• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 593
  • Last Modified:

Windows: Getting forensic image from truecrypt container (opened) and getting forensic image from nonopened truecrypt container


i would like to know to to get a dd image from truecrypt container which is allready mounted


i would like to know how to get it when the file is not mounted.

My environment is a windows box. All Solutions should be freeware.


  • 2
1 Solution
Dave HoweCommented:
to get it while mounted:

download and unzip http://www.chrysocome.net/dd

use the command dd if=\\.\k: of=drive.img bs=10M

where k: is the drive it is mounted on (change to suit)
drive.img is the target file (must be enough space to store an uncompressed image of the drive)
and 10M is the buffer (chunk) size during the copy - larger sizes mean faster copies, but more memory used.

to get it while not mounted:

just copy the file :)
ByteSleuthAuthor Commented:

thanks a lot :-)

Here are your points...
ByteSleuthAuthor Commented:
Thanks a lot buddy.
View my other questions about truecrypt-----

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now