After reading an article from a forensics software company, I'm worried about attacks that may be able to recover the OTFE (on-the-fly encryption) key of VeraCrypt from RAM.
Threat model:
- On Windows, signed spyware running elevated is able to access RAM or the page file.
- It tries to locate the OTFE key during or after a VeraCrypt volume is mounted.
Question:
- Is there any way to prevent the key from being accessed while it's in RAM?
- Does the key remain in RAM after the volume is dismounted?
Thanks in advance.