Virtual encryption softwares


mrevoluter
Newbie
 

Virtual encryption softwares

Post Posted: May 10, 19 10:08

Hi friends,
I rolled through different web forums for the solution regarding how to find the date and time stamps of various encrypted volumes mounted in a Windows operating system.
Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.
 
  

Omnius
Member
 

Re: Virtual encryption softwares

Post Posted: May 10, 19 10:52

I'd be looking for usage of TrueCrypt Format.exe as that can indicate that a volume was created.

I've found this article useful for VeraCrypt that may be of help: sparky.tech/tracking-e...ypt-usage/  
 
  

mrevoluter
Newbie
 

Re: Virtual encryption softwares

Post Posted: May 10, 19 11:34

Thank you Omnius for the reply. However, I could get the type of drive TrueCrypt is mounted on, but still could not correlate it with the time of usage, as time stamps are not mentioned anywhere in the corresponding registry.
 
  

Omnius
Member
 

Re: Virtual encryption softwares

Post Posted: May 10, 19 13:09

Are you able to locate any records of TC being launched? Any .LNK / JumpList records of access to typical TC drive letters? You may be able to infer a connection there and use the timestamps they provide?  
 
  

mrevoluter
Newbie
 

Re: Virtual encryption softwares

Post Posted: May 10, 19 13:29

Yes, I got a .tc file info in the Internet Explorer artifacts which does not show the time stamp. I got info on various mounted drive letters using TrueCrypt which does not have any time stamp. I got various .LNK files which show different timelines for each file, but the drive letters do not correlate to the TrueCrypt mounted volumes, and there are no BAM & DAM entries in the registry file, not even {userassist} files in the registry. Though I could relate that .LNK files are accessed from a mounted TrueCrypt volume, I could not find its execution time stamp.
Q1. If TrueCrypt is executed in the system, where else will its execution time stamp be available?
Q2. Are there any Event Viewer logs to rule out the execution of TrueCrypt?
Q3. If a thumb drive is inserted in the system at the time of mounting the TrueCrypt volume, could any traces be found to rule out that data is pilfered out?

Kindly reply.....  
 
  

jaclaz
Senior Member
 

Re: Virtual encryption softwares

Post Posted: May 15, 19 17:36

- mrevoluter

Firstly, we can get info about the TrueCrypt mounted volumes in the registry file HKLM/SYSTEM/MountedDevices location. But I don't find any time stamps mentioned there. Kindly provide the info.

What about the GUID's?

See here (and given links):
www.forensicfocus.com/...c/t=15925/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
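
One way to follow up the GUID question above, as an added example that is not part of the thread: a `\??\Volume{GUID}` value name under MountedDevices embeds a generation time only when the GUID has the version 1 (time-based) layout, so the code checks the version before decoding anything. That a given system writes version 1 GUIDs is an assumption to verify per value; the value names below are constructed samples and `guid_times` is a hypothetical helper name.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Start of the UUID clock: 100 ns ticks counted from 1582-10-15 00:00:00 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
GUID_RE = re.compile(r"Volume\{([0-9a-fA-F-]{36})\}")

# Constructed sample value names, not taken from the thread or any real system.
SAMPLE_VALUE_NAMES = [
    r"\??\Volume{10130000-6ba4-11e9-8000-020000000001}",  # version 1 layout
    r"\??\Volume{3f2b8c1e-9d4a-4e7b-a1c2-5d6e7f8091a2}",  # version 4 (random)
    r"\DosDevices\T:",                                     # no GUID in the name
]


def guid_times(value_names):
    """Return one dict per volume GUID; 'created' stays None unless version 1."""
    rows = []
    for name in value_names:
        match = GUID_RE.search(name)
        if not match:
            continue  # drive-letter values carry no GUID in their name
        try:
            guid = uuid.UUID(match.group(1))
        except ValueError:
            continue  # malformed GUID text
        created = node = None
        if guid.version == 1:
            # 60-bit tick count -> microseconds since the UUID epoch
            created = UUID_EPOCH + timedelta(microseconds=guid.time // 10)
            # node field: usually a MAC address of the generating host
            node = ":".join(f"{b:02x}" for b in guid.node.to_bytes(6, "big"))
        rows.append({"guid": str(guid), "version": guid.version,
                     "created": created, "node": node})
    return rows


if __name__ == "__main__":
    for row in guid_times(SAMPLE_VALUE_NAMES):
        print(row)
```

A decoded time is when the GUID was generated, not each later mount, so it needs corroboration from other artifacts such as the .LNK and JumpList records mentioned earlier in the thread.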
 
