jessekornblum @ 2009-08-09 16:09:00
Entry tags: crypto, memory analysis
Cached TrueCrypt Passphrases
Chris Neilson, a senior at the University of Denver, has discovered how TrueCrypt caches passphrases in memory when the user requests the program to do so. Please note that caching passphrases is not the default behavior, but when the user requests it, here's how they are stored in memory.
The passphrases appear on a page mostly full of zeros. There's no pattern to the offset inside the memory page, but the layout is consistent: some zeros (usually several dozen), a 32-bit representation of the passphrase length, the passphrase (in ASCII), and more zeros.
Although my cryptoscan plugin for the Volatility framework has proven to be ineffective against modern versions of TrueCrypt, it could easily be modified to find these cached passphrases. (Sorry I can't be more helpful and do the work myself, but this would make a great introduction to the Volatility architecture.) Enjoy!
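The layout described above, written as a page scanner for triaging a raw memory image. This is an added example, not code from the original post, from cryptoscan or from Volatility; the 4 KiB page size, little-endian length field, 64-character length cap and the two zero thresholds are assumptions, and the sample image is constructed.

```python
import struct

PAGE_SIZE = 4096          # assumption: 4 KiB pages
MAX_PASS_LEN = 64         # assumption: upper bound on a plausible passphrase
MIN_ZERO_RUN = 24         # assumption: stand-in for "several dozen" zeros
MIN_ZERO_FRACTION = 0.9   # assumption: threshold for "mostly full of zeros"

def scan_page(page):
    """Return [(offset, passphrase)] candidates found in one memory page."""
    if page.count(0) < MIN_ZERO_FRACTION * len(page):
        return []
    hits = []
    i = MIN_ZERO_RUN
    while i + 4 < len(page):
        # Candidate start: first non-zero byte after a run of zeros.
        if page[i] == 0 or any(page[i - MIN_ZERO_RUN:i]):
            i += 1
            continue
        (length,) = struct.unpack_from("<I", page, i)  # assumption: little-endian
        body = page[i + 4:i + 4 + length]
        tail = page[i + 4 + length:i + 4 + length + MIN_ZERO_RUN]
        if (1 <= length <= MAX_PASS_LEN and len(body) == length
                and all(0x20 <= b <= 0x7E for b in body) and not any(tail)):
            hits.append((i, body.decode("ascii")))
            i += 4 + length
        else:
            i += 1
    return hits

def scan_image(image):
    """Scan a raw memory image page by page; offsets are image-relative."""
    return [(base + off, pw)
            for base in range(0, len(image), PAGE_SIZE)
            for off, pw in scan_page(image[base:base + PAGE_SIZE])]

def build_sample():
    """Constructed three-page image: noise, a cached-passphrase page, a decoy."""
    noise = bytes((i % 255) + 1 for i in range(PAGE_SIZE))
    pw = b"correct horse battery"      # constructed passphrase
    hit = bytearray(PAGE_SIZE)
    hit[1337:1337 + 4 + len(pw)] = struct.pack("<I", len(pw)) + pw
    decoy = bytearray(PAGE_SIZE)       # plausible length, non-ASCII body
    decoy[512:521] = struct.pack("<I", 5) + b"\x01\x02\x03\x04\x05"
    return noise + bytes(hit) + bytes(decoy)

if __name__ == "__main__":
    for offset, passphrase in scan_image(build_sample()):
        print(f"0x{offset:08x}  {passphrase!r}")
```

A structure that starts within the first 24 bytes of a page is missed, because the leading zero run is only checked inside the same page.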