This was an incredibly difficult challenge. We unfortunately did not solve it before CDX ended; however, I'm grateful to Carnegie Mellon University (CMU) for keeping the forensic examination environment open even after ENDEX. Note, though, that any code examples are from my local TrueCrypt experiment, not from CMU's challenge, because copy and paste between USAFAnyet and CMU CERT was difficult.
During the exercise we tried volshell (Volatility's interactive shell), a Python script, and strings.
Listing the active processes is a standard first step on a memory dump, so we did that.
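The strings sweep mentioned above, as an added example that is not code from the original post: a small Python equivalent of `strings` that scans a raw memory image for both ASCII and UTF-16LE runs (Windows kernel and driver strings are usually UTF-16LE, which a plain `strings` run silently misses) and filters for TrueCrypt-related hits. The sample image bytes are constructed here for the demonstration; the keyword list and the `min_len` cutoff are assumptions, not values from the post.

```python
import re

# Constructed sample memory image (not a real dump): a few bytes of noise,
# an ASCII driver name, a UTF-16LE volume string, and an unrelated process name.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03\x04\x05"
    + b"truecrypt.sys"                          # ASCII, offset 6
    + b"\x00\x00\xff\xfe"
    + "TrueCrypt Volume".encode("utf-16-le")    # UTF-16LE, offset 23
    + b"\x00\x00\x7f\x80\x81"
    + b"explorer.exe"                           # ASCII, offset 60
    + b"\x00" * 8
)


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII or UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE printable ASCII range: each character is a printable byte followed by NUL
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    hits = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


def find_indicators(data, keywords=("truecrypt",), min_len=4):
    """Keep only strings that contain one of the keywords (case-insensitive).
    The keyword list is an assumption for this demo, not from the original post."""
    return [
        hit for hit in extract_strings(data, min_len)
        if any(k in hit[2].lower() for k in keywords)
    ]


if __name__ == "__main__":
    for offset, encoding, text in find_indicators(SAMPLE_IMAGE):
        print("0x%08x %-8s %s" % (offset, encoding, text))
```

Against a real image, pass the whole file (or `mmap` it) instead of `SAMPLE_IMAGE`. The same two passes correspond to GNU `strings -a` for ASCII and `strings -a -e l` for UTF-16LE; running only the default ASCII pass is the usual reason a Windows dump appears to contain no driver or device names.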
Read more: http://delogrand.blogspot.com/2013/04/cyber-defense-exercise-2013-extracting.html