This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn
TrueCrypt is a Windows program to create and mount virtual encrypted disks.
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible with an encryption key generated by a user's password and/or an additional datafile.
The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. Both PRTK and DNA can attack the program.