Open an encrypted TrueCrypt volume

This section explains how to open an encrypted TrueCrypt volume.

Find the key

If you have a live memory dump, you can use a Volatility plugin to extract the TrueCrypt key:

$ volatility -f mem.dmp --profile=Win7SP1x86 truecryptsummary
Volatility Foundation Volatility Framework 2.5
Registry Version     TrueCrypt Version 7.0a
Password             A_Very_Bad_Passw0rd at offset 0x01224426
[...]

Mount a TrueCrypt volume

$ mkdir mount
$ truecrypt volume_truecrypt mount/
# truecrypt prompts for the password here (in this example, A_Very_Bad_Passw0rd)
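
An added example, not part of the original page: when the volume is evidence, mounting it read-only and hashing the container before and after shows that the examination did not modify it. The function names and the .sha256 sidecar file are assumptions; the options used (-t, --mount-options=ro, --protect-hidden=no, -k, -d) belong to the TrueCrypt Linux command line.

```shell
#!/bin/sh
# Added example: read-only mount of a TrueCrypt container with a
# before/after integrity check. volume_truecrypt and mount/ are the
# names used on the page; the "<volume>.sha256" sidecar is hypothetical.

# Print the SHA-256 digest of a file (first field of sha256sum output).
evidence_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# Record the container's digest next to it before touching it.
record_hash() {
    evidence_hash "$1" > "$1.sha256"
}

# Return 0 if the container still matches the recorded digest, 1 otherwise.
verify_unchanged() {
    [ "$(evidence_hash "$1")" = "$(cat "$1.sha256")" ]
}

# Mount read-only in text mode. No -p is given, so truecrypt prompts for
# the password and it never appears in the process list or shell history.
mount_readonly() {
    mkdir -p "$2"
    truecrypt -t --mount-options=ro --protect-hidden=no -k "" "$1" "$2"
}

# Dismount, then confirm the container is byte-identical to the recorded state.
dismount_and_verify() {
    truecrypt -t -d "$1"
    verify_unchanged "$1"
}

# Usage:
#   record_hash volume_truecrypt
#   mount_readonly volume_truecrypt mount/
#   ... examine the files under mount/ ...
#   dismount_and_verify volume_truecrypt && echo "container unchanged"
```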
Written on June 7, 2020