In this paper we present a new approach for identifying the crypto routines in different types of malware. In traditional malware analysis, like sandboxing, network data is examined as seen on the wire or data is collected as it is written to a file. The use of proprietary binary formats, obfuscation, or encryption hides important details, which are necessary for investigating malicious behavior. It is hardly possible to create decryptors just from monitored sandbox data. Our approach not only examines the data when leaving or entering the malware but also correlates it with information from inside the malware. By monitoring the data at I/O interfaces as well as data dependencies our approach automatically reveals the data origin. Knowing the data origin enables an analyst to easily find the crypto functions. Using this approach, we were able to identify the encryption, decryption, and command parser in different malware samples each within minutes. In our evaluation, we present the results for the Kraken command&control protocol encryption and for the file encryption of the Srvcp trojan.