VeraCrypt volumes are almost always static in size. If a suspect has a 500GB file on a drive with no file extension, or an extension that doesn't match the content (e.g., naming a volume games.iso ), this is a strong indicator.
This article explores the practical reality of VeraCrypt forensics, from live memory acquisition to cold-boot attacks and hidden volume detection. veracrypt forensics
This article provides a deep dive into the forensic analysis of VeraCrypt, covering identification, acquisition strategies, theoretical vulnerabilities, and the practical limitations examiners face. VeraCrypt volumes are almost always static in size