Find data from Truecrypt with Volatility


New Member
Apr 23, 2019

The thing is, I have a memory dump in which appears the process "Truecrypt.exe" and a mounted volume, and I want to find the key.

I issue:

volatility truecryptmaster
volatility truecryptsummary
volatility truecryptpassphrase

The 2 firsts give me results, but the last one yields no results. I expect to find the key that must be stored somewhere in memory.

¿How can I achieve that?


About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu