Você pode encontrar alguma referência interessante para o seu ponto neste artigo, A persistência da memória : identificação forense e extração de chaves criptográficas (ref de PDF)
The authors of Volatility describe a hypothetical attack against TrueCrypt (Foundation, 2008), by studying its internal structures and behavior (Walters and Nick, 2007). They do, however, not describe how to locate the different structures in memory, and neither do they discuss the fact that some of these may be paged out, thereby breaking the chain of data structures that leads to the master key if only the memory dump is available for analysis.
...
In other fields of memory analysis, analysts have dumped the memory address space of a specific process by fetching pages from RAM and swap space. The dumps are sometimes sufficient to verify4 and even completely reconstruct executable files (Kornblum, 2006). According to several articles (for example, see Schuster, 2006 and Carvey, 2007), these techniques are able to identify trojans, rootkits and viruses that are stealthy and/or armored in Windows memory dumps.
mais no papel.