Volatility Plugins for TrueCrypt passphrases, suspicious processes
[Oct. 21st, 2008|10:19 pm]
I've written two plugins for the Volatility memory analysis framework:

- cryptoscan - Scans a memory image (or really any file) for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, pages 22-23. According to that paper, a passphrase is stored in a structure containing the passphrase length followed by 64 bytes of passphrase data. The data must contain exactly as many ASCII characters as the length field says, and all remaining bytes must be zeros.
- suspicious - Displays the command line of 'suspicious' processes. A process is considered suspicious by this plugin if its command line contains the phrase 'TrueCrypt' or starts with a lowercase drive letter. You are of course welcome to expand that definition!

To use these plugins, save them to the memory_plugins directory in the Volatility distribution. From the command line, type:

C:\> python volatility cryptoscan -f [FILENAME]

These plugins only work on one file at a time. Enjoy!
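The two checks described above, written out as an added Python example for this page; it is not the plugin code itself. It assumes the length field is a 4-byte little-endian integer immediately followed by the 64 passphrase bytes (the post names the two fields but not their sizes), treats 0x20-0x7e as the ASCII range, and the sample buffer and command lines it scans are constructed here for illustration.

```python
import mmap
import re
import struct
import sys

# Assumed layout (not given in the post): 32-bit little-endian length, then
# 64 bytes of passphrase text. The 64 comes from the post; the 4-byte length
# is an assumption.
MAX_PASSPHRASE = 64
LENGTH_SIZE = 4
RECORD_SIZE = LENGTH_SIZE + MAX_PASSPHRASE


def is_passphrase_record(chunk):
    """Return the passphrase if chunk matches the structure, else None.

    Accepts only a length in 1..64, exactly that many printable ASCII bytes,
    and zeros in every remaining byte of the 64-byte text area.
    """
    if len(chunk) != RECORD_SIZE:
        return None
    (length,) = struct.unpack("<I", chunk[:LENGTH_SIZE])
    if not 1 <= length <= MAX_PASSPHRASE:
        return None
    text = chunk[LENGTH_SIZE:LENGTH_SIZE + length]
    tail = chunk[LENGTH_SIZE + length:RECORD_SIZE]
    if not all(0x20 <= b <= 0x7E for b in text):
        return None
    if any(tail):          # a non-zero byte after the passphrase: not a record
        return None
    return text.decode("ascii")


def cryptoscan(data):
    """Slide a RECORD_SIZE window over data one byte at a time.

    Returns a list of (offset, passphrase). The structure is not assumed to
    be aligned, hence the one-byte step.
    """
    hits = []
    for offset in range(len(data) - RECORD_SIZE + 1):
        found = is_passphrase_record(data[offset:offset + RECORD_SIZE])
        if found is not None:
            hits.append((offset, found))
    return hits


# Command line is suspicious if it contains 'TrueCrypt' or starts with a
# lowercase drive letter, exactly the definition in the post.
SUSPICIOUS_RE = re.compile(r"TrueCrypt|^[a-z]:")


def suspicious_command_lines(cmdlines):
    """Return the command lines that match SUSPICIOUS_RE."""
    return [c for c in cmdlines if SUSPICIOUS_RE.search(c)]


def make_record(passphrase):
    """Build a well-formed record for a passphrase (constructed test data)."""
    text = passphrase.encode("ascii")
    return struct.pack("<I", len(text)) + text.ljust(MAX_PASSPHRASE, b"\x00")


def build_sample_image():
    """Constructed memory-image stand-in: two real records, one near-miss."""
    near_miss = struct.pack("<I", 5) + b"secret" + b"\x00" * 58  # tail not zero
    return (
        b"\x00" * 16 + b"random junk" + b"\xff" * 8       # 35 bytes of filler
        + make_record("Tr0ub4dor&3")                       # hit at offset 35
        + b"\x00" * 8 + b"/usr/bin"
        + near_miss                                        # must be rejected
        + b"\x00" * 20
        + make_record("A" * MAX_PASSPHRASE)                # boundary case, offset 207
    )


SAMPLE_CMDLINES = [                                        # constructed
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\Program Files\TrueCrypt\TrueCrypt.exe",
    r"c:\temp\update.exe /silent",
    r"C:\WINDOWS\explorer.exe",
]


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Map the image instead of reading it so multi-GB dumps fit in memory.
        with open(sys.argv[1], "rb") as f:
            image = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            results = cryptoscan(image)
    else:
        results = cryptoscan(build_sample_image())
    for off, pw in results:
        print("0x%08x  %s" % (off, pw))
    for cmd in suspicious_command_lines(SAMPLE_CMDLINES):
        print("suspicious:", cmd)
```

The near-miss record shows why the zero-tail rule matters: a short length followed by a longer ASCII string is exactly the shape of ordinary text in memory, and without that rule the scanner would report it. Short passphrases still produce false positives (any small integer followed by a few printable bytes and zeros qualifies), so treat hits as candidates to try against the volume rather than as confirmed passphrases. Stepping the window by four bytes instead of one speeds up a full-image scan considerably if you are willing to assume the structure is 4-byte aligned.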