Canberra 2012

Canberra, Australia | Mon, Jul 2 - Tue, Jul 10, 2012

Tales from the Crypt: TrueCrypt Analysis

  • Hal Pomeranz, Deer Run Associates

What if you suspect a device you are investigating may contain TrueCrypt volumes? What if you have no passwords or memory image to analyze and cannot access the volumes? Is all hope lost?

Based on real-world investigations, this talk starts by covering techniques for detecting TrueCrypt volumes on Windows systems using a combination of specialized tools, registry forensics, and application-specific configuration files. Next we'll look at the information that is available to the investigator about the contents of a TrueCrypt volume, even when the volume itself cannot be decrypted.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.

Additional Sessions

Session | Speaker | Type
Pentesting Modern Defenses | James Shewmaker | SANS@Night
Risk Management for SMEs | Jim Herbeck | SANS@Night
Tales from the Crypt: TrueCrypt Analysis | Hal Pomeranz, Deer Run Associates | SANS@Night