As encrypted holders are experienced all the more much of the time the requirement for live imaging is probably going to increment; in any case, a procured live image of an open encrypted record framework can’t later be checked against any unique proof, since when the force is expelled, the decrypted substance is not at this point available. This paper shows that if a memory image is additionally gotten simultaneously as live compartment image, by the structure of on-the-fly encryption, decoding keys can be recuperated from the memory dump. These keys would then be able to be used disconnected to access the scrambled holder document, encouraging norm, repeatable, criminological record framework examination. The recuperation technique used a straight sweep of memory to produce preliminary keys from all conceivable memory positions to decode the compartment. The viability of this methodology is shown by recouping TrueCrypt decoding keys from a memory dump of a Windows system.