jessekornblum ([info]jessekornblum) wrote,
@ 2008-10-21 22:19:00
Entry tags:forensics, memory analysis, python, volatility

Volatility Plugins for TrueCrypt passphrases, suspicious processes
I've written two plugins for the Volatility memory analysis framework:

  • cryptoscan - Scans a memory image (or really anything) for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, pages 22-23. According to that paper, a passphrase is stored in a structure containing a passphrase length followed by 64 bytes of passphrase data. The data must contain exactly that many ASCII characters, and all remaining bytes must be zero.

  • suspicious - Displays the command line of 'suspicious' processes. A process is considered suspicious by this plugin if its command line contains the phrase 'TrueCrypt' or starts with a lowercase drive letter. You are of course welcome to expand that definition!

To use these plugins, save them to the memory_plugins directory in the Volatility distribution. From the command line, type:

C:\> python volatility cryptoscan -f [FILENAME]

These plugins only work on one file at a time. Enjoy!
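As an added illustration of the two heuristics described above (example code, not the plugins' own source): a scan for the length-plus-64-byte passphrase structure, and the suspicious command line test. The 4-byte little-endian width of the length field and the sample image are assumptions made for this example.

```python
import re
import struct

# Layout assumed for this example: a 4-byte little-endian length field (the post
# does not state the field's width) followed by 64 bytes of passphrase data.
LENGTH_WIDTH = 4
DATA_LEN = 64
RECORD_LEN = LENGTH_WIDTH + DATA_LEN

def match_passphrase(record):
    """Return the passphrase if the 68-byte record fits the structure, else None."""
    if len(record) != RECORD_LEN:
        return None
    (length,) = struct.unpack("<I", record[:LENGTH_WIDTH])
    if not 1 <= length <= DATA_LEN:
        return None
    text, padding = record[LENGTH_WIDTH:LENGTH_WIDTH + length], record[LENGTH_WIDTH + length:]
    # Exactly `length` printable ASCII bytes, and every remaining byte zero.
    if not all(0x20 <= b < 0x7F for b in text) or any(padding):
        return None
    return text.decode("ascii")

def cryptoscan(image):
    """Slide over the image one byte at a time; return (offset, passphrase) hits."""
    hits = []
    for offset in range(len(image) - RECORD_LEN + 1):
        found = match_passphrase(image[offset:offset + RECORD_LEN])
        if found is not None:
            hits.append((offset, found))
    return hits

def is_suspicious(command_line):
    """The post's heuristic: mentions TrueCrypt, or starts with a lowercase drive letter."""
    return "TrueCrypt" in command_line or re.match(r"[a-z]:", command_line) is not None

# Constructed sample "image": one valid record, one with a control byte inside the
# text, one whose padding is not all zero, surrounded by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + struct.pack("<I", 9) + b"hunter2!!".ljust(DATA_LEN, b"\x00")
    + b"\xff" * 8
    + struct.pack("<I", 5) + b"abc\x01d".ljust(DATA_LEN, b"\x00")
    + struct.pack("<I", 3) + b"abcd".ljust(DATA_LEN, b"\x00")
)

if __name__ == "__main__":
    for offset, passphrase in cryptoscan(SAMPLE_IMAGE):
        print("0x%08x  %s" % (offset, passphrase))
```

Only the first constructed record survives both checks; the sliding one-byte stride is what lets the scan work on an arbitrary blob rather than a parsed process list.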




Re: Problem Using Suspicious
[info]jessekornblum
2009-02-14 04:04 pm UTC (link)
You have to remove the example3.py file from the plugins directory.


Re: Problem Using Suspicious
(Anonymous)
2009-02-17 12:34 pm UTC (link)
Thanks!


Re: Problem Using Suspicious
(Anonymous)
2009-02-20 12:01 pm UTC (link)
When I run the script, I get the following error...

Traceback (most recent call last):
File "volatility", line 219, in
main()
File "volatility", line 215, in main
command.execute()
File "memory_plugins/suspicious.py", line 106, in execute
command_line = eprocess.CommandLine
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 96, in __getattribute__
return object.__getattribute__(self, attr)
File "memory_plugins/suspicious.py", line 155, in getCommandLine
if mypeb.ProcessParameters is None:
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 122, in __getattribute__
base_address = self.get_member(attr).v()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 251, in v
return self.value()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 255, in value
return self.type.v(self)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 340, in v
return self.value(theObject)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 344, in value
theObject.vm.read(theObject.offset, self.size))
File "C:\Python25\lib\struct.py", line 87, in unpack
return o.unpack(s)
struct.error: unpack requires a string argument of length 4

Is there another file that needs to be removed? Thanks.


Re: Problem Using Suspicious
(Anonymous)
2009-03-03 02:39 pm UTC (link)
I too am getting this exact error whilst trying to run the script. Any ideas?

Thanks


Re: Problem Using Suspicious
[info]jessekornblum
2009-03-03 02:52 pm UTC (link)
Sorry, I don't know how to fix the problem you're having. You should probably consider the plugin broken.

