jessekornblum ([info]jessekornblum) wrote,
@ 2008-10-21 22:19:00
Entry tags:forensics, memory analysis, python, volatility

Volatility Plugins for TrueCrypt passphrases, suspicious processes
I've written two plugins for the Volatility memory analysis framework:

  • cryptoscan - Scans a memory image (or really anything) for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, pages 22-23. According to that paper, passphrases are stored in a structure containing a passphrase length followed by 64 bytes of passphrase data. The data must contain exactly that many ASCII characters, and all remaining bytes of the 64 must be zero.

  • suspicious - Displays the command line from 'suspicious' processes. A process is considered to be suspicious by this plugin if it contains the phrase 'TrueCrypt' or starts with a lowercase drive letter. You are of course welcome to expand that definition!
To use these plugins, save them to the memory_plugins directory in the Volatility distribution. From the command line, type:

C:\> python volatility cryptoscan -f [FILENAME]

These plugins only work on one file at a time. Enjoy!
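As an added example (not the plugins' own code, which the post does not include), here are the two checks described above in working Python: a scanner for the length-plus-64-byte passphrase layout and the 'suspicious' command-line heuristic. It assumes a 4-byte little-endian length field and reads "ASCII characters" as printable ASCII (0x20-0x7E); the sample buffer is constructed, not a real memory image.

```python
import re
import struct

PASSPHRASE_FIELD = 64   # bytes of passphrase data after the length, as the post describes
LENGTH_FMT = "<I"       # assumption: the length is a 4-byte little-endian integer
LENGTH_SIZE = struct.calcsize(LENGTH_FMT)
RECORD_SIZE = LENGTH_SIZE + PASSPHRASE_FIELD

def is_candidate(blob, offset):
    """True if blob[offset:] matches the layout: a length, then exactly that many
    printable ASCII bytes, then zeros up to the end of the 64-byte field."""
    if offset + RECORD_SIZE > len(blob):
        return False
    (length,) = struct.unpack_from(LENGTH_FMT, blob, offset)
    if not 1 <= length <= PASSPHRASE_FIELD:
        return False
    data = blob[offset + LENGTH_SIZE:offset + RECORD_SIZE]
    text, padding = data[:length], data[length:]
    return all(0x20 <= b <= 0x7E for b in text) and not any(padding)

def cryptoscan(blob):
    """Return [(offset, passphrase), ...] for every candidate record in the buffer."""
    hits = []
    for offset in range(len(blob) - RECORD_SIZE + 1):
        if is_candidate(blob, offset):
            (length,) = struct.unpack_from(LENGTH_FMT, blob, offset)
            start = offset + LENGTH_SIZE
            hits.append((offset, blob[start:start + length].decode("ascii")))
    return hits

def is_suspicious(command_line):
    """The 'suspicious' heuristic: mentions TrueCrypt, or starts with a lowercase drive letter."""
    return "TrueCrypt" in command_line or re.match(r"[a-z]:", command_line) is not None

def _record(length, text):
    return struct.pack(LENGTH_FMT, length) + text.ljust(PASSPHRASE_FIELD, b"\0")

# Constructed sample: filler, one well-formed record, two near-misses (NUL inside text; byte after text non-zero)
SAMPLE_IMAGE = (
    b"\xde\xad\xbe\xef" * 8
    + _record(9, b"hunter2!!")
    + _record(5, b"abc\0e")
    + _record(3, b"abcd")
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    print(cryptoscan(SAMPLE_IMAGE))
```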



(13 comments) - (Post a new comment)

Invalid module [cryptoscan.py]
(Anonymous)
2008-11-14 11:17 am UTC (link)
Hello, my name is Pedro Sánchez. Very good post. I have a problem when starting it; what am I doing wrong?

thanks

Sample:
C:\Volatility-1.3_Beta>python.exe volatility cryptoscan.py -f truecrypt
Error: Invalid module [cryptoscan.py].

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PART

(Reply to this) (Thread)

Re: Invalid module [cryptoscan.py]
(Anonymous)
2008-12-17 10:38 am UTC (link)
try C:\Volatility-1.3_Beta>python.exe volatility cryptoscan -f truecrypt

(Reply to this) (Parent)(Thread)

Re: Invalid module [cryptoscan.py]
(Anonymous)
2009-06-15 05:41 pm UTC (link)
Hi,

I have been evaluating the Volatility Framework, and the cryptoscan plugin is a great development considering that it reveals the TrueCrypt passphrase.

I would just like to find out under what conditions the cryptoscan plugin works. I have tested on a target system with a hidden volume created by TrueCrypt v6.2a. The acquired memory image is then loaded in Volatility with the cryptoscan plugin, but no passphrases are detected.

(Reply to this) (Parent)(Thread)

Re: Invalid module [cryptoscan.py]
[info]jessekornblum
2009-06-15 05:47 pm UTC (link)
As noted in the paper, this method only works on older versions of TrueCrypt.

(Reply to this) (Parent)(Thread)

Re: Invalid module [cryptoscan.py]
(Anonymous)
2009-07-06 12:59 pm UTC (link)
Apparently, I have tested with TrueCrypt v4.3 and even the earliest version, TrueCrypt v1.0, but was unable to reveal the TrueCrypt passphrase.

The memory is dumped out by Mantech MDD v1.3, and the option in TrueCrypt to cache the password in memory is checked as well. Please advise me on this. Thanks.

(Reply to this) (Parent)(Thread)

Re: Invalid module [cryptoscan.py]
[info]jessekornblum
2009-07-06 01:22 pm UTC (link)
I'm sorry, I'm not sure what's going wrong for you.

(Reply to this) (Parent)

Problem Using Suspicious
(Anonymous)
2009-02-13 01:26 pm UTC (link)
When I place the suspicious.py in volatility's memory_plugins folder and then type 'python volatility', I get the following error.

Traceback (most recent call last):
File "volatility", line 219, in <module>
main()
File "volatility", line 201, in main
MemoryRegistry.Init()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\registry.py", line 269, in Init
OBJECT_CLASSES = VolatilityObjectRegistry(object2.Object)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\registry.py", line 244, in __init__
raise Exception("Object %s has already been defined by %s" % (obj,self.objects[obj]))
Exception: Object _EPROCESS has already been defined by <class 'example3._EPROCESS'>

How can I correct this? Thanks.

(Reply to this) (Thread)

Re: Problem Using Suspicious
[info]jessekornblum
2009-02-14 04:04 pm UTC (link)
You have to remove the example3.py file from the plugins directory.

(Reply to this) (Parent)(Thread)

Re: Problem Using Suspicious
(Anonymous)
2009-02-17 12:34 pm UTC (link)
Thanks!

(Reply to this) (Parent)

Re: Problem Using Suspicious
(Anonymous)
2009-02-20 12:01 pm UTC (link)
When I run the script, I get the following error...

Traceback (most recent call last):
File "volatility", line 219, in <module>
main()
File "volatility", line 215, in main
command.execute()
File "memory_plugins/suspicious.py", line 106, in execute
command_line = eprocess.CommandLine
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 96, in __getattribute__
return object.__getattribute__(self, attr)
File "memory_plugins/suspicious.py", line 155, in getCommandLine
if mypeb.ProcessParameters is None:
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 122, in __getattribute__
base_address = self.get_member(attr).v()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 251, in v
return self.value()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 255, in value
return self.type.v(self)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 340, in v
return self.value(theObject)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 344, in value
theObject.vm.read(theObject.offset, self.size))
File "C:\Python25\lib\struct.py", line 87, in unpack
return o.unpack(s)
struct.error: unpack requires a string argument of length 4

Is there another file that needs to be removed? Thanks.

(Reply to this) (Parent)(Thread)

Re: Problem Using Suspicious
(Anonymous)
2009-03-03 02:39 pm UTC (link)
I too am getting this exact error whilst trying to run the script. Any ideas?

Thanks

(Reply to this) (Parent)(Thread)

Re: Problem Using Suspicious
[info]jessekornblum
2009-03-03 02:52 pm UTC (link)
Sorry, I don't know how to fix the problem you're having. You should probably consider the plugin broken.

(Reply to this) (Parent)

