Hi zencoder

Thanks for the reply two scenarios:

1 covertly access computer.
options:
Install software/hardware keylogger
Install trojan with keylogger/remote access capabilities (BO2K)
Bit stream backup of drive onto USB portable storage and forensically examine

2. steal computer
prior to theft:
remotely install trojan
after theft:
Brute force attack
forensically examine drive

There is probably more but this is what I have come up with as you can see my solutions are mainly focused on stealing the password. If I had remote access to a system would I be able to access the RAM or paging file while the unencrypted files are in use or directly after? Or if I physically accesed the computer after the files had been unencrypted sometime that day but the computer had not been turned off?

Any input/direction to relevant sites would be appreciated.

cheers