Updated May 10, 2026. Created May 09, 2026

Forensics TrueCrypt

This page is based on the Linux version of TrueCrypt.

TrueCrypt is a complicated application and even the truecrypt -h output is a chore to read. You will probably find it helpful anyway.

$ ls -aln .TrueCrypt/
total 44
drwx------ 2 1000 1000 80 Mar 8 13:21 .
drwxr-xr-x 164 1000 1000 8192 Mar 9 18:45 ..
-rw------- 1 1000 1000 1765 Jan 28 16:46 Configuration.xml
-rw------- 1 1000 1000 299 Nov 16 2010 Favorite Volumes.xml
-rw------- 1 1000 1000 449 Jan 28 16:46 History.xml
prw------- 1 1000 1000 0 Mar 8 13:21 .show-request-queue

$ cat .TrueCrypt/Configuration.xml

1 1 1 1 0 0 1 1 0 0 0 1 1 0 0 1 noatime 1 1 60 0 0 0 0 0 0 0 1 1 0 0 1 0

$ cat .TrueCrypt/Favorite\ Volumes.xml

/dev/sdb1 work/redact.tc

$ cat .TrueCrypt/History.xml

/dev/sdb1 /home/mdf/fs/ifs/mfoster/redact.tc /home/mdf/work/redact.tc /home/mdf/work/redact.tc /dev/sdc1 work/redact.tc work.tc /home/mdf/crypt1 /home/mdf cryptlocal

$ file .TrueCrypt/.show-request-queue
.TrueCrypt/.show-request-queue: fifo (named pipe)

$ sudo lsof -n | grep show-request
(If truecrypt is not running, this output would be empty.)
truecrypt 4773 mdf 14u FIFO 8,7 0t0 13717 /home/mdf/.TrueCrypt/.show-request-queue
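
As an added example (not part of the original page), the shell functions below inventory the directory shown above and repeat the lsof check through /proc, without ever opening the named pipe, because a plain cat or sha256sum on .show-request-queue can block. The function names are hypothetical, and GNU coreutils, GNU findutils and a mounted /proc are assumed.

```shell
#!/bin/sh
# Added example: triage helpers for a user's .TrueCrypt directory.
# Function names are hypothetical; assumes GNU coreutils/findutils and /proc.

# Print one line per entry: type|mode|uid|gid|size|mtime_epoch|sha256|name
# Only regular files are hashed, so the FIFO is recorded but never opened.
tc_inventory() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/* "$dir"/.[!.]*; do
        # An unmatched glob stays literal; skip it, but keep dangling symlinks.
        [ -e "$f" ] || [ -L "$f" ] || continue
        meta=$(stat -c '%F|%a|%u|%g|%s|%Y' "$f")
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            sum=$(sha256sum < "$f" | cut -d' ' -f1)
        else
            sum=-
        fi
        printf '%s|%s|%s\n' "$meta" "$sum" "${f##*/}"
    done
}

# Print PIDs holding .show-request-queue open (the lsof check, via /proc).
# find compares inodes with stat only, so the pipe itself is not opened.
# Without root, only the caller's own processes are visible.
tc_fifo_holders() {
    fifo=$1/.show-request-queue
    [ -p "$fifo" ] || return 0
    { find -L /proc/[0-9]*/fd -maxdepth 1 -samefile "$fifo" 2>/dev/null || true; } |
        cut -d/ -f3 | sort -un
}
```

Call the functions as tc_inventory "$HOME/.TrueCrypt" and tc_fifo_holders "$HOME/.TrueCrypt". Run the inventory against a read-only mount or an image copy so that hashing does not alter access times.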

Further information that would be good to know...

  • How the process responds to signals (e.g. INTR and HUP), noting any interesting results
  • Take a core dump using SIGABRT and run strings -a against the coredump, plus a backtrace
  • Use elfdump and ldd to show the ELF signatures and shared library (.so) linkages