f

File

>>>> > \Device\HarddiskVolume10\MyTrueCryptVolume # Here! >>>> > 0xfffffa8002193b30 796 0x6c0 0x1fffff >>>> > Process >>>> > TrueCrypt.exe(4920) >>>> > 0xfffffa8002193b30 836 0xc28 0x1478 >>>> > Process >>>> > TrueCrypt.exe(4920) >>>> > 0xfffffa8002193b30 1144 0xd4c 0x1478 >>>> > Process >>>> > TrueCrypt.exe(4920) >>>> > 0xfffffa8001b4f070 2700 0x1084 0x100081

File

>>>> > \Device\TrueCryptVolumeT\ >>>> > 0xfffffa8002c7d1c0 2700 0x1118 0x100081

File

>>>> > \Device\TrueCryptVolumeT\ >>>> > 0xfffffa8001e51f20 4920 0x324 0x100080

File

>>>> > \Device\TrueCrypt >>>> > 0xfffffa80038e4680 4920 0x330 0x1f0001 >>>> > Mutant >>>> > TrueCryptTaskBarIcon >>>> > 0xfffffa8004d5a8d0 3384 0xc 0x100020

File

>>>> > \Device\TrueCryptVolumeT\ >>>> > >>>> > In my real case I don't know the name of the file - so I wouldn't >>>> > know it if >>>> > I saw it - especially if it had an innocent name like >>>> > "school_work.doc". >>>> > >>>> > I now know my T/C volume is mounted as T: >>>> > I notice that there are 2 PIDs accessing the T: >>>> > Look them up in the plist data and they're explorer and notepad >>>> > (which is >>>> > correct, I'd opened a txt file from the T/C volume). >>>> > >>>> > So, pretending I hadn't seen 'MyTrueCryptVolume' I tried symlinks

and

>>>> > grep'd >>>> > for TrueCrypt: >>>> > >>>> > >>>> > Offset(P) #Ptr #Hnd Creation time From >>>> > To >>>> > ------------------ ------ ------ ------------------------ >>>> > -------------------- >>>> > ------------------------------------------------------------ >>>> > 0x0000000026b33c80 1 0 2012-08-16 19:12:51 >>>> > Volume{3d...10a7e8a} \Device\TrueCryptVolumeT >>>> > 0x0000000037f51b10 1 0 2012-08-16 18:14:48 TrueCrypt >>>> > \Device\TrueCrypt >>>> > 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: >>>> > \Device\TrueCryptVolumeT >>>> > 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: >>>> > \Device\TrueCryptVolumeT >>>> > >>>> > So, definitely T: then. >>>> > >>>> > So I know there's a T/C volume mounted, I know that it's mounted as >>>> > the T: >>>> > and I know that explorer and notepad have both got handles to it. >>>> > I've got one last hurdle to clear: how do I find out the file which >>>> > is >>>> > behind \Device\TrueCryptVolumeT? >>>> > >>>> > I filtered handles for File objects from \Device\HarddiskVolume*

but

>>>> > that >>>> > left me with ~130 files and without knowing the file name how

would I

>>>> > identify it? >>>> > >>>> > Thanks again for all the suggestions so far! >>>> > >>>> > >>>> > On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> >>>> > wrote: >>>> >> >>>> >> Hello, >>>> >> >>>> >> So I will assume you are using the latest release of Volatility, >>>> >> which >>>> >> means the 2.1 command reference will give you information about >>>> >> every >>>> >> plugin we have: >>>> >> >>>> >> http://code.google.com/p/volatility/wiki/CommandReference21 >>>> >> >>>> >> The next thing I would do is run the handles plugin [1] and look

for

>>>> >> any reference to the open file. You can filter with the -p option

>>>> >> be only the TrueCrypt process that you found in pslist, but if you >>>> >> do >>>> >> not see any encrypted container referenced there then you may want >>>> >> to >>>> >> run it across all processes (the default) because we have seen

where

>>>> >> files opened by drivers end up in other processes' handles (e.g. >>>> >> SYSTEM). >>>> >> >>>> >> I think handles would be more helpful to determine if any files

were

>>>> >> opened b/c it will show you exactly what truecrypt had open when

the

>>>> >> machine hibernated. With filescan you would have to already know

the

>>>> >> name of the encrypted container to see if it was ever opened. >>>> >> >>>> >> Also, MHL suggested using the symlink scan command [2] as this

will

>>>> >> map drive letters to physical device paths. Here is some sample >>>> >> output >>>> >> for the command: >>>> >> >>>> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 symlinkscan >>>> >> Volatile Systems Volatility Framework 2.2_alpha >>>> >> Offset(P) #Ptr #Hnd Creation time From >>>> >> To >>>> >> ------------------ ------ ------ ------------------------ >>>> >> -------------------- >>>> >> ------------------------------------------------------------ >>>> >> 0x0000000007331840 1 0 2011-12-30 08:26:15 Global >>>> >> \Global?? >>>> >> 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: >>>> >>

\Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup

>>>> >> 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: >>>> >> \Device\Floppy0 >>>> >> 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: >>>> >> \Device\CdRom0 >>>> >> 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: >>>> >> \Device\HarddiskVolume2 >>>> >> >>>> >> And you can see, C: is mapped to HarddiskVolume2. From there you

can

>>>> >> run handles and filter specifically to files opened on that device >>>> >> like this: >>>> >> >>>> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles -t >>>> >> File >>>> >> | grep HarddiskVolume2 >>>> >> Volatile Systems Volatility Framework 2.2_alpha >>>> >> 0xfffffa800248e5a0 4 0x5c 0x12008b

File

>>>> >> \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl >>>> >> 0xfffffa800267f300 4 0xa4 0x13019f

File

>>>> >> >>>> >> >>>> >>

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

>>>> >> 0xfffffa800267b540 4 0xa8 0x12019f

File

>>>> >> >>>> >> >>>> >>

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

>>>> >> 0xfffffa8002671350 4 0xac 0x13019f

File

>>>> >> >>>> >> >>>> >>

\Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog

>>>> >> 0xfffffa80026794e0 4 0xb0 0x12019f

File

>>>> >> >>>> >> >>>> >>

\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

>>>> >> 0xfffffa8002679c30 4 0xb4 0x1

File

>>>> >> \Device\HarddiskVolume2 >>>> >> >>>> >> >>>> >> If the combination of handles and symlinkscan does not answer your >>>> >> question please write back. Also, it would be interesting if you >>>> >> documented your process through this (assuming you can), as I am >>>> >> sure >>>> >> many other people will encounter this situation. >>>> >> >>>> >> >>>> >> [1] >>>> >>

http://code.google.com/p/volatility/wiki/CommandReference21#handles

>>>> >> [2] >>>> >> >>>> >>

http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan

>>>> >> >>>> >> >>>> >>

>>>>> >> >>>>> >> .... >>>>> >> >>>>> >> On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge < adam.bridge(a)yahoo.com>

>>>> >> wrote: >>>> >> > Hello All, >>>> >> > >>>> >> > I'm new to Volatility but am a reasonably experienced forensic >>>> >> > examiner. >>>> >> > >>>> >> > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am >>>> >> > trying to >>>> >> > determine whether a TrueCrypt volume was mounted and, for bonus >>>> >> > points, >>>> >> > the >>>> >> > path to the TrueCrypt volume file. >>>> >> > >>>> >> > I've used devicetree and found: >>>> >> > >>>> >> > DRV 0x23ea15de0 \Driver\truecrypt >>>> >> > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK >>>> >> > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN >>>> >> > >>>> >> > So a good start. >>>> >> > >>>> >> > Question: Does that tell me that there _IS_ a TrueCrypt volume >>>> >> > mounted >>>> >> > as >>>> >> > the G drive or there _WAS_ a TrueCrypt volume mounted as the G >>>> >> > drive, or >>>> >> > that there's no way of knowing one way or the other? >>>> >> > >>>> >> > filescan shows two entries for \TrueCrypt.exe. The only

difference

>> >> > between >> >> > the two (besides a slight difference in #Ptr) is that one has >> >> > access of: >> >> > >> >> > R--rwd >> >> > >> >> > and the other: >> >> > >> >> > R--r-d >> >> > >> >> > What should I be discerning from this? Why does one have a write >> >> > permission >> >> > that the other does not? >> >> > >> >> > And finally, pslist shows me that TrueCrypt.exe was started but >> >> > has no >> >> > exit >> >> > time. >> >> > >> >> > I'm just not really sure where to go next? >> >> > Can anybody suggest anything? >> >> > >> >> > More than happy for someone to tell me to go read X! Just can't >> >> > find a >> >> > helpful X to read. >> >> > >> >> > Thank you all, >> >> > AB >> >> > >> >> > _______________________________________________ >> >> > Vol-users mailing list >> >> > Vol-users(a)volatilityfoundation.org >> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> >> > >> > >> > >> > >> > _______________________________________________ >> > Vol-users mailing list >> > Vol-users(a)volatilityfoundation.org >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > >> >> >> >> -- >> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 > > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

_______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

4471

days inactive

4473

days old

vol-users@lists.volatilityfoundation.org

Manage subscription

14 comments

6 participants

tags (0)

participants (6)

Adam Bridge
Andre' M. DiMino
Andrew Case
Jamie Levy
Michael Hale Ligh
Tom Yarrish